BBC exposes flaws in 'world's most secure' email service

A BBC Click investigation has thrown doubt on claims that the small, personal email server Nomx can provide "absolute security".

Created by entrepreneur Will Donaldson, Nomx says it uses the "world's most secure communications protocol" to protect email messages.

But security analysts cracked the device's simple passwords and hacked its hardware and software.

Defending itself, Nomx disputed the way the tests were done on its gadget.

The Nomx personal email server costs from $199 - $399 (£155 - £310) and its publicity material claims it is designed to handle email communications for consumers.

It says that using a dedicated personal server, users can help to stop messages being copied and hacked as they travel to their destination across the net.

BBC Click asked security researcher Scott Helme and computer security expert Prof Alan Woodward, from the University of Surrey, to scrutinise Nomx. They were asked to assess whether it did let people send messages in a way that was secure against hacking and interception.

The investigation started by taking the device apart to find that it was built around a £30 Raspberry Pi computer. As the operating system for the Pi sits on a removable memory card, Mr Helme was able to download the device's core code so he could examine it closely.

This allowed Mr Helme to run it as if he were the administrator for the device. He discovered that the software packages it used to handle mail were not proprietary and many were very old versions, five years old in one case, harbouring unpatched security bugs. Default passwords found in the code included "password" and "death".

Mr Helme also found many problems with the web interface Nomx uses to administer the secure email service. This was vulnerable to several widely known and easy to execute attacks that, if exploited, would give attackers control over a target's Nomx system.

He also found a way to create a hidden administrator's account on the Nomx box that would allow any attacker to fully compromise the gadget.

In addition, Mr Helme found more than 10 other issues with the Nomx box that left him "horrified" by its approach to security.

The analysis was reviewed by Paul Moore - an experienced tester of secure hardware.

Mr Moore said the Nomx was an "overpriced and outdated mail server" and used one of the "most insecure PHP applications" he had ever encountered.

In an emailed response to Click, Mr Donaldson thanked Mr Helme and Prof Woodward for finding and sharing information about Nomx's vulnerabilities.

Addressing the issue of old software, he said Nomx planned to let users choose which updates should be applied to their device.

"We will selectively allow users to pick and choose when that becomes available but today we're not forcing any types of updates," he said, adding that updates can introduce vulnerabilities.

"Updates actually cause a cascading effect and now you're patching patches and that is not a good place to be in," he told Click.

The default names and passwords found by Mr Helme were used to make it easy for customers to set up their device and they were encouraged to change it afterwards, he said.

Mr Helme said the set-up process for the Nomx was far from easy and at no point was he told to pick a new password.

Late on 27 April, Nomx published a strong defence of its product and disputed the way in which Mr Helme tested the device. Mr Donaldson said Mr Helme's tests were unrealistic, as they involved actions no typical user would undertake.

Nomx said the threat posed by the attack detailed by Mr Helme was "non-existent for our users".

Following weeks of correspondence with Mr Helme and the BBC Click Team, he said the firm no longer shipped versions that used the Raspberry Pi.

Instead, he said, future devices would be built around different chips that would also be able to encrypt messages as they travelled.

"The large cloud providers and email providers, like AOL, Yahoo, Gmail, Hotmail - they've already been proven that they are under attack millions of times daily," he said. "Why we invented Nomx was for the security of keeping your data off those large cloud providers.

"To date, no Nomx accounts have been compromised."

The BBC Click show dedicated to this investigation will air on 29 April on the BBC News Channel and iPlayer, where it will also be available afterwards.