29/04/2017 Click



Click investigates a company claiming to offer 'absolute security' and discovers all is not what it seems.



Transcript


[From - To] Line

[0:00:04 - 0:00:13] Finally there is a box which is immune
[0:00:14 - 0:00:49] Over the last few years, billions of e-mail accounts
[0:00:50 - 0:01:00] Last year, Yahoo announced that over 1.5 billion e-mail accounts
[0:01:01 - 0:01:02] were compromised between 2013 and 2014, the largest
[0:01:03 - 0:01:10] Then it emerged that Russian hackers had gained access to 60,000 e-mails
[0:01:11 - 0:01:14] from Hillary Clinton's presidential campaign.
[0:01:15 - 0:01:23] Some believe the resulting leaks helped swing the election for Trump.
[0:01:24 - 0:01:27] is something most of us already knew,
[0:01:28 - 0:01:30] we send, each of us, all the time, hugely personal information
[0:01:31 - 0:01:34] Information that we'd like to keep private,
[0:01:35 - 0:01:36] but others are all too often able to see.
[0:01:37 - 0:01:38] So how about something that guarantees to protect
[0:01:39 - 0:01:44] Sounds like something you want to have, doesn't it?
[0:01:45 - 0:01:46] Well, this is Nomx, a box which promises
[0:01:47 - 0:01:58] It was at CES that we came across this device as it was introduced
[0:01:59 - 0:02:03] I met the boss, Will Donaldson, who has impressive security
[0:02:04 - 0:02:08] He's worked in computer security and worked on web applications
[0:02:09 - 0:02:15] for the Pentagon, the Marine Corps and he was Chief Technology Officer
[0:02:16 - 0:02:17] for the F35 joint strike fighter communications facility.
[0:02:18 - 0:02:24] So what does he think is wrong with bog-standard e-mail?
[0:02:25 - 0:02:26] Well, the Nomx promotional videos explain the problem.
[0:02:27 - 0:02:29] When you send an e-mail, copies of the message end up
[0:02:30 - 0:02:33] on several internet servers along the way.
[0:02:34 - 0:02:36] Will says all of the recent big e-mail hacks have involved one
[0:02:37 - 0:02:38] of these servers being compromised and what's more
[0:02:39 - 0:02:45] So those vulnerabilities, we have identified six core ones
[0:02:46 - 0:02:51] that encompass 100% of hacks that have occurred to date.
[0:02:52 - 0:02:54] Will's solution is a $199 box that acts as your own
[0:02:55 - 0:03:02] It'll talk to other e-mail services, but where it comes
[0:03:03 - 0:03:06] into its own is when it connects directly to another Nomx box
[0:03:07 - 0:03:14] at the other end, the pair of them replacing the cloud servers
[0:03:15 - 0:03:17] that your message would usually flow through.
[0:03:18 - 0:03:18] That means no copies are stored anywhere
[0:03:19 - 0:03:28] The idea has caught the imagination of some in the security industry,
[0:03:29 - 0:03:31] who've called it a "personal cloud on steroids" and Will himself has
[0:03:32 - 0:03:35] become a bit of a star, being interviewed on US national
[0:03:36 - 0:03:43] television and elsewhere in the media as a security guru.
[0:03:44 - 0:03:46] So what you're pitching here is that you can make a black
[0:03:47 - 0:03:49] box, that black box there, that is more secure
[0:03:50 - 0:03:50] than a multibillion dollar company's servers?
[0:03:51 - 0:03:58] It's been proved they're vulnerable, my question to you is,
[0:03:59 - 0:03:59] you're not a multibillion dollar company.
[0:04:00 - 0:04:00] Not yet. Not yet.
[0:04:01 - 0:04:03] Why should I believe that your security is any better
[0:04:04 - 0:04:06] than theirs and why should I believe that there are no vulnerabilities
[0:04:07 - 0:04:09] that you have accidentally left in your box?
[0:04:10 - 0:04:12] What we've done is identify the categories of those
[0:04:13 - 0:04:15] vulnerabilities and all of the hacks that have occurred have been
[0:04:16 - 0:04:19] By removing them from the equation, we have now negated them
[0:04:20 - 0:04:24] So the theory sounds a good one - avoid making multiple copies
[0:04:25 - 0:04:28] of your messages across potentially vulnerable servers on the internet.
[0:04:29 - 0:04:31] You just have to rely on the Nomx boxes themselves not
[0:04:32 - 0:04:38] You all know this man, Dan Simmons, one of Click's most experienced
[0:04:39 - 0:04:40] reporters and famously, if someone says something
[0:04:41 - 0:04:42] is unbreakable, you try and break it?
[0:04:43 - 0:04:48] Well look, on this programme we look at new things and we are as excited
[0:04:49 - 0:04:54] as anybody to see them, but sometimes, just sometimes,
[0:04:55 - 0:04:57] something seems a little bit too good to be true and absolute
[0:04:58 - 0:05:00] security, I've never heard anyone in the cyber security industry
[0:05:01 - 0:05:03] promise that, but that is exactly what this company are doing.
[0:05:04 - 0:05:07] So to prove a point, you're going to try and hack this box?

[0:05:08 - 0:05:11] I think I've found somebody who may be able
[0:05:12 - 0:05:18] Scott Helme is one of the UK's most respected professional white hat
[0:05:19 - 0:05:24] He's helped discover some big security flaws in the past,
[0:05:25 - 0:05:28] including hacking home routers and electric cars.
[0:05:29 - 0:05:35] Scott's had the Nomx box in his hands for just a few minutes
[0:05:36 - 0:05:40] Hey, Scott. How's it going?
[0:05:41 - 0:05:42] How'd you get on? Good, yes.
[0:05:43 - 0:05:46] I have had a look over this device and I was quite surprised
[0:05:47 - 0:05:51] So when I flipped it over, we saw what we call the MAC address
[0:05:52 - 0:05:54] here, which is the device's unique identifier and these first three
[0:05:55 - 0:05:56] segments identify the manufacturer, that tells you who builds
[0:05:57 - 0:06:00] So I went away and I looked these up and they're actually registered
[0:06:01 - 0:06:04] to the Raspberry Pi Foundation that make the Raspberry Pi computer.
[0:06:05 - 0:06:06] That's the hobbyists' computer we've seen on Click.
[0:06:07 - 0:06:08] The credit-card-sized device. But Nomx is the manufacturer?
[0:06:09 - 0:06:11] So what I did, I went ahead and opened this up
[0:06:12 - 0:06:20] There is in fact a Raspberry Pi inside this, which is white
[0:06:21 - 0:06:25] There's nothing else they have done with this that we can see inside.
[0:06:26 - 0:06:27] That is just a standard £35 Raspberry Pi.
[0:06:28 - 0:06:33] But what does that say to you when, as a security guy
[0:06:34 - 0:06:37] I guess, there are further things to be found here that
[0:06:38 - 0:06:42] I've also asked Professor Alan Woodward, a well-known cyber
[0:06:43 - 0:06:44] security expert, who's advised the UK Government and Europol
[0:06:45 - 0:06:48] to take a look at the Nomx box to see how it works.
[0:06:49 - 0:06:53] Well, already through the set up process, there are a few things
[0:06:54 - 0:06:58] for a product that bills itself as being absolutely secure,
[0:06:59 - 0:07:01] there are a few things that we found that give rise to concern.
[0:07:02 - 0:07:06] And we certainly want to look a bit further into it.
[0:07:07 - 0:07:09] Just plugging it in has sent alarm bells ringing for Alan.
[0:07:10 - 0:07:12] The set up of the device is through a web application that
[0:07:13 - 0:07:21] Now, that is a key port on his router he will need
[0:07:22 - 0:07:23] to communicate with popular e-mail servers like Gmail
[0:07:24 - 0:07:27] It's never going to receive e-mail from an external service.
[0:07:28 - 0:07:32] Unless you know to go to your router and change port 25.
[0:07:33 - 0:07:37] No, it doesn't, the documentation doesn't have it in there.
[0:07:38 - 0:07:40] It tells you all these other ports, but not port 25.
[0:07:41 - 0:07:44] So you're having a quiet life for a few years to come receiving no
[0:07:45 - 0:07:47] Hotmail instantly knows that you're sending it
[0:07:48 - 0:07:53] It's what's called a dynamic address, because it changes.
[0:07:54 - 0:07:57] Every time you turn your router on you get a new one.
[0:07:58 - 0:08:00] It spots that and says, we don't accept e-mails
[0:08:01 - 0:08:04] Because they just assume nobody's going to be running an e-mail server
[0:08:05 - 0:08:08] So this box can't send an e-mail to Hotmail?
[0:08:09 - 0:08:13] To any Hotmail address? No.
[0:08:14 - 0:08:17] And if you try and send it to something like Gmail,
[0:08:18 - 0:08:22] then what happens is, because of things like the way
[0:08:23 - 0:08:24] Hotmail spots it, as you will see there,
[0:08:25 - 0:08:31] Spamhaus, which is one of the biggest spam filters,
[0:08:32 - 0:08:38] Now, to be fair, Nomx doesn't open port 25,
[0:08:39 - 0:08:42] But as we've seen, without 25 open, it's going to be
[0:08:43 - 0:08:44] difficult to hear from the rest of the world.
[0:08:45 - 0:08:47] Well, bearing in mind it has one job to do,
[0:08:48 - 0:08:51] which is be an e-mail server, that's a pretty poor show.
[0:08:52 - 0:08:54] And there were more surprises to come when Alan opened the box.
[0:08:55 - 0:08:58] One of the simplest machines to break into is a Raspberry Pi.
[0:08:59 - 0:09:04] Everything is on this one little card.
[0:09:05 - 0:09:06] It is on one of these tiny little cards.
[0:09:07 - 0:09:11] So all of your e-mails, all of your software,
[0:09:12 - 0:09:14] everything is running on one of these tiny little cards.
[0:09:15 - 0:09:17] Now, actually, if somebody did have physical access to this
[0:09:18 - 0:09:20] what they could do is they could whip that card out,
[0:09:21 - 0:09:23] copy it, put the card back in, put it all back together
[0:09:24 - 0:09:26] and you'd be none the wiser and they have got a copy
[0:09:27 - 0:09:27] of everything, including your e-mail.
[0:09:28 - 0:09:31] Because one of the things about this is it's not encrypted in any way
[0:09:32 - 0:09:35] This is not using any encryption? For storage, none at all.
[0:09:36 - 0:09:38] And what we did was, you said the simplest thing to do,
[0:09:39 - 0:09:41] because it is a complete Raspberry Pi, the simplest thing
[0:09:42 - 0:09:45] to do was actually plug it into a monitor and see what came up.
[0:09:46 - 0:09:48] HDMI cable. Here we go.

[0:09:49 - 0:09:50] The first concern would be if it is actually running
[0:09:51 - 0:09:53] Raspberry Pi as an operating system, which it is, it immediately tells
[0:09:54 - 0:09:58] Postfix is the mail transport agent, that is part of the mail server.
[0:09:59 - 0:10:02] It was just all totally standard stuff.
[0:10:03 - 0:10:04] So how old is the software on there at the moment?
[0:10:05 - 0:10:06] Well, that's another thing that we found,
[0:10:07 - 0:10:12] In that it's so old we couldn't actually get hold of some
[0:10:13 - 0:10:15] It's running Raspberry Pi's own operating system.
[0:10:16 - 0:10:18] It's a version called Wheezy, which you can no longer download
[0:10:19 - 0:10:22] They have taken it off because they don't want people
[0:10:23 - 0:10:28] Likewise all this Postfix Admin, there is another piece
[0:10:29 - 0:10:31] of software called Dovecot, all of which are free bits
[0:10:32 - 0:10:34] of software, but some of it dates back to 2009.
[0:10:35 - 0:10:36] It's inevitable that people will find bugs,
[0:10:37 - 0:10:39] flaws, in any bit of software and what people do is they release
[0:10:40 - 0:10:52] The problem with the way this is put together is there is no way
[0:10:53 - 0:10:56] There is a whole series of things about the way this is put together
[0:10:57 - 0:10:58] that make you think, absolute security is...
[0:10:59 - 0:11:01] A stretch I think is the best way to put it.
[0:11:02 - 0:11:04] Now, it is important to say at this point,
[0:11:05 - 0:11:07] there is nothing wrong with the hardware or the software
[0:11:08 - 0:11:10] that you're talking about per se, Raspberry Pi is fine,
[0:11:11 - 0:11:12] the software used, Postfix Admin, is just a piece
[0:11:13 - 0:11:17] Yes, I mean the Raspberry Pi is a great bit of kit and Postfix,
[0:11:18 - 0:11:20] as in the other programmes we have looked at, they do the job,
[0:11:21 - 0:11:22] if you've got the latest versions of them.
[0:11:23 - 0:11:29] They're still selling this box right now as a finished product?
[0:11:30 - 0:11:31] It was being sold when you were testing it?
[0:11:32 - 0:11:34] Absolutely, and as we're filming it is today.
[0:11:35 - 0:11:35] OK, you've studied the box, what next?
[0:11:36 - 0:11:38] Well, surprise, surprise, Scott thinks he can hack it.
[0:11:39 - 0:11:41] So I thought, yeah, OK, fair enough, go ahead and we'll film it.
[0:11:42 - 0:11:45] So to start with, we decided to get a second box in,
[0:11:46 - 0:11:48] just to make sure this wasn't a prototype or there was anything
[0:11:49 - 0:11:51] dodgy with it and that came along in the post.
[0:11:52 - 0:11:54] Right, got a letter in the post from Nomx to say, Dear Dan,
[0:11:55 - 0:11:58] as per your request I have enclosed another device for you to use
[0:11:59 - 0:12:04] See what you make of it. Let's see.
[0:12:05 - 0:12:13] So, we appear to have some instructions in this one.
[0:12:14 - 0:12:18] Yes, the original device. They do appear, it appears the same.
[0:12:19 - 0:12:22] So that, if it is the same, it is not going to be a prototype.
[0:12:23 - 0:12:26] Yeah, so this is what we are looking for are the additional ones they're
[0:12:27 - 0:12:30] Looking at the MAC on the bottom, it appears to be a Raspberry Pi
[0:12:31 - 0:12:34] The hardware's identical, so Scott's using a programme called
[0:12:35 - 0:12:36] Meld to check if the software is the same too.
[0:12:37 - 0:12:39] It's showing us that they're virtually identical with a couple
[0:12:40 - 0:12:42] of minor changes that don't change the operation of the box.
[0:12:43 - 0:12:45] They're actually using the same user name and password on all devices,
[0:12:46 - 0:12:50] which is printed just there in the manual.
[0:12:51 - 0:12:52] So this is admin@example.com and the password is "password".
[0:12:53 - 0:12:56] Obviously they do? No.
[0:12:57 - 0:13:01] It's not in the instructions and when I log into the device it
[0:13:02 - 0:13:06] So all these high security boxes have the same admin
[0:13:07 - 0:13:11] Yes. Which is password.
[0:13:12 - 0:13:21] You cannot have a weak password and a default password,
[0:13:22 - 0:13:24] and this is both, and leave it on the device.
[0:13:25 - 0:13:27] You should force the user to set their own password so that
[0:13:28 - 0:13:30] every device in the world has a unique password.
[0:13:31 - 0:13:31] Because otherwise, because we're lazy, aren't we?
[0:13:32 - 0:13:34] We would just leave that as password, because I'll remember it.
[0:13:35 - 0:13:41] You have one of these at home, it is just a normal router.
[0:13:42 - 0:13:44] This is 7F7F, a PIN on here that's unique to this device.
[0:13:45 - 0:13:46] Here's another device that I might plug in.
[0:13:47 - 0:13:52] You pick up one of these Nomx boxes, there is no PIN on here,
[0:13:53 - 0:13:54] apart from the security through the web server,
[0:13:55 - 0:14:08] And knowing that has opened a door for Scott to deliver a package

[0:14:09 - 0:14:11] If users haven't changed their password, then Scott's
[0:14:12 - 0:14:13] malicious software will hand him control of their e-mails.
[0:14:14 - 0:14:17] So this is the picture of the cat, there is the picture of Steve Jobs
[0:14:18 - 0:14:21] and those two things go in to this page.
[0:14:22 - 0:14:24] All he's got to do now is to persuade unsuspecting users
[0:14:25 - 0:14:32] Completely unrelated, I'm going to show you this funny
[0:14:33 - 0:14:35] Top ten funniest pictures of your pet.
[0:14:36 - 0:14:39] And what I'm going to do now is I'm going to go back to the Nomx device.
[0:14:40 - 0:14:42] And if I scroll down, how many e-mail addresses
[0:14:43 - 0:14:50] That one was placed there by the web-site with the pictures
[0:14:51 - 0:14:54] of cats and dogs on that we just looked at.
[0:14:55 - 0:14:57] But what this actually does is launch something called a
[0:14:58 - 0:15:01] Now when I visit this web-site, while I'm reading this article,
[0:15:02 - 0:15:06] I can do anything that I want on your Nomx device,
[0:15:07 - 0:15:10] We then went back and looked at these older versions
[0:15:11 - 0:15:16] of the software and this is a fault that's been recorded
[0:15:17 - 0:15:21] So they have in fact not just Nomx, but everyone's known about this.
[0:15:22 - 0:15:35] Now, remember Nomx claim to have the world's most secure
[0:15:36 - 0:15:37] protocol, offering absolute security and they even take issue
[0:15:38 - 0:15:40] with services like Gmail and Microsoft, saying everything
[0:15:41 - 0:15:48] But we've just discovered how to hack these boxes
[0:15:49 - 0:15:55] The things I found are in the OWASP Top Ten, they are and have been at one
[0:15:56 - 0:15:58] time the most common vulnerabilities found in the web.
[0:15:59 - 0:16:03] When you teach people how to develop web applications,
[0:16:04 - 0:16:06] you say, these are the things you need to check for and it's
[0:16:07 - 0:16:09] the top ten things you tell them to look for.
[0:16:10 - 0:16:17] Yeah, for a company that's making claims about absolute security,
[0:16:18 - 0:16:21] then they should have been aware of the OWASP Top Ten and run that
[0:16:22 - 0:16:32] I can't see how they can patch it and protect their consumers.
[0:16:33 - 0:16:38] I can't see how they can look after the people that have been put
[0:16:39 - 0:16:42] at risk and currently are at risk and always have been at risk.
[0:16:43 - 0:16:53] I can't see how they can protect those people,
[0:16:54 - 0:16:56] other than telling them to unplug the device and stop using it.
[0:16:57 - 0:17:00] Now it's worth saying that users who had changed their admin password
[0:17:01 - 0:17:02] wouldn't have been quite as vulnerable to this attack.
[0:17:03 - 0:17:05] So Scott wanted to go further and found this key lying around
[0:17:06 - 0:17:10] in the code - an identical key on both Nomx boxes.
[0:17:11 - 0:17:12] These innocuous looking two lines are the master password
[0:17:13 - 0:17:20] It shouldn't be in full view when analysing the code on the box,
[0:17:21 - 0:17:24] Now, it looks like gobbledegook, because this is the master password
[0:17:25 - 0:17:37] Scott's got some - shall we say - resourceful friends,
[0:17:38 - 0:17:41] but the fact the master password is a five-letter word all in lower
[0:17:42 - 0:17:56] A simple dictionary attack took less than ten minutes to decode
[0:17:57 - 0:17:58] it, and now Scott has the keys to the castle.
[0:17:59 - 0:18:01] It doesn't matter now if users have changed their admin passwords
[0:18:02 - 0:18:04] from password, they just need to click on the kittens.
[0:18:05 - 0:18:07] You don't have to visit this malicious web-site on the machine
[0:18:08 - 0:18:09] that you're administering the box with.
[0:18:10 - 0:18:12] It just needs to be another machine that's on the same network
[0:18:13 - 0:18:15] So your teenage daughter, for example, or anyone else,
[0:18:16 - 0:18:25] granny or whatever, could get this message,
[0:18:26 - 0:18:28] click on the cute furry kitten and it is kittens!
[0:18:29 - 0:18:32] One of the scary things is if I know your e-mail address,
[0:18:33 - 0:18:35] I can actually change the passwords for your e-mail address and then
[0:18:36 - 0:18:37] immediately log into your e-mail account, so I can effectively
[0:18:38 - 0:18:40] hijack your account and take full control of it.
[0:18:41 - 0:18:45] I can effectively almost wire-tap the device and see everything that
[0:18:46 - 0:18:49] Alerting a company quickly that they have a security problem
[0:18:50 - 0:18:51] is best practice for ethical hackers.
[0:18:52 - 0:18:53] So Scott sends an e-mail to warn Nomx its users
[0:18:54 - 0:18:57] Right, so it's not absolutely secure then?
[0:18:58 - 0:19:07] They say Scott's hack is a proof of concept.
[0:19:08 - 0:19:13] Well, Scott says it is a proof of concept.
[0:19:14 - 0:19:15] That's the only hole, they haven't actually
[0:19:16 - 0:19:18] The idea of ethical hacking, white hacking, is to tell
[0:19:19 - 0:19:21] the company first so that they can do something about it.
[0:19:22 - 0:19:25] Scott's given them 30 days to sort this out,
[0:19:26 - 0:19:28] before he says he will publish the details of the hack.
[0:19:29 - 0:19:31] But Nomx has no way of updating its boxes,
[0:19:32 - 0:19:33] so how can it possibly patch this problem?

[0:19:34 - 0:19:41] 30 days are up and Scott is ready to publish his findings.
[0:19:42 - 0:19:44] Nomx have told him that they have notified 100% of their users
[0:19:45 - 0:19:48] and updated or upgraded any devices that could be affected by the hack.
[0:19:49 - 0:19:50] I have two of the devices in my possession.
[0:19:51 - 0:19:54] Neither of which have been updated and I also can't find a way
[0:19:55 - 0:20:03] And in fairness, we have a box on Click, and we have not had any
[0:20:04 - 0:20:05] notification of any problem with the box either.
[0:20:06 - 0:20:12] Nomx also told Scott they have requested users not browse web-sites
[0:20:13 - 0:20:21] So you as a user are responsible for behaving in a particular way
[0:20:22 - 0:20:25] That's not really fair on the end user.
[0:20:26 - 0:20:27] To show good will, Scott held off publishing the attack
[0:20:28 - 0:20:37] We got in contact with Nomx to say, look, we are filming with Scott
[0:20:38 - 0:20:40] and we need some answers if you wouldn't mind.
[0:20:41 - 0:20:43] We gave them an opportunity to be interviewed.
[0:20:44 - 0:20:51] But they did send us some responses to some of our questions.
[0:20:52 - 0:20:54] One of which, yesterday, the CEO told me: Nomx security claims
[0:20:55 - 0:20:57] don't apply if your home network has been breached.
[0:20:58 - 0:21:00] Now that's the kittens thing on the browser,
[0:21:01 - 0:21:02] if somebody clicks on that you're infected and basically
[0:21:03 - 0:21:05] Will Donaldson is saying that is nothing to do with us,
[0:21:06 - 0:21:14] Well, that's a bit like saying if everything else in your home
[0:21:15 - 0:21:16] is insecure, then we're insecure too.
[0:21:17 - 0:21:24] So the box doesn't add anything to the weakest link
[0:21:25 - 0:21:27] in your home, and that is I would say at odds
[0:21:28 - 0:21:29] with what they're saying on their web-site.
[0:21:30 - 0:21:32] Now, Will told me that no boxes have been compromised again.
[0:21:33 - 0:21:36] He said, well we've asked some of our users.
[0:21:37 - 0:21:40] And we have learned today that Will is removing the devices
[0:21:41 - 0:21:43] from his web-site and he won't be selling them any more,
[0:21:44 - 0:21:46] he won't be shipping them, in their current form,
[0:21:47 - 0:21:51] He is going to wait for a hardware upgrade and then start again.
[0:21:52 - 0:21:55] Although we have been on his web-site today and he looks
[0:21:56 - 0:22:05] Now, he also says that all the major e-mail providers have been hacked
[0:22:06 - 0:22:07] in the past and actually still Nomx hasn't.
[0:22:08 - 0:22:15] Alan, we don't know whether there are tens,
[0:22:16 - 0:22:17] hundreds or thousands of these boxes out there.
[0:22:18 - 0:22:24] But what does this tell us about the wider security industry?
[0:22:25 - 0:22:27] It raises that wider concern that anybody can make claims,
[0:22:28 - 0:22:30] they can put a product out there and make claims,
[0:22:31 - 0:22:32] even if they're really bold claims like this,
[0:22:33 - 0:22:36] absolute security, that nobody's checking it.
[0:22:37 - 0:22:39] There is no gold standard against which you can
[0:22:40 - 0:22:50] To be fair, do you think this idea of end-to-end
[0:22:51 - 0:22:54] Yes, you could make it work, but as is so often the case
[0:22:55 - 0:22:57] with security, the thing that really lets this down is the way
[0:22:58 - 0:23:01] So Scott, you are about to release details of your hack?
[0:23:02 - 0:23:12] And this is not anything special that Scott's doing for us.
[0:23:13 - 0:23:14] This is part of his ethical hacking procedure.
[0:23:15 - 0:23:19] Yeah, the company's told us that they have notified
[0:23:20 - 0:23:28] There is an update or replacement device available to fix this,
[0:23:29 - 0:23:30] so no users are at risk any more.
[0:23:31 - 0:23:35] I was kind of expecting a noise or something.
[0:23:36 - 0:23:44] What would you say to anyone who owns one of these Nomx boxes?
[0:23:45 - 0:23:47] If you have one, I would stop using it and repurpose the device.
[0:23:48 - 0:24:03] I would not use it or recommend using it.
[0:24:04 - 0:24:05] Scott, Alan, thank you for your time.
[0:24:06 - 0:24:07] My friend, I'm sorry, you're out of here!
[0:24:08 - 0:24:12] Normal service is resumed next week and if you want more details,
[0:24:13 - 0:24:16] including a link to Scott's blog, then check us out on Twitter at BBC
[0:24:17 - 0:24:19] If you can't stay absolutely secure, then try and stay safe.
[0:24:20 - 0:24:26] Thanks for watching and we will see you soon.
