Email Security Device “nomx” Has Serious Flaws: Researchers

Researchers claim to have found some serious vulnerabilities in “nomx,” a product designed for securing email communications. The vendor has disputed the findings and assured customers that its devices cannot be hacked remotely.

Nomx is a protocol and device that allegedly “ensures absolute privacy for personal and commercial email and messaging.”

British researchers Scott Helme and Professor Alan Woodward were asked by the BBC to analyze the nomx personal email server appliance, which costs between $199 and $399, depending on its storage capacity. Their analysis revealed the existence of several security issues, including flaws that can be exploited remotely to hijack a device.

An inspection of nomx hardware components showed that the device had actually been powered by a Raspberry Pi, which made it easier for the experts to gain root access and analyze the software running on it.

Nomx not as secure as vendor claims

In a post published on his personal blog, Helme said he found several pieces of outdated software running on the email security device, including Raspbian and PHP from 2015, OpenSSL and MySQL versions from 2016, a Postfix variant from 2013, and nginx and Dovecot from 2012.

According to Helme, the software running on the device does not do much in terms of securing email communications, and the expert said many major email service providers may actually block messages sent via nomx as they share some characteristics with spam.

An analysis of the nomx web interface revealed the existence of several cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities. Helme said the CSRF flaws can be exploited to create new administrator accounts (i.e. backdoors) and make configuration changes by getting a user to visit a specially crafted webpage.

The researcher said he also discovered a documented default account that provides administrator access to the device. The main problem is that the documentation does not encourage users to change the password for this account, and there is no mechanism in place to force a password change after the first login.
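The two interface weaknesses described above (CSRF on state-changing admin requests, and a documented default account whose password is never forced to change) are both addressed by routine controls. The following is an added example written for this article, not nomx code and not Helme's test material: a minimal model of an admin interface that ties every state-changing POST to a per-session synchronizer token, refuses cross-origin submissions as defense in depth, and blocks administration until the default credential has been replaced. The host name, account names, passwords and request objects are all constructed for the example.

```python
"""Added example (not nomx code): CSRF token enforcement plus a mandatory
first-login password change for a documented default admin account.
All credentials, hosts and requests below are constructed for the demo."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed default credential, standing in for one printed in product docs.
DEFAULT_ADMIN_USER = "admin"
DEFAULT_ADMIN_PASSWORD = "changeme"
MIN_PASSWORD_LEN = 12


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    is_admin: bool = False
    must_change_password: bool = False


@dataclass
class Session:
    username: str
    # Synchronizer token: random per session, rendered into the app's own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str]
    session: Optional[Session] = None
    origin: Optional[str] = None  # value of the browser's Origin header


class Server:
    def __init__(self, host: str = "https://appliance.local"):  # hypothetical host
        self.host = host
        self.accounts: Dict[str, Account] = {}
        salt = secrets.token_bytes(16)
        # The documented default account exists, but is flagged so it cannot
        # administer anything until its password has been replaced.
        self.accounts[DEFAULT_ADMIN_USER] = Account(
            DEFAULT_ADMIN_USER, salt, hash_password(DEFAULT_ADMIN_PASSWORD, salt),
            is_admin=True, must_change_password=True)

    def login(self, username: str, password: str) -> Optional[Session]:
        acct = self.accounts.get(username)
        if acct is None:
            return None
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            return None
        return Session(username)

    def _authorize_state_change(self, req: Request) -> Optional[str]:
        """Return a refusal reason, or None if the request may proceed."""
        if req.method != "POST":
            return "state changes must use POST"
        if req.session is None:
            return "not logged in"
        # A page on another site cannot read this session's token, so a forged
        # cross-site POST arrives without it (or with a guessed value).
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, req.session.csrf_token):
            return "bad csrf token"
        # Origin check as defense in depth; absent header is tolerated.
        if req.origin is not None and req.origin != self.host:
            return "cross-origin request refused"
        return None

    def change_password(self, req: Request) -> str:
        err = self._authorize_state_change(req)
        if err:
            return err
        acct = self.accounts[req.session.username]
        new_pw = req.form.get("new_password", "")
        if len(new_pw) < MIN_PASSWORD_LEN or new_pw == DEFAULT_ADMIN_PASSWORD:
            return "weak password"
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new_pw, acct.salt)
        acct.must_change_password = False
        return "ok"

    def create_admin(self, req: Request) -> str:
        err = self._authorize_state_change(req)
        if err:
            return err
        acct = self.accounts[req.session.username]
        if not acct.is_admin:
            return "admin required"
        if acct.must_change_password:
            return "password change required before administration"
        name, pw = req.form.get("username", ""), req.form.get("password", "")
        if not name or name in self.accounts or len(pw) < MIN_PASSWORD_LEN:
            return "invalid account"
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(name, salt, hash_password(pw, salt), is_admin=True)
        return "ok"


def demo() -> Dict[str, object]:
    """Walk through the forged request, the blocked admin action, and the fix."""
    srv = Server()
    sess = srv.login(DEFAULT_ADMIN_USER, DEFAULT_ADMIN_PASSWORD)
    r: Dict[str, object] = {}
    forged = Request("POST", "/admin/create", {"username": "backdoor", "password": "x" * 16},
                     session=sess, origin="https://other.example")
    r["forged_without_token"] = srv.create_admin(forged)
    legit = Request("POST", "/admin/create",
                    {"username": "ops", "password": "y" * 16, "csrf_token": sess.csrf_token},
                    session=sess, origin=srv.host)
    r["before_password_change"] = srv.create_admin(legit)
    chg = Request("POST", "/account/password",
                  {"new_password": "correct-horse-battery", "csrf_token": sess.csrf_token},
                  session=sess, origin=srv.host)
    r["password_change"] = srv.change_password(chg)
    r["after_password_change"] = srv.create_admin(legit)
    r["default_login_after_change"] = srv.login(DEFAULT_ADMIN_USER, DEFAULT_ADMIN_PASSWORD) is None
    r["backdoor_created"] = "backdoor" in srv.accounts
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The token comparison uses `hmac.compare_digest` so a wrong guess does not leak timing information, and the Origin check is kept separate from the token check so that a missing header (older clients, some proxies) does not lock administrators out while a mismatched one is still refused.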

Helme also reported that the device he had analyzed had no update mechanism that would allow users to patch the vulnerable software running on the appliance.

Nomx disputes findings and says researchers made false claims

In a statement posted on its website, Nomx disputed the findings and accused the researchers of making false claims. The company said the attack methods detailed by Helme on his blog could not be carried out in a real world scenario.

Nomx pointed out that Helme’s attack involved physical access to the device. However, the researcher said he conducted hardware hacking in order to find out more about how the device works, but this phase of his research is not related to the attacks that can be launched remotely.

Nomx said only earlier versions of its product were based on a Raspberry Pi and claimed the analyzed devices were actually demo units. The firm also provided recommendations on how users can protect themselves against potential CSRF attacks.

“No nomx devices, accounts or data was ever compromised and the blogger could not show any evidence of such actions,” the company stated.

The vendor claims to have challenged Helme and others to hack its device in a real world scenario, but they allegedly failed to complete the task. On the other hand, the researcher denies taking part in this test.

Both the experts and the BBC said they stand by their reports and claimed that the devices they received for testing were described as production units, not early demo units.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
