Researchers claim to have found some serious vulnerabilities in “nomx,” a product designed for securing email communications. The vendor has disputed the findings and assured customers that its devices cannot be hacked remotely.
Nomx is a protocol and device that allegedly “ensures absolute privacy for personal and commercial email and messaging.”
British researchers Scott Helme and Professor Alan Woodward have been asked by the BBC to analyze the nomx personal email server appliance, which costs between $199 and $399, depending on its storage capacity. Their analysis revealed the existence of several security issues, including flaws that can be exploited remotely to hijack a device.
An inspection of nomx hardware components showed that the device had actually been powered by a Raspberry Pi, which made it easier for the experts to gain root access and analyze the software running on it.
In a post published on his personal blog, Helme said he found several pieces of outdated software running on the email security device, including Raspbian and PHP from 2015, OpenSSL and MySQL versions from 2016, a Postfix variant from 2013, and nginx and Dovecot from 2012.
According to Helme, the software running on the device does not do much in terms of securing email communications, and the expert said many major email service providers may actually block messages sent via nomx as they share some characteristics with spam.
An analysis of the nomx web interface revealed the existence of several cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities. Helme said the CSRF flaws can be exploited to create new administrator accounts (i.e. backdoors) and make configuration changes by getting a user to visit a specially crafted webpage.
The researcher said he also discovered a documented, default account that provides administrator access to the device. The main problem is that the documentation does not encourage users to change the password to this account and there is no mechanisms in place to force a password change after the first login.
Helme also reported that the device he had analyzed had no update mechanism that would allow users to patch the vulnerable software running on the appliance.
Nomx disputes findings and says researchers made false claims
In a statement posted on its website, Nomx disputed the findings and accused the researchers of making false claims. The company said the attack methods detailed by Helme on his blog could not be carried out in a real world scenario.
Nomx pointed out that Helme’s attack involved physical access to the device. However, the researcher said he conducted hardware hacking in order to find out more about how the device works, but this phase of his research is not related to the attacks that can be launched remotely.
Nomx said only earlier versions of its product were based on a Raspberry Pi and claimed the analyzed devices were actually demo units. The firm also provided recommendations on how users can protect themselves against potential CSRF attacks.
“No nomx devices, accounts or data was ever compromised and the blogger could not show any evidence of such actions,” the company stated.
The vendor claims to have challenged Helme and others to hack its device in a real world scenario, but they allegedly failed to complete the task. On the other hand, the researcher denies taking part in this test.
Both the experts and the BBC said they stand by their reports and claimed that the devices they received for testing were described as production units, not early demo units.