29/04/2017

Transcript

:00:00. > :00:33.Over the last few years, billions of e-mail accounts

:00:34. > :00:41.Last year, Yahoo announced that over 1.5 billion e-mail accounts

:00:42. > :00:43.were compromised between 2013 and 2014, the largest

:00:44. > :00:52.Then it emerged that Russian hackers had gained access to 60,000 e-mails

:00:53. > :00:56.from Hillary Clinton's presidential campaign.

:00:57. > :00:59.Some believe the resulting leaks helped swing the election for Trump.

:01:00. > :01:07.is something most of us already knew.

:01:08. > :01:10.We send, each of us, all the time, hugely personal information

:01:11. > :01:14.Information that we'd like to keep private,

:01:15. > :01:18.but others are all too often able to see.

:01:19. > :01:21.So how about something that guarantees to protect

:01:22. > :01:27.Sounds like something you wanna have, doesn't it?

:01:28. > :01:29.Well, this is Nomx, a box which promises

:01:30. > :01:40.It was at CES that we came across this device as it was introduced

:01:41. > :01:45.I met the boss, Will Donaldson, who has impressive security

:01:46. > :01:49.He's worked in computer security and built web applications

:01:50. > :01:53.for the Pentagon, the Marine Corps and he was Chief Technology Officer

:01:54. > :02:04.for the F35 joint strike fighter communications facility.

:02:05. > :02:08.So what does he think is wrong with bog standard e-mail?

:02:09. > :02:09.Well, the Nomx promotional videos explain the problem.

:02:10. > :02:13.When you send an e-mail, copies of the message end up

:02:14. > :02:14.on several internet servers along the way.

:02:15. > :02:18.Will says all of the recent big e-mail hacks have involved one

:02:19. > :02:20.of these servers being compromised and what's more

:02:21. > :02:28.So those vulnerabilities, we've identified six core ones

:02:29. > :02:32.that encompass 100% of hacks that have occurred to date.

:02:33. > :02:35.Will's solution is a $199 box that acts as your own

:02:36. > :02:43.It'll talk to other e-mail services, but where it comes

:02:44. > :02:47.into its own is when it connects directly to another Nomx box

:02:48. > :02:50.at the other end, the pair of them replacing the cloud servers

:02:51. > :02:54.that your message would usually flow through.

:02:55. > :02:55.That means no copies are stored anywhere

:02:56. > :03:06.The idea has caught the imagination of some in the security industry,

:03:07. > :03:11.who've called it a "personal cloud on steroids" and Will himself has

:03:12. > :03:14.become a bit of a star, being interviewed on US national

:03:15. > :03:19.television and elsewhere in the media as a security guru.

:03:20. > :03:22.So what you're pitching here is that you can make a black

:03:23. > :03:25.box, that black box there, that is more secure

:03:26. > :03:26.than a multibillion dollar company's servers?

:03:27. > :03:35.It's been proved they're vulnerable, my question is to you is,

:03:36. > :03:37.you're not a multibillion dollar company.

:03:38. > :03:39.Not yet. Not yet.

:03:40. > :03:43.Why should I believe that your security is any better

:03:44. > :03:47.than theirs and why should I believe that there are no vulnerabilities

:03:48. > :03:49.that you have accidentally left in your box?

:03:50. > :03:51.What we've done is identify the categories of those

:03:52. > :03:54.vulnerabilities and all of the hacks that have occurred have been

:03:55. > :04:01.By removing them from the equation, we've now negated them

:04:02. > :04:05.So the theory sounds a good one, avoid making multiple copies

:04:06. > :04:08.of your messages across potentially vulnerable servers on the internet.

:04:09. > :04:11.You just have to rely on the Nomx boxes themselves not

:04:12. > :04:19.You all know this man, Dan Simmons, one of Click's most experienced

:04:20. > :04:21.reporters and famously, if someone says something

:04:22. > :04:23.is unbreakable, you try and break it?

:04:24. > :04:27.Well look, often on this programme we look at new things

:04:28. > :04:34.as anybody else to see them, but sometimes just sometimes,

:04:35. > :04:37.something seems a little bit too good to be true and absolute

:04:38. > :04:39.security, I've never heard anyone in the cyber security industry

:04:40. > :04:42.promise that, but that's exactly what this company are doing.

:04:43. > :04:49.So to prove a point, you're going to try and hack this box?

:04:50. > :04:52.I think I've found somebody who may be able

:04:53. > :04:57.Scott Helme is one of the UK's most respected professional white hat

:04:58. > :05:05.He's helped discover some big security flaws in the past,

:05:06. > :05:07.including hacking home routers and electric cars.

:05:08. > :05:11.Scott's had the Nomx box in his hands for just a few minutes

:05:12. > :05:19.Hey, Scott. How's it going?

:05:20. > :05:21.How'd you get on? Good, yeah.

:05:22. > :05:24.I've had a look over this device and I was quite surprised

:05:25. > :05:29.So when I flipped it over, we saw what we call the MAC address

:05:30. > :05:32.here, which is the device's unique identifier and these first three

:05:33. > :05:35.segments identify the manufacturer, that tells you who builds

:05:36. > :05:40.So I went away and I looked these up and they're actually registered

:05:41. > :05:43.to the Raspberry Pi Foundation that make the Raspberry Pi computer.

:05:44. > :05:45.That's the hobbyists' computer we've seen on Click.

:05:46. > :05:50.But Nomx is the manufacturer, right? Yeah.

:05:51. > :05:53.So what I did, I went ahead and opened this up

:05:54. > :05:59.There is in fact a Raspberry Pi inside this, which is white

:06:00. > :06:05.There's nothing else they've done with this that we can see inside.

:06:06. > :06:07.That is just a standard £35 Raspberry Pi.

:06:08. > :06:11.But what does that say to you when as a security guy

:06:12. > :06:15.I guess, there are further things to be found here that

:06:16. > :06:22.I've also asked Professor Alan Woodward, a well-known cyber

:06:23. > :06:25.security expert, who's advised the UK Government and Europol

:06:26. > :06:29.to take a look at the Nomx box to see how it works.

:06:30. > :06:33.Well, already through the set-up process, there's a few things

:06:34. > :06:37.for a product that bills itself as being absolutely secure,

:06:38. > :06:41.there's a few things that we found that give rise for concern.

:06:42. > :06:44.And we certainly want to look a bit further into it.

:06:45. > :06:50.Just plugging it in has sent alarm bells ringing for Alan.

:06:51. > :06:53.The set up of the device is through a web application that

:06:54. > :06:58.It doesn't ask Alan to open up port 25.

:06:59. > :07:01.Now, that's a key port on his router he will need

:07:02. > :07:03.to communicate with popular e-mail servers like Gmail

:07:04. > :07:09.It's never going to receive e-mail from an external service.

:07:10. > :07:14.Unless you know to go to your router and change port 25.

:07:15. > :07:18.No, it doesn't, the documentation doesn't have it in there.

:07:19. > :07:21.It tells you all these other ports, but not port 25.

:07:22. > :07:25.So you're having a quiet life for a few years to come receiving no

:07:26. > :07:29.Hotmail instantly knows that you're sending it

:07:30. > :07:34.It's what's called a dynamic address, because it changes.

:07:35. > :07:39.Every time you turn your router on you get a new one.

:07:40. > :07:41.It spots that and says, we don't accept e-mails

:07:42. > :07:46.Because they just assume nobody's going to be running an e-mail server

:07:47. > :07:50.So this box can't send an e-mail to Hotmail?

:07:51. > :07:52.To any Hotmail address? No.

:07:53. > :07:57.And if you try and send it to something like Gmail,

:07:58. > :08:02.then what happens is, because of things like the way

:08:03. > :08:04.Hotmail spots it, as you'll see there,

:08:05. > :08:10.Spamhaus, which is one of the biggest spam filters,

:08:11. > :08:17.Now, to be fair, Nomx doesn't open port 25,

:08:18. > :08:22.But as we've seen, without 25 open, it's going to be

:08:23. > :08:25.difficult to hear from the rest of the world.

:08:26. > :08:27.Well, bearing in mind it's got one job to do,

:08:28. > :08:31.which is to be an e-mail server, that's a pretty poor show.

:08:32. > :08:35.And there were more surprises to come when Alan opened the box.

:08:36. > :08:39.One of the simplest machines to break into is a Raspberry Pi.

:08:40. > :08:42.Everything is on this one little card.

:08:43. > :08:45.It's on one of these tiny little cards.

:08:46. > :08:47.So all of your e-mails, all of your software,

:08:48. > :08:50.everything is running on one of these tiny little cards.

:08:51. > :08:53.Now, actually, if somebody did have physical access to this

:08:54. > :08:56.what they could do is they could whip that card out,

:08:57. > :08:59.copy it, put the card back in, put it all back together

:09:00. > :09:02.and you'd be none the wiser and they've got a copy

:09:03. > :09:03.of everything, including your e-mail.

:09:04. > :09:07.Because one of the things about this is it's not encrypted in any way

:09:08. > :09:11.This is not using any encryption? For storage, none at all.

:09:12. > :09:14.And what we did was, you said the simplest thing to do,

:09:15. > :09:17.because it is a complete Raspberry Pi, the simplest thing

:09:18. > :09:21.to do was actually plug it into a monitor and see what came up.

:09:22. > :09:23.So this is an HDMI. HDMI cable.

:09:24. > :09:26.The first concern would be if it is actually running

:09:27. > :09:30.Raspberry Pi as an operating system, which it is, it immediately tells

:09:31. > :09:40.Postfix is the mail transport agent, that's part of the mail server.

:09:41. > :09:43.It was just all totally standard stuff.

:09:44. > :09:46.So how old is the software on there at the moment?

:09:47. > :09:48.Well, that's another thing that we found,

:09:49. > :09:55.In that it's so old we couldn't actually get hold of some

:09:56. > :09:59.It's running Raspberry Pi's own operating system.

:10:00. > :10:02.It's a version called Wheezy, which you can no longer download

:10:03. > :10:06.They've taken it off because they don't want people

:10:07. > :10:10.Likewise all this Postfix Admin, there is another piece

:10:11. > :10:12.of software called Dovecot, all of which are free bits

:10:13. > :10:16.of software, but some of it dates back to 2009.

:10:17. > :10:19.It's inevitable that people will find bugs,

:10:20. > :10:22.flaws, in any bit of software and what people do is they release

:10:23. > :10:28.The problem with the way this is put together is there is no way

:10:29. > :10:33.There is a whole series of things about the way this is put together

:10:34. > :10:35.that make you think, absolute security is...

:10:36. > :10:40.Now, it's important to say at this point,

:10:41. > :10:42.there's nothing wrong with the hardware or the software

:10:43. > :10:45.that you're talking about per se, Raspberry Pi is fine,

:10:46. > :10:48.the software used, Postfix Admin, is just a piece

:10:49. > :10:55.Yeah, I mean, the Raspberry Pi is a great bit of hobbyist kit

:10:56. > :10:59.as in the other programmes we have looked at, they do the job,

:11:00. > :11:02.if you've got the latest versions of them.

:11:03. > :11:08.They're still selling this box right now as a finished product?

:11:09. > :11:11.It was being sold when you were testing it?

:11:12. > :11:13.Absolutely, and as we're filming it is today.

:11:14. > :11:15.OK, you've studied the box, what next?

:11:16. > :11:20.Well, surprise, surprise, Scott thinks he can hack it.

:11:21. > :11:26.I'm afraid because this is the short version of Click, we're going to

:11:27. > :11:30.have to leave the story there. If you want to know more details about

:11:31. > :11:33.the hack and if you'd like to hear from Alan and Scott about what

:11:34. > :11:37.happens after you hack a box like this you're going to have to watch

:11:38. > :11:45.the full version, which is on iPlayer right now. Follow us

:11:46. > :11:46.on Twitter too @BBCclick. Thanks for watching and we'll see you soon.