
An analysis of the Nomx secure communications device - stevekemp
https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protocol/
======
krylon
Wow. The title kind of gave away that this was going to be a fun read, but I
did not expect it to be _that_ bad.

Even if the vendor did not make those bold claims and simply sold it as a
hassle-free email appliance for home users and small businesses, it would be
borderline fraudulent. _With_ the bold claims attached it almost looks like
performance art to ridicule all the snake oil-peddlers out there.

~~~
micaksica
It's unlikely to be performance art, and if this isn't fraud it's gross
negligence. Does anyone know of any British legislation that refers to the
sale of these types of products?

~~~
BuildTheRobots
Advertising Standard Authority is likely who you want:
[https://www.asa.org.uk/](https://www.asa.org.uk/)

------
kens
I read through the patent application cited in the article [1] so I can
explain what the device is supposed to be doing.

The "secret sauce" is it can send email between two Nomx devices without using
DNS or other third party servers, avoiding DNS attacks. The handshake between
two devices sets up DNS records on each device so they can locally resolve
each other. There's a mechanism so if a device changes IP address, it informs
the other paired devices, with some sort of authentication.

So, it's not just a standard email server running on a RasPi, but does have
something new. (To be clear, I'm not defending this device, just explaining
what I learned from the patent.)

It's suspicious that the article's author didn't see any network traffic
between devices when the handshake was set up, which makes me wonder how much
of this is implemented. A couple followup experiments the author could do: a)
verify that the device doesn't do an external DNS after the handshake. b) see
if changing one device's IP address causes the other to get updated.

[1]
[https://patentscope.wipo.int/search/en/detail.jsf?docId=WO20...](https://patentscope.wipo.int/search/en/detail.jsf?docId=WO2016160957)

~~~
justinsaccount
> There's a mechanism so if a device changes IP address, it informs the other
> paired devices, with some sort of authentication.

Except there appears to be no evidence that there is such a mechanism.

and as i336_ here stressed:

"The device is designed to send TLS-encrypted mail from nomx device to nomx
device on port 26, BUT IT IS ENCRYPTING USING THE DEFAULT Postfix "snakeoil"
TLS CERTIFICATE."

------
CM30
Calling your product 'the most secure' and 'ensuring absolute privacy' should
already set off alarm bells for anyone interested in either security or
privacy. It's the kind of marketing that no one in their right mind would use
if they knew much about either.

Not surprising, this device does everything wrong and provides neither of
those things.

------
socket0
I find these kinds of stories infuriating (and just a bit frustrating).
Charlatans repackage, rebrand, and repurpose FOSS, then sell them at an
unrealistic markup to unsuspecting dupes. Anything from PABX or VoIP systems
based on Asterisk, through overly complex CMS's based on Wordpress. I'm not
sure what riles me more: consumers being ripped off by these products, or the
fact that my strengths lie in tech rather than sales.

~~~
cronjobber
The FSF has always made clear that they don't have any problem with people
selling Free Software; it's about freedom, not low low price.

(What infuriates me about this story is that it reminds me of how far
companies like Google have destroyed Mail as a protocol usable without their
intermediation. Use Googlemail or get your mails spam-binned.)

~~~
woah
It's a broken federated system with a huge DOS vulnerability (spam). That's
not Google's fault.

~~~
cronjobber
Is the "solution" of pushing everybody onto a handful of centralized platforms
entirely dictated by the nature of the problem?

~~~
Kalium
Of course not! A decentralized, federated solution where everyone running a
service takes responsibility for their service and ensures high standards are
adhered to is preferable, desirable, and possible.

So preferable, in fact, that professionals have tried! Extensively,
exhaustively, and at great length. New standards have been devised. New
protocols designed. Newer, more clever ideas pioneered and deployed.

Several decades of trying that approach with results being somewhat below what
could be hoped for led users and administrators alike to look for
alternatives.

The nature of the problem at hand is that in a highly decentralized system
where the cost of use is borne by the receiver and breaking backwards
compatibility isn't acceptable, it is extremely difficult to stem abuse.
Measures that could stop or diminish abuse will not be taken by abusers, and
the need to preserve backwards compatibility prevents cutting off both them
and legitimate users on less modern services.

It's a shit scenario. _It didn 't have to be this way!_ Yet, there don't seem
to be other options on offer that deliver equivalent or better benefits for
equivalent or better costs in time and treasure.

------
griffinmb
Their response (on their homepage) is awful:
[http://nomx.com/](http://nomx.com/)

"nomx Passes Security Tests After Blogger Claims to Have Penetrated nomx

\- UK blogger makes false claims he can access nomx remotely

\- UK blogger fails to access nomx remotely"

~~~
tankenmate
Three sentences into "Security testing" section and you have to wonder if they
have ever heard of an evil maid attack. Along with outdated kernels that have
remote execution bugs, CSRF / XSS bugs, outdated versions of PHP, etc. You
really have to wonder if they have any real world security knowledge or
skills.

~~~
lloeki
> You really have to wonder if they have any real world security knowledge or
> skills.

I wouldn't even be the least surprised if they turned out to be genuinely
honest and convinced about their own skill.

I've talked to a guy that could tell you right in the eye that a HTTP
redirection never hits the UA and goes straight to the second server so it's
safe to pass plain credentials in there.

Another one goes out of its way to (please follow through) derive an
AES256-CBC key from a user's password using PBKDF2, said key that ends up
being sent over HTTP(not S) _right along with_ the encrypted payload that
turns out to include said password, but we're safe because that goldberguesque
non-encryption is base64-encoded as a second layer. In a flash of foresight,
as additional defense in depth, within that encryption the password is
actually hashed by the client using plain SHA256, sent on the wire and
compared as is with the db record. Please note the irony of using PBKDF2
nearby for the noop key. Well, when viewed as a whole the thing is ironic on
so many levels and whatever the angle you look at it that at some point you
have to convince yourself this is just an elaborate joke to keep any manner
and composure.

Some people just don't _get_ security. Or logic. Or computers. Yet they're
being trusted into writing software and building systems, sometimes critical
ones, sometimes _medical_ ones. That, defies the mind.

------
simias
I don't understand the point of this, even if it worked correctly.

If I understand correctly what it does is create some kind of secure tunnel
between two nomx devices if you tell it to. But doesn't starttls do that
already if you configure your mail server that way? And it already just works
with any compliant email server?

So unless I'm missing something there's absolutely no doubt in my mind that
this is a scam. Kudos to the author for bothering to find flaws in the admin
interface but honestly at this point I'd just have reflashed the raspberry pi
and used it as a media center.

Even the first picture with the case open is already a huge red flag, not
because of the raspberry pi but because of the botched glue gun job.

~~~
doubleplusgood
The software side looks like someone just executed an ancient Postfix +
Squirrelmail + Dovecot tutorial[0] and cobbled together a horrible UI for it.

[0]: [https://www.exratione.com/2012/05/a-mailserver-on-
ubuntu-120...](https://www.exratione.com/2012/05/a-mailserver-on-
ubuntu-1204-postfix-dovecot-mysql/)

~~~
uxp
Is it squirrelmail, or just IMAP(s)/POP3(s)?

I guess, at least it isn't running it in conjunction with sendmail
[https://threatpost.com/no-fix-for-squirrelmail-remote-
code-e...](https://threatpost.com/no-fix-for-squirrelmail-remote-code-
execution-vulnerability/125151/)

------
VMG
> The only good thing I can say about this product is that it does not create
> an MX record for your domain, upholding the "no MX" in the name.

Haha

------
timthelion
The real story here, is that if you try to set up your mail server so that you
can send mail to a microsoft email server such as live or hotmail, you
eventually end up here where they ask for a bribe:
[https://returnpath.com/solutions/email-deliverability-
optimi...](https://returnpath.com/solutions/email-deliverability-
optimization/ip-certification/#)

Nomx may be terrible, but it's not their fault you can't send mail to
hotmail.com

Edit: here is the price list for sending mail to hotmail.com
[https://returnpath.com/wp-content/uploads/2015/06/Return-
Pat...](https://returnpath.com/wp-content/uploads/2015/06/Return-Path-
Certification-Pricing-US.pdf)

~~~
Faaak
That's strange: I have my own hosted mail server (on a static home IP) and I
haven't had a problem with hotmail (but I've got DKIM, reverse DNS, and SPF
configured)

~~~
baobabKoodaa
Can you prove this? I've also set up DKIM, reverse DNS, and SPF, but Microsoft
places mail sent from my AWS box straight into the spam folder. Every other
email provider that I've tried has been able to receive my email correctly.
Microsoft is the only one asking for a bribe to do so.

I've even tried to contact them by phone and their support forum. On the phone
they told me that this is a "feature": all mail goes to spam folder until the
client whitelists the sending address. This is false, and on their support
forums I was told that my static IP from Amazon "is not eligible for
appeasement" or something like that.

When you look at what Microsoft has done with Skype and Windows, it's fairly
obvious that they don't care about security. Even so, I find it especially
egregious that they are offering a "pay to spam" service while at the same
time knowingly blocking legitimate email.

~~~
dylz
Are you sending from AWS SES?

You should not be able to originate any mail from EC2.

~~~
baobabKoodaa
I'm sending from EC2. Why do you say that?

~~~
jacobwg
A LOT of spam originates from EC2, to the point that many major email
providers have blocked all of EC2.

~~~
baobabKoodaa
This is not true. I can mail everywhere except Microsoft.

------
nameless912
From the nomx respone:

> Contrary to the blogger's claim that this was an easy, simply hack, in fact,
> the blogger couldn't make the code work and requested other participants to
> support his attempts and publicly stated so on his blog. The "payload" he
> developed was from a third party named Paul.

That's embarassingly bad logic. The fact that this particular guy wasn't an
expert at XSS doesn't make the hack hard, and the fact that it exists _at all_
is the issue. What a bunch of fuckin' jokers.

------
Vesther
If i understand this correctly, the device is (apart from being the least
secure thing ever) basically useless at it's function, since it doesn't
support SPF/DKIM/DMARC and you can't get it to use HTTPS and as such will
bounce off every single correctly configured email server in the world?

If i remember correctly, when i tried to setup my own email server with my
domain on a VPS box, i had to go through the whole nine yards of getting a
letsencrypt cert and setting up lots of voodoo stuff before i could send mails
to anyone but myself.

Also, how are you supposed to use this at home at all, if most residential
ISPs (at least here in germany) block any Port 25 traffic?

~~~
i336_
Yes to everything you said.

D:

Australian ISPs kill anything outbound on port 25 also.

------
NoGravitas
I really can't tell whether this is an outright scam, or an earnest attempt by
someone completely unqualified (and completely unaware that they're
unqualified, per Dunning and Kruger).

~~~
Giroflex
At the very least there was bad faith from trying to stall and making false
claims about updates and disclosure to costumers in the e-mail chain between
Scott and them.

I'd also doubt they "had two of the largest security firms provide remote and
"in hand" vulnerability assessments on nomx", or else they just completely
ignored their advice.

------
henrikschroder
> "We've advised them that they should not use the nomx admin while surfing
> any other sites which contain malware or were otherwise compromised"

That's so hilariously misguided I don't even know where to start!

~~~
micaksica
They ripped that straight out of the OWASP CSRF cheat sheet, under "Personal
Safety CSRF Tips for Users". Yep, clearly nomx's issues are all just user
education issues.

[1] [https://www.owasp.org/index.php/Cross-
Site_Request_Forgery_%...](https://www.owasp.org/index.php/Cross-
Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Personal_Safety_CSRF_Tips_for_Users)

------
davotoula
"30 March 2017 22:28: Will claims to have a sent a response and has forwarded
the same email to me again which doesn't arrive."

"31 March 2017 16:52: Asked for confirmation of receipt of earlier email given
apparent email issues.

4 April 2017 11:13: Asked for confirmation of receipt of earlier email given
apparent email issues. "

Wonder why...

------
dbalan
GCache:
[https://webcache.googleusercontent.com/search?q=cache:3TT35M...](https://webcache.googleusercontent.com/search?q=cache:3TT35Mz0PgMJ:https://scotthelme.co.uk/nomx-
the-worlds-most-secure-communications-
protocol/%2Bhttps://scotthelme.co.uk/nomx-the-worlds-most-secure-
communications-protocol/&client=firefox-b-ab&hl=en&ct=clnk)

------
i336_
While I have a summary post elsewhere in here, at the risk of being a bit
spammy I'm double-commenting the following bit:

The device is designed to send TLS-encrypted mail from nomx device to nomx
device on port 26, BUT IT IS ENCRYPTING USING THE DEFAULT Postfix "snakeoil"
TLS CERTIFICATE.

------
nrki
Can't wait for their $10k bounty program to go public.

That will be an easy win for whoever submits first.

~~~
doubleplusgood
The article mentions that the bounty private key(s) would be embedded within
the device, so I don't think a submission would be necessary.

~~~
ATsch
Now that's just double stupid. Just dump the flash and done.

------
samsk
Many years ago, I've been working on similar (but better ?) SMTP security
device [1], that was doing on-the-fly email encryption by catching outgoing
SMTP connections and encrypting their content. One only had to setup some keys
and stick in in the outgoing network and it worked - like PGP, but without the
need to setup it on every device. But, they are already out of business now...

[1] [https://www.scmagazineuk.com/securecoms-launches-sme-
encrypt...](https://www.scmagazineuk.com/securecoms-launches-sme-encryption-
products/article/562199/)

------
jaclaz
This (statistics on the nomx rebuttal pages) must be coming from some kind of
alternate universe:

 _> For Media - Some statistics:

Number of nomx accounts that have been compromised since inception: 0

Number of Gmail accounts that have been compromised in the United States (from
2014): About 5 million to 24 million depending on source_

How about the TOTAL number of (respectively) nomx accounts and gmail accounts
(from 2014)?

I mean, 0/(something) is undoubtedly a smaller number than 5-24*10^6/(a very
HUGE number), but maybe the (something) is so little that the target in itself
is irrelevant...

------
doubleplusgood
This is great! I've always wanted a step-by-step guide on how _not_ to do
things.

------
skarap
Interesting findings. Though I didn't get why the author concentrated so much
on the security issues of the UI while the real issue is that the whole thing
is snake oil. I mean - what if the UI was great, had https and there were no
CSRF vulnerabilities? Would this be considered a secure product?

------
i336_
I STRONGLY recommend reading just the first bullet point below.

I'm wondering whether this is someone running a scam or whether they don't
fully understand technology and some evil tech has taken _them_ for a ride.
It's that bad.

Some paraphrased/elided highlights from the article:

\--

Practicality as a secure mail device:

\- The TL;DR of the "unbreakable security" is that the device sends TLS-
encrypted email on another nomx device listening on port 26... _USING THE
DEFAULT "snakeoil" Postfix TLS CERTIFICATES._

\- _The device sends from port 25._ Or rather, it tries to - it worked for the
post author, but I can personally say this would not work for me; my ISP
blocks port everything outgoing on port 25.

\- _The device tries to relay mail from a residential IP._ Predictably, all
commercial email systems shut this down the moment they see it. Hotmail has
the decency to actually kick the email back; other providers seem to just
silently drop it.

\- _The device will immediately put your IP on DNS blacklists because you are
sending mail that looks 100% like spam._ These blacklists are used by a
variety of online services so this is likely to catch up with you in a big way
eventually (one thing I just wondered is whether Google checks your IP this
way when deciding how complicated to make the captchas it sends you).

\- When you set up a link to another nomx device (it calls this a
"handshake"), you have to do it by IP address. There is no mechanism to
autoupdate the remote IP (I do acknowledge such a system would be mildly
nontrivial to put together, but I think this is already at the "doing it
wrong" stage and this type of solution is not what is needed here).

\--

Security considerations:

\- The default credentials are "admin@example.com" \+ "password" and there is
no requirement to change this upon login.

\- The device is so full of vulnerabilities it's possible to pwn it by simply
visiting an arbitrary malicious Web page (from any web site on the Internet)
that scans your network to find the device - once that's done the malicious
page can fire off a series of form submissions (probably also doable via XHR)
to gain a login cookie, _create a new admin user that will not be visible
because the device is only capable of listing one admin_ , and then...

\- With the device pwned, it's possible to take it over completely, create
arbitrary incoming email addresses, and attempt to send mail from the device,
from your IP. Your computer doesn't even need to be on for this to work,
obviously. I say _attempt to send mail_ because most of it will be blocked,
but you could easily take someone down by sending highly offensive mail to a
provider that let the email through - bam, your IP is on file as having sent
the email.

\- Thunderbird required repeated manual verification of the device's TLS
certificate (something the device purports not to require!).

\--

Software versions:

\- Raspbian GNU/Linux 7 (wheezy) - last updated 7th May 2015

\- nginx version: nginx/1.2.1 - released 5th June 2012

\- PHP 5.4.45-0+deb7u5 - released 3rd September 2015

\- OpenSSL 1.0.1t - released 3rd May 2016

\- Dovecot 2.1.7 - released 29th May 2012

\- Postfix 2.9.6 - released 4th February 2013

\- MySQL Ver 14.14 Distrib 5.5.52 - released 6th September 2016

The author received no response to his requests for updated versions of the
software.

The device also has no autoupdate mechanism, and there is also no mention of
such a mechanism being in development.

\--

Other thoughts:

\- The device uses GoDaddy for dynamic DNS. I'm curious why this is so bad; is
it because GoDaddy DNS doesn't update rapidly?

\- This kind of reminds me of [http://thedailywtf.com/articles/The-Expert-
System](http://thedailywtf.com/articles/The-Expert-System)

------
kriptonis
Website appears to be down as of now (10PM GMT+1)

------
ckastner
TL;DR:

It's $199 to $399 for a plastic case literally just containing a Raspberry Pi
3 Model B, running an outdated Raspian, and the software stack is extremely
poorly developed. eg: their "secure handshake between devices" is basically
two devices serving SMTP on port 26 instead of port 25.

~~~
JasuM
Its port 26 enforces TLS though.

~~~
tankenmate
But doesn't bother to check if the certs (local and remote server) have been
signed by a trusted authority. Nor does it attempt to pin these certs.

It provides encryption, but no authentication nor authorisation. In short an
ever so slight improvement over normal SMTP.

~~~
i336_
It's actively ten thousand times worse than that. From the article:

> _The device uses self-signed certs throughout and they aren 't even device
> specific. It's using the default ssl-cert-snakeoil.pem and ssl-cert-
> snakeoil.key in the Postfix config._

