Researcher Finds Super Secure Email Service Nomx ‘Riddled’ With Security Flaws


Researcher Scott Helme was left “horrified” at Nomx’ level of security after analysing the device

A security researcher has managed to hack into an email service that claims to provide “absolute privacy for personal and commercial email and messaging” after finding it to be awash with vulnerabilities.

US-based startup Nomx prides itself on being the only truly secure email service and its website shouts “DID YOU KNOW THAT EVERY SINGLE MAJOR EMAIL PROVIDER HAS BEEN HACKED?”

However its claims appear to have been dis-proven by researcher Scott Helme, through a collaboration with BBC Click, as he managed to crack the device’s passwords and hack its hardware and software.


Fake news?

“The patent-pending nomx protocol provides secure, encrypted e-mail, messaging, audio and video communication services through a platform-agnostic protocol,” says Nomx, also claiming to use “the world’s most secure communications protocol” with the tagline “everything else is insecure”.

With these claims Helme says he was “more than happy to get involved in investigating the device”, quickly finding that it is essentially just a Raspberry Pi in a box which was running outdated software.

After downloading and examining the device’s core code, Helme was able to crack the setup password to create his own ‘superadmin’ account, take control of the device remotely through a web application vulnerability and found a host of other issues that left him “horrified” with Nomx’ level of security.

Furthermore, he found his IP was blacklisted by several other email providers and default passwords provided included “death” and “password” with no prompting to change the password to something more secure during the setup process.

“Everything seems pretty darn standard for ‘the world’s most secure communications protocol'”, he writes, adding that “the code is riddled with bad examples of how to do things” and “it’s running hideously outdated software and there appears to be no mechanism to update it at all.”

Nomx has disputed the research on its website, claiming the devices running Raspberry Pi were just built for demonstration and media use and that Helme’s tests were unrealistic and posed no threat to users.

Are you a security pro? Try our quiz!