Researcher Alleges Email Security Appliance Contains Catalog of Errors

Technology which claims to be the “the world's most secure communications protocol” has been revealed to be powered by a Raspberry Pi, have vulnerable and unpatched software and self-certifies IP addresses.

The research conducted by consultant Scott Helme found that the NOMX device (whose website was offline at the time of writing) contained software that was mostly out of date, including:

  • Raspbian GNU/Linux 7 (wheezy) - last updated May 7 2015
  • nginx version: nginx/1.2.1 - released June 5 2012
  • PHP 5.4.45-0+deb7u5 - released September 3 2015
  • OpenSSL 1.0.1t - released May 3 2016
  • Dovecot 2.1.7 - released May 29 2012
  • Postfix 2.9.6 - released February 4 2013
  • MySQL Ver 14.14 Distrib 5.5.52 - released September 6 2016

Helme said: “It's interesting to see such outdated versions of software on there, if the device was built even remotely recently I'm not sure how you'd end up with such seriously old versions installed. I had a look for any auto-update mechanism that I could find, but couldn't see anything on there.”

The device also uses a Raspberry Pi as its motherboard, which Helme described as “an awesome little device,” but not what he expected to find “in the corner of a large box that claims to provide a completely secure and proprietary email protocol.”

While the website claimed that the technology retails from $199, NOMX are offering a $10,000 bug bounty on a page that Helme believed was not intended to be public yet.

In terms of the setup process, Helme found further problems regarding finding passwords, with him having to access the source code in order to get the setup password, and add a domain – where domains offered by GoDaddy are accepted. He was also asked to open ports 26, 465, 587, 993 and 995, but not the standard SMTP port 25, which would require him to send and receive email.

However, Helme said that his email software “threw up some warnings telling me that the email server needs a security exception” and emails sent to a webmail accounts were being returned. “This really isn't good unless you plan on constantly chasing your IP off blacklists or frequently changing your IP address to avoid it being blacklisted too widely”, he added.

Speaking to Infosecurity Professor Alan Woodward from the University of Surrey, who worked with Helme on the research, said that this was a case of poor quality products being created and sold, with no one checking these but the ethical hackers due to a lack of regulation. “This is the sort of technology that without knowledge you could fall for and where people like this should be held to account”, he said.

On one feature, which was described as the ability “to send to other NOMX users who have secure accounts on their NOMX PES, you will need to create, what we call, a handshake between your NOMX device and the other NOMX device”. This is enabled by entering the Public IP of the other NOMX device, and the email address or domain (if entire domain is hosted on other NOMX device).

To test this ‘handshake’, Helme set up two NOMX devices, closed port 26 and the email send failed. Helme claimed that if it is sending to port 26, this is “absolutely no benefit whatsoever”.

Woodward said that if email is sent on port 26 and only uses TLS level encryption, it is secure but only to an extent, as the TLS is self-certified. Also if the other box’s IP address changes, you will not know who you are ‘handshaking’ with.

Asked if he felt that this was just one example of many badly built devices purporting to offer security, Woodward said that he feared it was, as in this example it uses “old, open source code as software and doesn’t test the security and we found security holes with no way to update it”. 

Elsewhere, Helme claimed that the NOMX web application was vulnerable to cross-site scripting and cross-site request forgery. He confirmed that he had originally reported the issue in mid-March, where NOMX said it “started to update/upgrade/replace any NOMX devices which may have been affected by this issue” and “to date, there have been ZERO devices affected by this issue".

“It would be very easy to conclude that this is a scam,” Helme said. “The device is running standard mail server software running on a Raspberry Pi, most of which is outdated. They have presented at countless tech shows and can be constantly found making bold statements of 'absolute security' yet didn't pick up a CSRF vulnerability in their web interface.”

He also claimed that as of 26 April, he did not have shipping confirmation of a new device, despite providing my address, or a copy of the notification sent to customers about the issue. There has also been no notice on their website or social media about the update/recall/replacement and Helme’s device has not received any updates and is still vulnerable.

Infosecurity reached out nomx for a response to this research, and CEO and CTO Will Donaldson responded, claiming the primary goal of nomx (short for no Mail eXchange) is to keep “messages off vulnerable third party servers” by forcing emails to go through certain routes on the internet, instead of using traditional email relays that copy these messages and are vulnerable to a host of issues.

Donaldson said: “Scott has attempted to discredit nomx by stating that is simply ‘Postfix on a Pi’. That doesn't actually represent nomx – which provides a series of services and protocols that when used together resolve the vulnerabilities of the third party servers.”

He explained that nomx was originally run on a Raspberry Pi (which is no longer being offered), and the final production model will be run on an Atmel SAMA5D chip family. This early version was what Helme had, he claimed, while the website to set up the nomx was used to test email delivery, while the CSRF issue has been resolved “with any of our users who could have been affected and [we] no longer provide that version of nomx”.

Donaldson went on to claim that he and Helme had conversed and that he had “subsequently released a few incorrect and false statements about our communicating with him, or lack thereof”. Despite this, nomx plan to send Helme a new device to test in a neutral environment.

“When he fails to do so, then we have easily shown that his rhetoric is just that,” he said. “If he fails to perform or questions the legitimacy of our tests then we can all see Helme was simply showing off his hacking skills after he had rooted a device that he owned.”

Helme told Infosecurity that the offer to test the updated technology was news to him, and "he has assured me and the BBC separately that this is production ready".

Donaldson confirmed that the Raspberry PI versions are not being offered anymore. "I had offered to provide Scott with new versions but he stated on 4 April that 'the matter was concluded' and as such we didn't proceed with Scott for any further mitigation or discussion until he started making claims as we've discussed."

In a statement to media, Donaldson said: "Scott, you have permission to access this nomx device, with the understanding that you must provide all the media you've contacted with the results and share them publicly. Since you've claimed that you can do this within minutes, it should not be a burden for you and I am sure the media would love to have your results for their stories.

"If you're unwilling or unable, that will speak volumes. If you can access this nomx device we'll publicly state that on our website. If you can't access this nomx device (i.e. create an email account or read the previously sent emails from this account, etc.) then you must publicly state that on your website.

"We're serious about our security and this is the quickest way to prove your allegations and claims. This device is not one which you've previously rooted, and you don't have physical access and possession of it like the one you did in your own home."

What’s Hot on Infosecurity Magazine?