A security researcher has managed to hack into an email service that claims to provide “absolute privacy for personal and commercial email and messaging” after finding it to be awash with vulnerabilities.
US-based startup Nomx prides itself on being the only truly secure email service and its website shouts “DID YOU KNOW THAT EVERY SINGLE MAJOR EMAIL PROVIDER HAS BEEN HACKED?”
However its claims appear to have been dis-proven by researcher Scott Helme, through a collaboration with BBC Click, as he managed to crack the device’s passwords and hack its hardware and software.
“The patent-pending nomx protocol provides secure, encrypted e-mail, messaging, audio and video communication services through a platform-agnostic protocol,” says Nomx, also claiming to use “the world’s most secure communications protocol” with the tagline “everything else is insecure”.
With these claims Helme says he was “more than happy to get involved in investigating the device”, quickly finding that it is essentially just a Raspberry Pi in a box which was running outdated software.
After downloading and examining the device’s core code, Helme was able to crack the setup password to create his own ‘superadmin’ account, take control of the device remotely through a web application vulnerability and found a host of other issues that left him “horrified” with Nomx’ level of security.
Furthermore, he found his IP was blacklisted by several other email providers and default passwords provided included “death” and “password” with no prompting to change the password to something more secure during the setup process.
“Everything seems pretty darn standard for ‘the world’s most secure communications protocol'”, he writes, adding that “the code is riddled with bad examples of how to do things” and “it’s running hideously outdated software and there appears to be no mechanism to update it at all.”
Nomx has disputed the research on its website, claiming the devices running Raspberry Pi were just built for demonstration and media use and that Helme’s tests were unrealistic and posed no threat to users.
Are you a security pro? Try our quiz!
Workforce blow. Newly privatised Toshiba has embarked on a 'revitalisation plan' that will entail the…
European Commission opens an official child safety investigation into Facebook and Instagram-owner Meta Platforms
Hundreds of AI and cloud engineers are being offered relocation out of China by Microsoft,…
Workers at unionised Apple store in Maryland vote to authorise first ever strike, after delays…
Elon Musk loses bid to avoid court order to force him to testify in SEC…
Explore how cutting-edge technologies are reshaping decision-making, driving innovation, and propelling businesses into the data-driven…
