0:00:04 > 0:00:13Finally there is a box which is immune
0:00:14 > 0:00:49Over the last few years, billions of e-mail accounts
0:00:50 > 0:01:00Last year, Yahoo announced that over 1.5 billion e-mail accounts
0:01:01 > 0:01:02were compromised between 2013 and 2014, the largest
0:01:03 > 0:01:10Then it emerged that Russian hackers had gained access to 60,000 e-mails
0:01:11 > 0:01:14from Hillary Clinton's presidential campaign.
0:01:15 > 0:01:23Some believe the resulting leaks helped swing the election for Trump.
0:01:24 > 0:01:27is something most of us already knew,
0:01:28 > 0:01:30we send, each of us, all the time, hugely personal information
0:01:31 > 0:01:34Information that we'd like to keep private,
0:01:35 > 0:01:36but others are all too often able to see.
0:01:37 > 0:01:38So how about something that guarantees to protect
0:01:39 > 0:01:44Sounds like something you want to have, doesn't it?
0:01:45 > 0:01:46Well, this is Nomx, a box which promises
0:01:47 > 0:01:58It was at CES that we came across this device as it was introduced
0:01:59 > 0:02:03I met the boss, Will Donaldson, who has impressive security
0:02:04 > 0:02:08He's worked in computer security and worked on web applications
0:02:09 > 0:02:15for the Pentagon, the Marine Corps and he was Chief Technology Officer
0:02:16 > 0:02:17for the F-35 Joint Strike Fighter communications facility.
0:02:18 > 0:02:24So what does he think is wrong with bog-standard e-mail?
0:02:25 > 0:02:26Well, the Nomx promotional videos explain the problem.
0:02:27 > 0:02:29When you send an e-mail, copies of the message end up
0:02:30 > 0:02:33on several internet servers along the way.
0:02:34 > 0:02:36Will says all of the recent big e-mail hacks have involved one
0:02:37 > 0:02:38of these servers being compromised and what's more
0:02:39 > 0:02:45So those vulnerabilities, we have identified six core ones
0:02:46 > 0:02:51that encompass 100% of hacks that have occurred to date.
0:02:52 > 0:02:54Will's solution is a $199 box that acts as your own
0:02:55 > 0:03:02It'll talk to other e-mail services, but where it comes
0:03:03 > 0:03:06into its own is when it connects directly to another Nomx box
0:03:07 > 0:03:14at the other end, the pair of them replacing the cloud servers
0:03:15 > 0:03:17that your message would usually flow through.
0:03:18 > 0:03:18That means no copies are stored anywhere
0:03:19 > 0:03:28The idea has caught the imagination of some in the security industry,
0:03:29 > 0:03:31who've called it a "personal cloud on steroids" and Will himself has
0:03:32 > 0:03:35become a bit of a star, being interviewed on US national
0:03:36 > 0:03:43television and elsewhere in the media as a security guru.
0:03:44 > 0:03:46So what you're pitching here is that you can make a black
0:03:47 > 0:03:49box, that black box there, that is more secure
0:03:50 > 0:03:50than a multibillion dollar company's servers?
0:03:51 > 0:03:58It's been proved they're vulnerable, my question to you is,
0:03:59 > 0:03:59you're not a multibillion dollar company.
0:04:00 > 0:04:00Not yet. Not yet.
0:04:01 > 0:04:03Why should I believe that your security is any better
0:04:04 > 0:04:06than theirs and why should I believe that there are no vulnerabilities
0:04:07 > 0:04:09that you have accidentally left in your box?
0:04:10 > 0:04:12What we've done is identify the categories of those
0:04:13 > 0:04:15vulnerabilities and all of the hacks that have occurred have been
0:04:16 > 0:04:19By removing them from the equation, we have now negated them
0:04:20 > 0:04:24So the theory sounds a good one - avoid making multiple copies
0:04:25 > 0:04:28of your messages across potentially vulnerable servers on the internet.
0:04:29 > 0:04:31You just have to rely on the Nomx boxes themselves not
0:04:32 > 0:04:38You all know this man, Dan Simmons, one of Click's most experienced
0:04:39 > 0:04:40reporters and famously, if someone says something
0:04:41 > 0:04:42is unbreakable, you try and break it?
0:04:43 > 0:04:48Well look, on this programme we look at new things and we are as excited
0:04:49 > 0:04:54as anybody to see them, but sometimes just sometimes,
0:04:55 > 0:04:57something seems a little bit too good to be true and absolute
0:04:58 > 0:05:00security, I've never heard anyone in the cyber security industry
0:05:01 > 0:05:03promise that, but that is exactly what this company are doing.
0:05:04 > 0:05:07So to prove a point, you're going to try and hack this box?
0:05:08 > 0:05:11I think I've found somebody who may be able
0:05:12 > 0:05:18Scott Helme is one of the UK's most respected professional white hat
0:05:19 > 0:05:24He's helped discover some big security flaws in the past,
0:05:25 > 0:05:28including hacking home routers and electric cars.
0:05:29 > 0:05:35Scott's had the Nomx box in his hands for just a few minutes
0:05:36 > 0:05:40Hey, Scott. How's it going?
0:05:41 > 0:05:42How'd you get on? Good, yes.
0:05:43 > 0:05:46I have had a look over this device and I was quite surprised
0:05:47 > 0:05:51So when I flipped it over, we saw what we call the MAC address
0:05:52 > 0:05:54here, which is the device's unique identifier and these first three
0:05:55 > 0:05:56segments identify the manufacturer, that tells you who builds
0:05:57 > 0:06:00So I went away and I looked these up and they're actually registered
0:06:01 > 0:06:04to the Raspberry Pi Foundation that make the Raspberry Pi computer.
0:06:05 > 0:06:06That's the hobbyists' computer we've seen on Click.
0:06:07 > 0:06:08The credit-card-sized device. But Nomx is the manufacturer?
0:06:09 > 0:06:11So what I did, I went ahead and opened this up
0:06:12 > 0:06:20There is in fact a Raspberry Pi inside this, which is white
0:06:21 > 0:06:25There's nothing else they have done with this that we can see inside.
0:06:26 > 0:06:27That is just a standard £35 Raspberry Pi.
0:06:28 > 0:06:33But what does that say to you when as a security guy
0:06:34 > 0:06:37I guess, there are further things to be found here that
0:06:38 > 0:06:42I've also asked Professor Alan Woodward, a well-known cyber
0:06:43 > 0:06:44security expert, who's advised the UK Government and Europol
0:06:45 > 0:06:48to take a look at the Nomx box to see how it works.
0:06:49 > 0:06:53Well, already through the set up process, there are a few things
0:06:54 > 0:06:58for a product that bills itself as being absolutely secure,
0:06:59 > 0:07:01there are a few things that we found that give rise for concern.
0:07:02 > 0:07:06And we certainly want to look a bit further into it.
0:07:07 > 0:07:09Just plugging it in has sent alarm bells ringing for Alan.
0:07:10 > 0:07:12The set up of the device is through a web application that
0:07:13 > 0:07:21Now, that is a key port on his router he will need
0:07:22 > 0:07:23to communicate with popular e-mail servers like Gmail
0:07:24 > 0:07:27It's never going to receive e-mail from an external service.
0:07:28 > 0:07:32Unless you know to go to your router and change port 25.
0:07:33 > 0:07:37No, it doesn't, the documentation doesn't have it in there.
0:07:38 > 0:07:40It tells you all these other ports, but not port 25.
0:07:41 > 0:07:44So you're having a quiet life for a few years to come receiving no
0:07:45 > 0:07:47Hotmail instantly knows that you're sending it
0:07:48 > 0:07:53It's what's called a dynamic address, because it changes.
0:07:54 > 0:07:57Every time you turn your router on you get a new one.
0:07:58 > 0:08:00It spots that and says, we don't accept e-mails
0:08:01 > 0:08:04Because they just assume nobody's going to be running an e-mail server
0:08:05 > 0:08:08So this box can't send an e-mail to Hotmail?
0:08:09 > 0:08:13To any Hotmail address? No.
0:08:14 > 0:08:17And if you try and send it to something like Gmail,
0:08:18 > 0:08:22then what happens is, because of things like the way
0:08:23 > 0:08:24Hotmail spots it, as you will see there,
0:08:25 > 0:08:31Spamhaus, which is one of the biggest spam filters,
0:08:32 > 0:08:38Now, to be fair, Nomx doesn't open port 25,
0:08:39 > 0:08:42But as we've seen, without 25 open, it's going to be
0:08:43 > 0:08:44difficult to hear from the rest of the world.
0:08:45 > 0:08:47Well, bearing in mind it has one job to do,
0:08:48 > 0:08:51which is be an e-mail server, that's a pretty poor show.
0:08:52 > 0:08:54And there were more surprises to come when Alan opened the box.
0:08:55 > 0:08:58One of the simplest machines to break into is a Raspberry Pi.
0:08:59 > 0:09:04Everything is on this one little card.
0:09:05 > 0:09:06It is on one of these tiny little cards.
0:09:07 > 0:09:11So all of your e-mails, all of your software,
0:09:12 > 0:09:14everything is running on one of these tiny little cards.
0:09:15 > 0:09:17Now, actually, if somebody did have physical access to this
0:09:18 > 0:09:20what they could do is they could whip that card out,
0:09:21 > 0:09:23copy it, put the card back in, put it all back together
0:09:24 > 0:09:26and you'd be none the wiser and they have got a copy
0:09:27 > 0:09:27of everything, including your e-mail.
0:09:28 > 0:09:31Because one of the things about this is it's not encrypted in any way
0:09:32 > 0:09:35This is not using any encryption? For storage, none at all.
0:09:36 > 0:09:38And what we did was, you said the simplest thing to do,
0:09:39 > 0:09:41because it is a complete Raspberry Pi, the simplest thing
0:09:42 > 0:09:45to do was actually plug it into a monitor and see what came up.
0:09:46 > 0:09:48HDMI cable. Here we go.
0:09:49 > 0:09:50The first concern would be if it is actually running
0:09:51 > 0:09:53Raspberry Pi as an operating system, which it is, it immediately tells
0:09:54 > 0:09:58Postfix is the mail transport agent, that is part of the mail server.
0:09:59 > 0:10:02It was just all totally standard stuff.
0:10:03 > 0:10:04So how old is the software on there at the moment?
0:10:05 > 0:10:06Well, that's another thing that we found,
0:10:07 > 0:10:12In that it's so old we couldn't actually get hold of some
0:10:13 > 0:10:15It's running Raspberry Pi's own operating system.
0:10:16 > 0:10:18It's a version called Wheezy, which you can no longer download
0:10:19 > 0:10:22They have taken it off because they don't want people
0:10:23 > 0:10:28Likewise all this Postfix Admin, there is another piece
0:10:29 > 0:10:31of software called Dovecot, all of which are free bits
0:10:32 > 0:10:34of software, but some of it dates back to 2009.
0:10:35 > 0:10:36It's inevitable that people will find bugs,
0:10:37 > 0:10:39flaws, in any bit of software and what people do is they release
0:10:40 > 0:10:52The problem with the way this is put together is there is no way
0:10:53 > 0:10:56There is a whole series of things about the way this is put together
0:10:57 > 0:10:58that make you think, absolute security is...
0:10:59 > 0:11:01A stretch I think is the best way to put it.
0:11:02 > 0:11:04Now, it is important to say at this point,
0:11:05 > 0:11:07there is nothing wrong with the hardware or the software
0:11:08 > 0:11:10that you're talking about per se, Raspberry Pi is fine,
0:11:11 > 0:11:12the software used, Postfix Admin, is just a piece
0:11:13 > 0:11:17Yes, I mean the Raspberry Pi is a great bit of kit and Postfix,
0:11:18 > 0:11:20as in the other programmes we have looked at, they do the job,
0:11:21 > 0:11:22if you've got the latest versions of them.
0:11:23 > 0:11:29They're still selling this box right now as a finished product?
0:11:30 > 0:11:31It was being sold when you were testing it?
0:11:32 > 0:11:34Absolutely, and as we're filming it is today.
0:11:35 > 0:11:35OK, you've studied the box, what next?
0:11:36 > 0:11:38Well, surprise, surprise, Scott thinks he can hack it.
0:11:39 > 0:11:41So I thought, yeah, OK, fair enough, go ahead and we'll film it.
0:11:42 > 0:11:45So to start with, we decided to get a second box in,
0:11:46 > 0:11:48just to make sure this wasn't a prototype or there was anything
0:11:49 > 0:11:51dodgy with it and that came along in the post.
0:11:52 > 0:11:54Right, got a letter in the post from Nomx to say, Dear Dan,
0:11:55 > 0:11:58as per your request I have enclosed another device for you to use
0:11:59 > 0:12:04See what you make of it. Let's see.
0:12:05 > 0:12:13So, we appear to have some instructions in this one.
0:12:14 > 0:12:18Yes, the original device. They do appear, it appears the same.
0:12:19 > 0:12:22So that, if it is the same, it is not going to be a prototype.
0:12:23 > 0:12:26Yeah, so this is what we are looking for are the additional ones they're
0:12:27 > 0:12:30Looking at the MAC on the bottom, it appears to be a Raspberry Pi
0:12:31 > 0:12:34The hardware's identical, so Scott's using a programme called
0:12:35 > 0:12:36Meld to check if the software is the same too.
0:12:37 > 0:12:39It's showing us that they're virtually identical with a couple
0:12:40 > 0:12:42of minor changes that don't change the operation of the box.
0:12:43 > 0:12:45They're actually using the same user name and password on all devices,
0:12:46 > 0:12:50which is printed just there in the manual.
0:12:51 > 0:12:52So this is admin@example.com and the password is "password".
0:12:53 > 0:12:56Obviously they do? No.
0:12:57 > 0:13:01It's not in the instructions and when I log into the device it
0:13:02 > 0:13:06So all these high security boxes have the same admin
0:13:07 > 0:13:11Yes. Which is password.
0:13:12 > 0:13:21You cannot have a weak password and a default password,
0:13:22 > 0:13:24and this is both, and leave it on the device.
0:13:25 > 0:13:27You should force the user to set their own password so that
0:13:28 > 0:13:30every device in the world has a unique password.
0:13:31 > 0:13:31Because otherwise, because we're lazy, aren't we?
0:13:32 > 0:13:34We would just leave that as password, because I'll remember it.
0:13:35 > 0:13:41You have one of these at home, it is just a normal router.
0:13:42 > 0:13:44This is 7F7F, a PIN on here that's unique to this device.
0:13:45 > 0:13:46Here's another device that I might plug in.
0:13:47 > 0:13:52You pick up one of these Nomx boxes, there is no PIN on here,
0:13:53 > 0:13:54apart from the security through the web server,
0:13:55 > 0:14:08And knowing that, has opened a door for Scott to deliver a package
0:14:09 > 0:14:11If users haven't changed their password, then Scott's
0:14:12 > 0:14:13malicious software will hand him control of their e-mails.
0:14:14 > 0:14:17So this is the picture of the cat, there is the picture of Steve Jobs
0:14:18 > 0:14:21and those two things go in to this page.
0:14:22 > 0:14:24All he's got to do now is to persuade unsuspecting users
0:14:25 > 0:14:32Completely unrelated, I'm going to show you this funny
0:14:33 > 0:14:35Top ten funniest pictures of your pet.
0:14:36 > 0:14:39And what I'm going to do now is I'm going to go back to the Nomx device.
0:14:40 > 0:14:42And if I scroll down, how many e-mail addresses
0:14:43 > 0:14:50That one was placed there by the web-site with the pictures
0:14:51 > 0:14:54of cats and dogs on that we just looked at.
0:14:55 > 0:14:57But what this actually does is launch something called a
0:14:58 > 0:15:01Now when I visit this web-site, while I'm reading this article,
0:15:02 > 0:15:06I can do anything that I want on your Nomx device,
0:15:07 > 0:15:10We then went back and looked at these older versions
0:15:11 > 0:15:16of the software and this is a fault that's been record
0:15:17 > 0:15:21So they have in fact not just Nomx, but everyone's known about this.
0:15:22 > 0:15:35Now, remember Nomx claim to have the world's most secure
0:15:36 > 0:15:37protocol, offering absolute security and they even take issue
0:15:38 > 0:15:40with services like Gmail and Microsoft, saying everything
0:15:41 > 0:15:48But we've just discovered how to hack these boxes
0:15:49 > 0:15:55The things I found are in the OWASP Top Ten, they are and have been at one
0:15:56 > 0:15:58time the most common vulnerabilities found in the web.
0:15:59 > 0:16:03When you teach people how to develop web applications,
0:16:04 > 0:16:06you say, these are the things you need to check for and it's
0:16:07 > 0:16:09the top ten things you tell them to look for.
0:16:10 > 0:16:17Yeah, for a company that's making claims about absolute security,
0:16:18 > 0:16:21then they should have been aware of the OWASP Top Ten and run that
0:16:22 > 0:16:32I can't see how they can patch it and protect their consumers.
0:16:33 > 0:16:38I can't see how they can look after the people that have been put
0:16:39 > 0:16:42at risk and currently are at risk and always have been at risk.
0:16:43 > 0:16:53I can't see how they can protect those people,
0:16:54 > 0:16:56other than telling them to unplug the device and stop using it.
0:16:57 > 0:17:00Now it's worth saying that users who had changed their admin password
0:17:01 > 0:17:02wouldn't have been quite as vulnerable to this attack.
0:17:03 > 0:17:05So Scott wanted to go further and found this key lying around
0:17:06 > 0:17:10in the code - an identical key on both Nomx boxes.
0:17:11 > 0:17:12These innocuous looking two lines are the master password
0:17:13 > 0:17:20It shouldn't be in full view when analysing the code on the box,
0:17:21 > 0:17:24Now, it looks like gobbledegook, because this is the master password
0:17:25 > 0:17:37Scott's got some - shall we say - resourceful friends,
0:17:38 > 0:17:41but the fact the master password is a five-letter word all in lower
0:17:42 > 0:17:56A simple dictionary attack took less than ten minutes to decode
0:17:57 > 0:17:58it, and now Scott has the keys to the castle.
0:17:59 > 0:18:01It doesn't matter now if users have changed their admin passwords
0:18:02 > 0:18:04from password, they just need to click on the kittens.
0:18:05 > 0:18:07You don't have to visit this malicious web-site on the machine
0:18:08 > 0:18:09that you're administering the box with.
0:18:10 > 0:18:12It just needs to be another machine that's on the same network
0:18:13 > 0:18:15So your teenage daughter, for example, or anyone else,
0:18:16 > 0:18:25granny or whatever, could get this message,
0:18:26 > 0:18:28click on the cute furry kitten and it is kittens!
0:18:29 > 0:18:32One of the scary things is if I know your e-mail address,
0:18:33 > 0:18:35I can actually change the passwords for your e-mail address and then
0:18:36 > 0:18:37immediately log into your e-mail account, so I can effectively
0:18:38 > 0:18:40hijack your account and take full control of it.
0:18:41 > 0:18:45I can effectively almost wire-tap the device and see everything that
0:18:46 > 0:18:49Alerting a company quickly that they have a security problem
0:18:50 > 0:18:51is best practice for ethical hackers.
0:18:52 > 0:18:53So Scott sends an e-mail to warn Nomx its users
0:18:54 > 0:18:57Right, so it's not absolutely secure then?
0:18:58 > 0:19:07They say Scott's hack is a proof of concept.
0:19:08 > 0:19:13Well, Scott says it is a proof of concept.
0:19:14 > 0:19:15That's the only hole, they haven't actually
0:19:16 > 0:19:18The idea of ethical hacking, white hacking, is to tell
0:19:19 > 0:19:21the company first that they can do something about it.
0:19:22 > 0:19:25Scott's given them 30 days to sort this out,
0:19:26 > 0:19:28before he says he will publish the details of the hack.
0:19:29 > 0:19:31But Nomx has no way of updating its boxes,
0:19:32 > 0:19:33so how can it possibly patch this problem?
0:19:34 > 0:19:4130 days are up and Scott is ready to publish his findings.
0:19:42 > 0:19:44Nomx have told him that they have notified 100% of their users
0:19:45 > 0:19:48and updated or upgraded any devices that could be affected by the hack.
0:19:49 > 0:19:50I have two of the devices in my possession.
0:19:51 > 0:19:54Neither of which have been updated and I also can't find a way
0:19:55 > 0:20:03And in fairness, we have a box on Click, and we have not had any
0:20:04 > 0:20:05notification of any problem with the box either.
0:20:06 > 0:20:12Nomx also told Scott they have requested users not browse web-sites
0:20:13 > 0:20:21So you as a user are responsible for behaving in a particular way
0:20:22 > 0:20:25That's not really fair on the end user.
0:20:26 > 0:20:27To show good will, Scott held off publishing the attack
0:20:28 > 0:20:37We got in contact with Nomx to say, look, we are filming with Scott
0:20:38 > 0:20:40and we need some answers if you wouldn't mind.
0:20:41 > 0:20:43We gave them an opportunity to be interviewed.
0:20:44 > 0:20:51But they did send us some responses to some of our questions.
0:20:52 > 0:20:54One of which yesterday, the CEO told me, Nomx security claims
0:20:55 > 0:20:57don't apply if your home network has been breached.
0:20:58 > 0:21:00Now that's the kittens thing on the browser,
0:21:01 > 0:21:02if somebody clicks on that you're infected and basically
0:21:03 > 0:21:05Will Donaldson is saying that is nothing to do with us,
0:21:06 > 0:21:14Well, that's a bit like saying if everything else in your home
0:21:15 > 0:21:16is insecure, then we're insecure too.
0:21:17 > 0:21:24So the box doesn't add anything to the weakest link
0:21:25 > 0:21:27in your home, and that is I would say at odds
0:21:28 > 0:21:29with what they're saying on their web-site.
0:21:30 > 0:21:32Now, Will told me that no boxes have been compromised again.
0:21:33 > 0:21:36He said, well we've asked some of our users.
0:21:37 > 0:21:40And we have learned today that Will is removing the devices
0:21:41 > 0:21:43from his web-site and he won't be selling them any more,
0:21:44 > 0:21:46he won't be shipping them, in their current form,
0:21:47 > 0:21:51He is going to wait for a hardware upgrade and then start again.
0:21:52 > 0:21:55Although we have been on his web-site today and he looks
0:21:56 > 0:22:05Now, he also says that all the major e-mail providers have been hacked
0:22:06 > 0:22:07in the past and actually still Nomx hasn't.
0:22:08 > 0:22:15Alan, we don't know whether there are tens,
0:22:16 > 0:22:17hundreds or thousands of these boxes out there.
0:22:18 > 0:22:24But what does this tell us about the wider security industry?
0:22:25 > 0:22:27It raises that wider concern that anybody can make claims,
0:22:28 > 0:22:30they can put a product out there and make claims,
0:22:31 > 0:22:32even if they're really bold claims like this,
0:22:33 > 0:22:36absolute security, that nobody's checking it.
0:22:37 > 0:22:39There is no gold standard against which you can
0:22:40 > 0:22:50To be fair, do you think this idea of end-to-end
0:22:51 > 0:22:54Yes, you could make it work, but as is so often the case
0:22:55 > 0:22:57with security, the thing that really lets this down is the way
0:22:58 > 0:23:01So Scott, you are about to release details of your hack?
0:23:02 > 0:23:12And this is not anything special that Scott's doing for us.
0:23:13 > 0:23:14This is part of his ethical hacking procedure.
0:23:15 > 0:23:19Yeah, the company's told us that they have notified
0:23:20 > 0:23:28There is an update or replacement device available to fix this,
0:23:29 > 0:23:30so no users are at risk any more.
0:23:31 > 0:23:35I was kind of expecting a noise or something.
0:23:36 > 0:23:44What would you say to anyone who owns one of these Nomx boxes?
0:23:45 > 0:23:47If you have one, I would stop using it and repurpose the device.
0:23:48 > 0:24:03I would not use it or recommend using it.
0:23:04 > 0:23:05Scott, Alan, thank you for your time.
0:24:06 > 0:24:07My friend I'm sorry, you're out of here!
0:24:08 > 0:24:12Normal service is resumed next week and if you want more details,
0:24:13 > 0:24:16including a link to Scott's blog, then check us out on Twitter at BBC
0:24:17 > 0:24:19If you can't stay absolutely secure, then try and stay safe.
0:24:20 > 0:24:26Thanks for watching and we will see you soon.