The creator of the nomx “secure email server” has rejected claims by two well-known British security experts that his device is not secure and that his product design is based on a false premise.
Willie Donaldson, founder, CEO and CTO of nomx LLC, says that nomx is designed to keep messages off vulnerable third-party servers. He claims that email providers such as Yahoo, Hotmail, Gmail and others cannot be trusted.
In a video on the company website, he claims that emails copied and stored on email servers are inherently insecure, pointing to millions of cases of account hacking against many of the major email providers.
“We do that by forcing emails to go through certain routes on the Internet instead of using traditional email relays that copy these messages and are vulnerable to a host of issues,” he told SC Media UK in an email.
The company has invested heavily in marketing the product. It has appeared at the Consumer Electronics Show (CES), PEPCOM, Internet of Things World and the ISC West exhibition. Donaldson has also made numerous appearances on US TV and been quoted extensively in the media including once in SC Media UK's sister publication in the US
Donaldson applied for a patent for a “secure dynamic address resolution and communication system” last year.
Professor Alan Woodward at the University of Surrey department of computing was asked by the BBC Click television programme to investigate the nomx device to test its security claims. He said the BBC had been considering featuring the device on Click as an example of innovative security technology after seeing the product at CES.
Woodward became sceptical of the claims being made for the device and enlisted the help of security researcher Scott Helme to look into it in more depth. Using a device that the BBC had obtained from nomx, Helme began an investigation which he details in-depth on his blog.
Woodward and Helme both rejected Donaldson's assertion that email service providers such as Hotmail and Gmail are inherently insecure, pointing out that they are regular users of these services themselves.
In an interview with SC Media UK yesterday, Woodward and Helme described how they discovered that:
The device that retails for US$199 to US$399 (£155 to £310) was built on a Raspberry Pi running an out of date operating system and out of date software.
It ships with a preset user (‘admin') and password (‘password') and the user is not prompted or required to change it at any stage.
There is a hardcoded superadmin account – password: ‘death'.
The device requires you to use domains that are registered with GoDaddy and to input your GoDaddy API key and API secret. This allows the device to use GoDaddy for dynamic DNS.
It needs port 25 to be opened on your router but this isn't included in the list of five ports it tells you to open.
It asks you to open port 26 which Donaldson claims is to bypass ISPs who block port 25.
Its primary feature – secure device-to-device communications – is based on Postfix, described by Wikipedia as a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail, intended as an alternative to Sendmail MTA.
The researchers have been working closely with the BBC ever since, with the aim of producing a segment for BBC Click that focuses on responsible disclosure and the role of whitehat hackers in policing cyber-security standards. The programme is scheduled to be broadcast on Saturday 29 April.
Woodward told SC that he became suspicious of the device because of its extraordinary marketing messages including the claim that it ensures “complete communication privacy”. It also uses the marketing strapline, “Everything else is insecure”.
Helme said his suspicions were raised as soon as he saw the MAC address on the back of the device which made it clear that it was running on a Raspberry Pi.
The researchers said that initially they had been expecting to have to deal with some sophisticated cryptography, but after delving into the PHP code on the device it became apparent that it was using weak encryption.
Helme said it took them several tries just to get the device to work as an email server, and that even when they got it working, by opening port 25, which was not listed in the instructions, they still faced two more problems.
Firstly, the self-signed security certificate wasn't accepted by Helme's email client, Thunderbird, and he had to authorise a security exception to make it work.
Then as soon as they tried to send email from Helme's broadband connection, the IP address was blacklisted by Spamhaus within seconds and it was blocked by the recipient's email provider.
Donaldson told SC in an email that he is no longer using the Raspberry Pi, that this was a development model which has now been replaced by a more secure device. He insists that the security certificate works, and that to send email, customers need to use their internet service provider's email relay.
The main selling feature of nomx is secure device-to-device communication. Two people, each in possession of a nomx box, are able to communicate securely by sending messages directly to each other, bypassing third-party email providers, Donaldson said.
Woodward said: “As a concept, I think one box talking securely to another box to known IPs, across the internet, with encryption across it, is fine. I don't agree there's a need for this, but the concept could work. But he's done it using cheap, free bits and pieces.”
Helme added that in his view the software was the main source of the insecurity of the system which meant that no matter what hardware it was run on, it would still be deficient.
He has come up with three different cross-site request forgery (CSRF) attacks to leverage the vulnerabilities he found in the device.
The second attack assumes that the user is not logged into the admin console but hasn't changed the default admin password. In which case, two forms are used, the first which logs the attacker into the nomx device and the second which performs the attack above.
The third attack exploits the fact that the device has a hardcoded superadmin user. Targeting the setup.php page on the nomx device, an attacker uses a hidden form to login and create another admin account. The nomx software doesn't provide the user with a list of these accounts so the attack is effectively invisible to the owner of the device.
Helme said that this attack can be launched against a device if anyone on the same LAN visits the boobytrapped page.
Discovering the hard-coded superadmin password was perhaps the hardest part of Helme's job. It was hashed but as Woodward described it, the hash was very weak. Firstly, it used SHA1 which “is broken” and has been deprecated. And the random number generated as part of the hashing algorithm wasn't random.
Helme put the hash on Twitter to ask for help in breaking it and within minutes someone had replied to say it was “death”.
Donaldson replied: “If someone jailbreaks or roots the device they can get passwords, including admin passwords. But the device must be in hand for that to occur. And we've setup the firewalls that prevent admin access unless you are on the same network/LAN.”
SC asked for clarification on this point, asking whether a blackhat hacker wouldn't be able to root the device as well and get the superadmin password. We haven't had a response to this question.
Woodward and Helme won't be drawn on Donaldson's motives, but Woodward said that this case raises fundamental questions about how to ensure that internet-connected devices in general are secure.
“These products are unregulated,” Woodward said. “People can make whatever claim they like, and I'm really worried that people are going to put their faith in these things and they are going to be compromised. It's the security community who are the only ones holding them to account. So when we find something like this, which is a prime example of someone making the boldest of claims with the least justification, that's when we really need to say something loud.”
In the absence of certififed testing labs, working to internationally recognised standards, it's up to whitehat hackers to test products and publish the results for public scrutiny. Peer review, he said, is the only way to ensure that products are secure, and the best developers have recognised this and put their products out for public review.
In an email statement to SC, Donaldson said:
“Scott [Helme] had been given a nomx device that he rooted and he's found some artifact development code and an account we used to test email deliver (using a valid Comcast account) and other administrative details that simply can't affect any users' data. He was able to do so because he had the device in hand, and rooted it, similar to jailbreaking an iPhone. That model was indeed based on a Raspberry Pi and we did a limited production of those last year.
“The CSRF vulnerability he disclosed, if present on any nomx device, could potentially have allowed access if the users were on the management page of the nomx device and visited a hacked page or malware site. With routine email use, it did not have any relevance and could not occur unless the management page was accessed while simultaneously going to a third party website.
“We've resolved that issue with any of our users who could have been affected and no longer provide that version of nomx. So the vulnerability did not actually affect any of our clients and could not occur in the future. In fact, we're no longer shipping and nomx with any form of Raspberry as a chip.
“When initially informed of this vulnerability, Scott and I had a lengthy Skype call and 42 emails to discuss this issue. I thanked him and Professor Woodward as well.
“After many emails back and forth, once Scott emailed me and said he considered the matter resolved, we didn't keep him informed of our security and mitigation procedures. Apparently he must have felt slighted, and the subsequently released a few incorrect and false statements about our communicating with him, or lack thereof.”
This morning, SC received another email from Donaldson, using the email address firstname.lastname@example.org, inviting Helme and Woodward to attack a new nomx box he had set up under this new domain.
The industry is already commenting on this story:
Professor Alan Woodward has responded to Donaldson's challenge to hack his new email domain, rejecting the challenge on the grounds that Donaldson is trying to dictate the environment in which they conduct the test.
Woodward told SC via DM on Twitter: "I'm afraid this latest response is typical of the behaviour we've seen throughout this process. Will [Donaldson] is attempting to set up a scenario where he can set the rules such that it favours his message. Our work is subject to peer review by virtue of having been published publicly, accompanied by the code, such that anyone with the requisite knowledge can check what we're saying. If another security [researcher] disagrees with our findings we would be the fist to want ot know that. However, no one that has so far looked at our findings has yet made nay such comment, nor do we expect there to be.
"It is notable that nomx have only very recently (since we talked to you) stated that they are no longer shipping devices such as the one we analysed. I would point out that both we and the BBC asked a very specific question at the outset: is this a pre-production of prototype version? The answer was a clear no. Furthermore, we were sent two boxes which we forensically checked and confirmed that they were identical in all material respects.
"As of this morning you can still order a nomx box and judging from the options it appears to be the same. If he is no shipping an alternative device perhaps he might acre to ship us one today and we will gladly see if it fixes the vulnerabilities we have identified.
"Our work (along with the data) is available for peer review, which we very much welcome. The only feedback we have had is that our colleagues have come up with other ways in which the box could be exploited.
"We are happy to analyse his box under laboratory conditions but not in some scenario where he controls how we can operate.
"In the past some media outlets have taken what nomx have said at face value - it is plausible and with the credentials they claim it is very easy to assume all is well. However, as we discussed, I strongly believe we all need to look behind the claims and look at the substance. I believe our work does that in this case."