A security researcher has managed to hack into an email service that claims to provide “absolute privacy for personal and commercial email and messaging” after finding it to be awash with vulnerabilities.
US-based startup Nomx prides itself on being the only truly secure email service and its website shouts “DID YOU KNOW THAT EVERY SINGLE MAJOR EMAIL PROVIDER HAS BEEN HACKED?”
However its claims appear to have been dis-proven by researcher Scott Helme, through a collaboration with BBC Click, as he managed to crack the device’s passwords and hack its hardware and software.
“The patent-pending nomx protocol provides secure, encrypted e-mail, messaging, audio and video communication services through a platform-agnostic protocol,” says Nomx, also claiming to use “the world’s most secure communications protocol” with the tagline “everything else is insecure”.
With these claims Helme says he was “more than happy to get involved in investigating the device”, quickly finding that it is essentially just a Raspberry Pi in a box which was running outdated software.
After downloading and examining the device’s core code, Helme was able to crack the setup password to create his own ‘superadmin’ account, take control of the device remotely through a web application vulnerability and found a host of other issues that left him “horrified” with Nomx’ level of security.
Furthermore, he found his IP was blacklisted by several other email providers and default passwords provided included “death” and “password” with no prompting to change the password to something more secure during the setup process.
“Everything seems pretty darn standard for ‘the world’s most secure communications protocol'”, he writes, adding that “the code is riddled with bad examples of how to do things” and “it’s running hideously outdated software and there appears to be no mechanism to update it at all.”
Nomx has disputed the research on its website, claiming the devices running Raspberry Pi were just built for demonstration and media use and that Helme’s tests were unrealistic and posed no threat to users.
Are you a security pro? Try our quiz!
Thoma Bravo agrees to acquire Darktrace for $5.32 billion in cash, delivering some welcome news…
Customer adoption of AI services embedded in cloud services continues to deliver results for Microsoft,…
TikTok's 'secret source' algorithm is so core to ByteDance, it would rather shut down US…
After relocating from California to Texas in 2020, Oracle's Larry Ellison now reveals plan to…
Share price hit after Meta admits heavy AI spending plans, after posting strong first quarter…
For third time Google delays phase-out of third-party Chrome cookies after pushback from industry and…