Click investigates a company claiming to offer 'absolute security' and discovers all is not what it seems.
Browse content similar to 29/04/2017. Check below for episodes and series from the same categories and more!
Finally there is a box which is immune
Over the last few years, billions of e-mail accounts
Last year, Yahoo announced that over 1.5 billion e-mail accounts
were compromised between 2013 and 2014, the largest
Then it emerged that Russian hackers had gained access to 60,000 e-mails
from Hillary Clinton's presidential campaign.
Some believe the resulting leaks helped swing the election for Trump.
is something most of us already knew,
we send, each of us, all the time, hugely personal information
Information that we'd like to keep private,
but others are all too often able to see.
So how about something that guarantees to protect
Sounds like something you want to have, doesn't it?
Well, this is Nomx, a box which promises
It was at CES that we came across this device as it was introduced
I met the boss, Will Donaldson, who has impressive security
He's worked in computer security and worked on web applications
for the Pentagon, the Marine Corps and he was Chief Technology Officer
for the F35 joint strike fighter communications facility.
So does he think is wrong with bog standard e-mail?
Well, the Nomx promotional videos explain the problem.
When you send an e-mail, copies of the message end up
on several internet servers along the way.
Will says all of the recent big e-mail hacks have involved one
of these servers being compromised and what's more
So those vulnerabilities, we have identified six core ones
that encompass 100% of hacks that have occurred to date.
Will's solution is a $199 box that acts as your own
It'll talk to other e-mail services, but where it comes
into its own is when it connects directly to another Nomx box
at the other end, the pair of them replacing the cloud servers
that your message would usually flow through.
That means no copies are stored anywhere
The idea has caught the imagination of some in the security industry,
who've called it a "personal cloud on steroids" and Will himself has
become a bit of a star, being interviewed on US national
television and elsewhere in the media as a security guru.
So what you're pitching here is that you can make a black
box, that black box there, that is more secure
than a multibillion dollar company's servers?
It's been proved they're vulnerable, my question is to you is,
you're not a multibillion dollar company.
Not yet. Not yet.
Why should I believe that your security is any better
than theirs and why should I believe that there are no vulnerabilities
that you have accidentally left in your box?
What we've done is identify the categories of those
vulnerabilities and all of the hacks have occurred have been
By removing them from the equation, we have now negated them
So the theory sounds a good one - avoid making multiple copies
of your messages across potentially vulnerable servers on the internet.
You just have to rely on the Nomx boxes themselves not
You all know this man, Dan Simmons, one of Click's most experienced
reporters and famously, if someone says something
is unbreakable, you try and break it?
Well look, on this programme we look at new things and we are as excited
as anybody to see them, but sometimes just sometimes,
something seems a little bit too good to be true and absolute
security, I've never heard anyone in the cyber security industry
promise that, but that is exactly what this company are doing.
So to prove a point, you're going to try and hack this box?
I think I've found somebody who may be able
Scott Helm is one of the UK's most respected professional white hat
He's helped discover some big security flaws in the past,
including hacking home routers and electric cars.
Scott's had the Nomx box in his hands for just a few minutes
Hey, Scott. How's it going?
How'd you get on? Good, yes.
I have had a look over this device and I was quite surprised
So when I flipped it over, we saw what we call the Mac address
here, which is the device's unique identifier and these first three
segments identify the manufacturer, that tells you who builds
So I went away and I looked these up and they're actually registered
to the Raspberry Pi Foundation that make the Raspberry Pi computer.
That's the hobbyists' computer we've seen on Click.
The credit-sized device. But Nomx is the manufacturer?
So what I did, I went ahead and opened this up
Is there is in fact a Raspberry Pi inside this, which is white
There's nothing else they have done with this that we can see inside.
That is just a standard ?35 Raspberry Pi.
But what does that say to you when as a security guy
I guess, there are further things to be found here that
I've also asked Professor Alan Woodward, a well-known cyber
security expert, who's advised the UK Government and Europol
to take a look at the Nomx box to see how it works.
Well, already through the set up process, there is a few things
for a product that bills itself as being absolutely secure,
there's a few things that we found that give rise for concern.
And we certainly want to look a bit further into it.
Just plugging it in has sent alarm bells ringing for Alan.
The set up of the device is through a web application that
Now, that is a key port on his router he will need
to communicate with popular e-mail servers like Gmail
It's never going to receive e-mail from an external service.
Unless you know to go to your router and change port 25.
No, it doesn't, the documentation doesn't have it in there.
It tells you all these other ports, but not port 25.
So you're having a quiet life for a few years to come receiving no
Hotmail instantly knows that you're sending it
It's what's called a dynamic address, because it changes.
Every time you turn your router on you get a new one.
It spots that and says, we don't accept e-mails
Because they just assume nobody's going to be running an e-mail server
So this box can't send an e-mail to Hotmail?
To any Hotmail address? No.
And if you try and send it to something like Gmail,
then what happens is, because of things like the the way
Hotmail spots it, as you will see there,
Spam House, which is one of biggest spam filters,
Now, to be fair, Nomx doesn't open port 25,
But as we've seen, without 25 open, it's going to be
difficult to hear from the rest of the world.
Well, bearing in mind it has one job to do,
which is be an e-mail server, that's a pretty poor show.
And there were more surprises to come when Alan opened the box.
One of the simplest machines to break into is a Raspberry Pi.
Everything is on this one little card.
It is on one of these tiny little cards.
So all of your e-mails, all of your software,
everything is running on one of these tiny little cards.
Now, actually, if somebody did have physical access to this
what they could do is they could whip that card out,
copy it, put the card back in, put it all back together
and you'd be none the wiser and they have got a copy
of everything, including your e-mail.
Because one of the things about this is it's not encrypted in any way
This is not using any encryption? For storage, none at all.
And what we did was, you said the simplest thing to do,
because it is a complete Raspberry Pi, the simplest thing
to do was actually plug it into a monitor and see what came up.
HDMI cable. Here we go.
The first concern would be if it is actually running
Raspberry Pi as an operating system, which it is, it immediately tells
Postfix is the mail transport agent, that is part of the mail server.
It was just all totally standard stuff.
So how old is the software on there at the moment?
Well, that's another thing that we found,
In that it's so old we couldn't actually get hold of some
It's running Raspberry Pi's own operating system.
It's a version called Wizi, which you can no longer download
They have taken it off because they don't want people
Likewise all this Postfixed admin, there is another another piece
of software called Dovecot, all of which are free bits
of software, but some of it dates back to 2009.
It's inevitable that people will find bugs,
flaws, in any bit of software and what people do is they release
The problem with the way this is put together is there is no way
There is a whole series of things about the way this is put together
that make you think, absolute security is...
A stretch I think is the best way to put it.
Now, it is important to say at this point,
there is nothing wrong with the hardware or the software
that you're talking about per se, Raspberry Pi is fine,
the software used, Postfix, Admin, is just a piece
Yes, I mean the Raspberry Pi is a great bit of kit and Postfix,
as in the other programmes we have looked at, they do the job,
if you've got the latest versions of them.
They're still selling this box right now as a finished product?
It was being sold when you were testing it?
Absolutely, and as we're filming it is today.
OK, you've studied the box, what next?
Well, surprise, surprise, Scott thinks he can hack it.
So I thought, yeah, OK, fair enough, go ahead and we'll film it.
So to start with, we decided to get a second box in,
just to make sure this wasn't a prototype or there was anything
dodgy with it and that came along in the post.
Right, got a letter in the post from Nomx to say, Dear Dan,
as per your request I have enclosed another device for you to use
See what you make of it. Let's see.
So, we appear to have some instructions in this one.
Yes, the original device. They do appear, it appears the same.
So that, if it is the same, it is not going to be a prototype.
Yeah, so this is what we are looking for are the additional ones they're
Looking at the Mac on the bottom, it appears to be a Raspberry Pi
The hardware's identical, so Scott's using a programme called
Meld to check if the software is the same too.
It's showing us that they're virtually identical with a couple
of minor changes that don't change the operation of the box.
They're actually using the same user name and password on all devices,
which is printed just there in the manual.
So this is Admin and example.com and the password is "password".
Obviously they do? No.
It's not in the instructions and when I log into the device it
So all these high security boxes have the same admin
Yes. Which is password.
You cannot have a weak password and a default password,
and this is both, and leave it on the device.
You should force the user to set their own password so that
every device in the world has a unique password.
Because otherwise, because we'relazy, aren't we?
We would just leave that as password, because I'll remember it.
You have one of these at home, it is just a normal router.
This is 7F7F, a PIN on here that's unique to this device.
Here's another device that I might plug in.
You pick up one of these Nomx boxes, there is no PIN on here,
apart from the security through the web server,
And knowing that, has opened a door for Scott to deliver a package
If users haven't changed their password, then Scott's
malicious software will hand him control of their e-mails.
So this the picture of the cat, there is the picture of Steve Jobs
and those two things go in to this page.
All he's got to do now is to persuade unsuspecting users
Completely unrelated, I'm going to show you this funny
Top ten funniest pictures of your pet.
And what I'm going to do now is I'm going to go back to the Nomx device.
And if I scroll down, how many e-mail addresses
That one was placed there by the web-site with the pictures
of cats and dogs on that we just looked at.
But what this actually does is launch something called a
Now when I visit this web-site, while I'm reading this article,
I can do anything that I want on your Nomx device,
We then went back and looked at these older versions
of the software and this this is a fault that's been record
So they have in fact not just Nomx, but everyone's known about this.
Now, remember Nomx claim to have the world's most secure
protocol, offering absolute security and they even take issue
with with services like Gmail and Microsoft, saying everything
But we've just discovered how to hack these boxes
The things I found are in the OS top ten, they are and have been at one
time the most common vulnerabilities found in the web.
When you teach people how to develop web applications,
you say, these are the things you need to check for and it's
the top ten things you tell them to look for.
Yeah, for a company that's making claims about absolute security,
then they should have been aware of the the OS top ten and run that
I can't see how they can patch it and protect their consumers.
I can't see how they can look after the people that have been put
at risk and currently are at risk and always have been at risk.
I can't see how they can protect those people,
other than telling them to unplug the device and stop using it.
Now it's worth saying that users who had changed their admin password
wouldn't have been quite as vulnerable to this attack.
So Scott wanted to go further and found this key lying around
in the code - an identical key on both Nomx boxes.
These innocuous looking two lines are the master password
It shouldn't be in full view when analysing the code on the box,
Now, it looks like gobbledegook, because this is the master password
Scott's got some - shall we say - resourceful friends,
but the fact the master password is a five-letter word all in lower
A simple dictionary attack took less than ten minutes to decode
it, and now Scott has the keys to the castle.
It doesn't matter now if users have changed their admin passwords
from password, they just need to click on the kittens.
You don't have to visit this malicious web-site on the machine
that you're administering the box with.
It just needs to be another machine that's on the the same network
So your teenage daughter, for example, or anyone else,
granny or whatever, could get this message,
click on the cute furry kitten and it is kittens!
One of the scary things is if I know your e-mail address,
I can actually change the passwords for your e-mail address and then
immediately log into your e-mail account, so I can effectively
hijack your account and take full control of it.
I can effectively almost wire-tap the device and see everything that
Alerting a company quickly that they have a security problem
is best practice for ethical hackers.
So Scott sends an e-mail to warn Nomx its users
Right, so it's not absolutely secure then?
They say Scott's hack is a proof of concept.
Well, Scott says it is a proof of concept.
That's the only hole, they haven't actually
The idea of ethical hacking, white hacking, is to tell
the company first that they can do something about it.
Scott's given them 30 days to sort this out,
before he says he will publish the details of the hack.
But Nomx has no way of updating its boxes,
so how can it possibly patch this problem?
30 days are up and Scott is ready to publish his findings.
Nomx have told him that they have notified 100% of their users
and updated or upgraded any devices that could be affected by the hack.
I have two of the devices in my possession.
Neither of which have been updated and I also can't find a way
And in fairness, we have a box on Click, and we have not had any
notification of any problem with the box either.
Nomx also told Scott they have requested users not browse web-sites
So you as a user are responsible for behaving in a particular way
That's not really fair on the end user.
To show good will, Scott held off publishing the attack
We got in contact with Nomx to say, look, we are filming with Scott
and we need some answers if you wouldn't mind.
We gave them an opportunity to be interviewed.
But they did send us some responses to some of our questions.
One of which yesterday, the CO told me, Nomx security claims
don't apply in you're home network has been breached.
Now that's the kittens thing on the browser,
if somebody clicks on that you're infected and basically
Will Donaldson is saying that is nothing to do with us,
Well, that's a bit like saying if everything else in your home
is insecure, then we're insecure too.
So the box doesn't add anything to the weakest link
in your home, and that is I would say at odds
with what they're saying on their web-site.
Now, Will told me that no boxes have been compromised again.
He said, well we've asked some of our users.
And we have learned today that Will is removing the devices
from his web-site and he won't be selling them any more,
he won't be shipping them, in their current form,
He is going to wait for a hardware upgrade and then start again.
Although we have been on his web-site today and he looks
Now, he also says that all the major e-mail providers have been hacked
in the past and actually still Nomx hasn't.
Alan, we don't know whether there are tens,
hundreds or thousands of these boxes out there.
But what does this tell us about the wider security industry?
It raises that wider concern that anybody can make claims,
they can put a product out there and make claims,
even if they're really bold claims like this,
absolute security, that nobody's checking it.
There no is gold standard against which you can
To be fair, do you think this idea of end-to-end
Yes, you could make it work, but as is so often the case
with security, the thing that really lets this down is the way
So Scott, you are about to release details of your hack?
And this is not anything special that Scott's doing for us.
This is part of his ethical hacking procedure.
Yeah, the company's told us that they have notified
There is an update or replacement device available to fix this,
so no users are at risk any more.
I was kind of expecting a noise or something.
What would you say to anyone who owns one of these Nomx boxes?
If you have one, I would stop using it and repurpose the device.
I would not use it or recommend using it.
Scott, Alan, thank you for four time.
My friend I'm sorry, you're out of here!
Normal service is resumed next week and if you want more details,
including a link to Scott's blog, then check us out on Twitter at BBC
If you can't stay absolutely secure, then try and stay safe.
Thanks for watching and we will see you soon.