Updated: Security researchers claim to have uncovered a variety of serious security holes in a heavily touted secure email server technology. Nomx, the firm behind the device, strongly disputes the claims and has invited researchers to a hacking challenge that involves creating an email account on a designated, remotely hosted nomx device.
Nomx launched its email server hardware at the CES trade show in Las Vegas back in January. Its marketing trumpets that "nomx ensures absolute privacy for personal and commercial email and messaging", adding: "Everything else is insecure".
After an inspection of the hardware for the BBC, researcher Scott Helme claimed he had quickly uncovered all sorts of shortcomings.
The device runs standard mail server software, most of it outdated, on a Raspberry Pi, claimed Helme. Worse yet, nomx's web interface presents a serious CSRF (Cross-Site Request Forgery) vulnerability, he alleged. In addition, the device can't receive updates, a basic security requirement, he said. These and other flaws are detailed in a long blog post, complete with screenshots and other details.
"They make some very bold claims but the device is awful," Helme told El Reg. "I have a full remote compromise.
"There are three different ways to exploit the CSRF, all of which they claim to have patched but [they] haven't made a patch available to me."
The range of potential exploits on the device is extensive, according to Helme.
"I can read your emails, delete your emails, send emails, [or] create my own email address on your device to log in and use," he said.
Will Donaldson of nomx strongly disputed all of this, claiming that Helme is trying to discredit nomx – which Helme denies. Donaldson said that nomx had addressed the CSRF issue highlighted by Helme, the impact of which he also disputed.
"The CSRF vulnerability he disclosed, if present on any nomx device, could potentially have allowed access if the users were on the management page of the nomx device and visited a hacked page or malware site," Donaldson told El Reg in a lengthy email. "With routine email use, it did not have any relevance and could not occur unless the management page was accessed while simultaneously going to a third party website."
He added: "We've resolved that issue with any of our users who could have been affected and no longer provide that version of nomx."
Helme responded: "They claim to have resolved the CSRF issue but haven't provided me with the update or details on how they did it. I can't see any update mechanism or feature on the device."
Professor Alan Woodward, who worked with Helme in analysing the device as part of an investigation initiated by BBC consumer tech branch Click*, told El Reg: "The only part that could be considered 'different' to normal email servers is the box-to-box communication. However, as far as I can tell this uses a standard part of Postfix: transport tables.
"I had assumed initially that there was going to be some new protocol with out-of-band comms for key exchange or similar. But it's just an email server using TLS with locally held IP addresses for where to send specific email traffic," he claimed.
What's in a name?
The name nomx (no mail exchange) was chosen for the kit because it is designed to skip vulnerable third-party mail exchange servers.
Donaldson offered a description of nomx's design aims. "Our primary goal is keeping messages off vulnerable third-party servers. We do that by forcing emails to go through certain routes on the internet instead of using traditional email relays that copy these messages and are vulnerable to a host of issues.
"Scott [Helme] has attempted to discredit nomx by stating that it is simply 'Postfix on a Pi'. That doesn't actually represent nomx – which provides a series of services and protocols that when used together resolve the vulnerabilities of the third party servers."
The number of nomx accounts that have been compromised since inception is nil, according to Donaldson.
Professor Woodward said the security questions around nomx raise a wider point about whether potential buyers can trust promises made by security vendors in general.
"My concern is that users may take much of what is claimed at face value – it is a classic example of how 'security' is unregulated and that the main group holding vendors to account are ethical hackers," he said.
*BBC Click is to air a special episode on the issue on Saturday 29 April on the iPlayer.