Transcripts For BBCNEWS Click 20170504 : vimarsana.com

BBCNEWS Click May 4, 2017

Totally secure. Sounds like a challenge to me. Over the last few years, billions of e-mail accounts have been hacked. Has yours? Last year, Yahoo announced that over 1.5 billion e-mail accounts were compromised between 2013 and 2014, the largest breach in history. Then it emerged that Russian hackers had gained access to 60,000 e-mails from Hillary Clinton's presidential campaign. Some believe the resulting leaks helped swing the election for Trump. And what it certainly did reveal is something most of us already knew: we send, each of us, all the time, hugely personal information around the internet. Information that we'd like to keep private, but others are all too often able to see. So how about something that guarantees to protect all of those e-mails? Sounds like something you wanna have, doesn't it? Well, this is nomx, a box which promises to secure your e-mails 100%. It was at CES that we came across this device as it was introduced to the world, and it caught our eye. I met the boss, Will Donaldson, who has impressive security credentials himself. He's worked in computer security and built web applications for the Pentagon, the Marine Corps, and he was chief technology officer for the F-35 Joint Strike Fighter communications facility. So what does he think is wrong with bog-standard e-mail? Well, the nomx promotional videos explain the problem. When you send an e-mail, copies of the message end up on several internet servers along the way. Will says all of the recent big e-mail hacks have involved one of these servers being compromised, and what's more, through a known vulnerability. So those vulnerabilities, we've identified six core ones that encompass 100% of hacks that have occurred to date. Will's solution is a $199 box that acts as your own personal e-mail server.
It'll talk to other e-mail services, but where it comes into its own is when it connects directly to another nomx box at the other end, the pair of them replacing the cloud servers that your message would usually flow through. That means no copies are stored anywhere but on your box and the recipient's. The idea has caught the imagination of some in the security industry, who've called it a personal cloud on steroids, and Will himself has become a bit of a star, being interviewed on US national television and elsewhere in the media as a security guru. So what you're pitching here is that you can make a black box, that black box there, that is more secure than a multibillion-dollar company's servers? Absolutely. It's been proved they're vulnerable. My question to you is, you're not a multibillion-dollar company. Not yet. Why should I believe that your security is any better than theirs, and why should I believe that there are no vulnerabilities that you have accidentally left in your box? What we've done is identify the categories of those vulnerabilities, and all of the hacks that have occurred have been in those traces of vulnerabilities. By removing them from the equation, we've now negated them on our protocol. So the theory sounds a good one: avoid making multiple copies of your messages across potentially vulnerable servers on the internet. You just have to rely on the nomx boxes themselves not being open to hacking. Well. You all know this man, Dan Simmons, one of Click's most experienced reporters, and famously, if someone says something is unbreakable, you try and break it? Yeah, well, look, often on this programme we look at new things and we are as excited as anybody else to see them, but sometimes, just sometimes, something seems a little bit too good to be true, and absolute security, I've never heard anyone in the cyber security industry promise that, but that's exactly what this company are doing. So to prove a point, you're going to try and hack this box? Yes.
I think I've found somebody who may be able to do it. OK. Scott Helme is one of the UK's most respected professional white hat hackers, or penetration testers. He's helped discover some big security flaws in the past, including hacking home routers and electric cars. Scott's had the nomx box in his hands for just a few minutes and he's already suspicious. Hey, Scott. How's it going? How'd you get on? Good, yeah. I've had a look over this device and I was quite surprised when you first gave it me. So when I flipped it over, we saw what we call the MAC address here, which is the device's unique identifier, and these first three segments identify the manufacturer; that tells you who builds the device. So I went away and I looked these up, and they're actually registered to the Raspberry Pi Foundation, that make the Raspberry Pi computer. That's the hobbyist's computer we've seen on Click, the credit-card-sized device. But nomx is the manufacturer, right? Yeah. So what I did, I went ahead and opened this up, and what we found inside, if I can just open these parts here, is there is in fact a Raspberry Pi inside this, which is white felt, all white. Wow. There's nothing else they've done with this that we can see inside. That is just a standard £35 Raspberry Pi. Correct. But what does that say to you, as a security guy, when you look inside? I guess there are further things to be found here that may surprise us. I've also asked Professor Alan Woodward, a well-known cyber security expert who's advised the UK government and Europol, to take a look at the nomx box to see how it works. So, how have you got on? Well, already through the set-up process, there's a few things, for a product that bills itself as being absolutely secure, there's a few things that we found that give rise for concern. And we certainly want to look a bit further into it. Just plugging it in has sent alarm bells ringing for Alan. The set-up of the device is through a web application that wasn't particularly helpful.
It doesn't ask Alan to open up port 25. Now, that's a key port on his router he will need to communicate with popular e-mail servers like Gmail or Microsoft accounts. It's never going to receive e-mail from an external service. Unless you change your router? Unless you know to go to your router and change port 25. And does it tell you that? No, it doesn't. The documentation doesn't have it in there. It tells you all these other ports, but not port 25. So you're having a quiet life for a few years to come, receiving no e-mails at all. But it gets better. Hotmail instantly knows that you're sending it from a domestic IP address. It's what's called a dynamic address, because it changes. It's not yours for life. Every time you turn your router on you get a new one. It spots that and says, we don't accept e-mails from dynamic addresses, because they just assume nobody's going to be running an e-mail server on a domestic system like this. So this box can't send an e-mail to Hotmail? To any Hotmail address? No. And if you try and send it to something like Gmail, then what happens is, because of things like the way Hotmail spots it, as you'll see there, we are actually blacklisted already. Spamhaus, which is one of the biggest spam filters, says this is a spam box. It's blacklisted us. Now, to be fair, nomx doesn't open port 25, it uses port 26. But as we've seen, without 25 open, it's going to be difficult to hear from the rest of the world. Well, bearing in mind it's got one job to do, which is to be an e-mail server, that's a pretty poor show. And there were more surprises to come when Alan opened the box. One of the simplest machines to break into is a Raspberry Pi. Everything is on this one little card. It's on one of these tiny little cards. So all of your e-mails, all of your software, everything is running on one of these tiny little cards.
Now, actually, if somebody did have physical access to this, what they could do is they could whip that card out, copy it, put the card back in, put it all back together, and you'd be none the wiser, and they've got a copy of everything, including your e-mail. Because one of the things about this is it's not encrypted in any way on the card. This is not using any encryption? For storage, none at all. And what we did was, you said the simplest thing to do, because it is a complete Raspberry Pi, the simplest thing to do was actually plug it into a monitor and see what came up. So this is an HDMI. HDMI cable. Here we go. The first concern would be if it is actually running Raspberry Pi as an operating system, which it is; it immediately tells you it is. Postfix is the mail transport agent, that's part of the mail server. It was just all totally standard stuff. So how old is the software on there at the moment? Well, that's another thing that we found, which was really, I would say, alarming, in that it's so old we couldn't actually get hold of some of the software. It's running Raspberry Pi's own operating system. It's a version called Wheezy, which you can no longer download from the Raspberry Pi website. They've taken it off because they don't want people downloading it, it's that old. Likewise all this Postfix Admin, there is another piece of software called Dovecot, all of which are free bits of software, but some of it dates back to 2009. It's inevitable that people will find bugs, flaws, in any bit of software, and what people do is they release a later version with the bug fix. The problem with the way this is put together is there is no way of doing that. There is a whole series of things about the way this is put together that make you think absolute security is... a stretch.
Now, it is important to say at this point, there is nothing wrong with the hardware or the software that you're talking about per se. Raspberry Pi is fine; the software used, Postfix Admin, is just a piece of off-the-shelf software. Yes, I mean the Raspberry Pi is a great bit of hobbyist kit, and Postfix, as in the other programmes we have looked at, they do the job, if you've got the latest versions of them. But this box doesn't run those. By a mile it doesn't run those. They're still selling this box right now as a finished product? It was being sold when you were testing it? Absolutely, and as we're filming it is today. OK, you've studied the box, what next? Well, surprise, surprise, Scott thinks he can hack it. So I thought, yeah, OK, fair enough, go ahead and we'll film it. So to start with, we decided to get a second box in, just to make sure this one wasn't a prototype or there was anything dodgy with it, and that came along in the post. Right, got a letter from nomx to say, dear Dan, as per your request I have enclosed another device for you to use in your BBC Click programme. There you go, Scott. See what you make of it. Let's see. So, we appear to have some instructions in this one. That's the first one, isn't it? Yes, the original device. They do appear, it appears the same. So that, if it's the same, it's not going to be a prototype. Yeah, so this is what we are looking for: are the additional ones they're accepting the same. Looking at the MAC on the bottom, it appears to be a Raspberry Pi, as the last one. The hardware's identical, so Scott's using a programme called Meld to check if the software is the same too. It's showing us that they're virtually identical, with a couple of minor changes that don't change the operation of the box. They're actually using the same user name and password on all devices, which is printed just there in the manual. So this is admin@example.com and the password is password. And do they tell you to change that? Obviously they do? No.
They don't. It's not in the instructions, and when I log into the device it also doesn't tell me to change it. So all these high-security boxes have the same admin login and password. Yes. Which is password. It's a fundamental flaw in security. You cannot have a weak password and a default password, and this is both, and leave it on the device. We should force the user to set their own password so that every device in the world has a unique password. Because otherwise, because we're lazy, aren't we? We would just leave that as password, because I'll remember it. Yes. Look at this, here we go. You have one of these at home, it is just a normal router. This is 7f7f, a PIN on here that's unique to this device. Here's another device that I might plug in. That has its own unique PIN. You pick up one of these nomx boxes, there's no PIN on here, apart from the security through the web server, which is obviously the password. Password. And knowing that has opened a door for Scott to deliver a package of his own. If users haven't changed their password, then Scott's malicious software will hand him control of their e-mails. So this is the picture of the cat, there is the picture of Steve Jobs, and those two things go into this page. All he's got to do now is persuade unsuspecting users to open it. Completely unrelated, I'm going to show you this funny website: top ten funniest pictures of your pet. And what I'm going to do now is I'm going to go back to the nomx device and, if I scroll down, how many e-mail addresses are registered on this device? You have got two. Where did that one come from? That one was placed there by the website with the pictures of cats and dogs on that we just looked at. But what this actually does is launch something called a cross-site request forgery attack. Now when I visit this website, while I'm reading this article, it is attacking the nomx device. I can do anything that I want on your nomx device, simply by you visiting this page.
We then went back and looked at these older versions of the software, and this is a fault that's been recorded over many years. Wow, so they have in fact, not just nomx, but everyone's known about this. Yes. Possible problem. Time for a cup of tea. Now, remember nomx claim to have the world's most secure protocol, offering absolute security, and they even take issue with services like Gmail and Microsoft, saying everything else is insecure. But we've just discovered how to hack these boxes in a really simple way. The things I found are in the OWASP top ten; they are, and have been at one time, the most common vulnerabilities found in the web, in the platforms that we look at. When you teach people how to develop web applications, you say, these are the things you need to check for, and it's the top ten things you tell them to look for. Is this a schoolboy error? Yeah, for a company that's making claims about absolute security, then they should have been aware of the OWASP top ten and run that list against their application. Would you want one? No. I wouldn't pay folding money for it. I can't see how they can patch it and protect their consumers. That's my concern. I can't see how they can look after the people that have been put at risk, and currently are at risk, and always have been at risk. This risk has always existed. We just didn't know about it. All we've done is find it and bring it to life. I can't see how they can protect those people, other than telling them to unplug the device and stop using it. Now it's worth saying that users who had changed their admin password wouldn't have been quite as vulnerable to this attack. So Scott wanted to go further, and found this key lying around in the code, an identical key on both nomx boxes. These innocuous-looking two lines are the master password for the whole system. It shouldn't be in full view when analysing the code on the box, but, hey, it is.
Now, it looks like gobbledegook, because this is the master password in encrypted form, known as a hash. And it is useless to anyone, unless you can crack it. Scott's got some, shall we say, resourceful friends, but the fact the master password is a five-letter word, all in lower case, made it easy. A simple dictionary attack took less than ten minutes to decode it, and now Scott has the keys to the castle. It doesn't matter now if users have changed their admin passwords from password; they just need to click on the kittens. You don't have to visit this malicious website on the machine that you're administering the box with. It just needs to be another machine that's on the same network as that box. So your teenage daughter, for example, or anyone else, granny or whatever, could get this message, click on the cute furry kitten, and it is curtains. Exactly. One of the scary things is, if I know your e-mail address, I can actually change the passwords for your e-mail address and then immediately log into your e-mail account, so I can effectively hijack your account and take full control of it. That's not even the worst part. I can effectively almost wiretap the device and see everything that you send from that point on. Alerting a company quickly that they have a security problem is best practice for ethical hackers. So Scott sends an e-mail to warn nomx its users are vulnerable to attack. Right, so it's not absolutely secure then? No. Not if that happens, no. What did the company say about that? They say Scott's hack is a proof of concept. Well, Scott says it is a proof of concept. That's the only hole; they haven't actually hacked anyone yet. The idea of ethical hacking, white hat hacking, is to tell the company first, so that they can do something about it. And the clock is now ticking. Scott's given them 30 days to sort this out, before he says he will publish the details of the hack. But nomx has no way of updating its boxes, so how can it possibly patch this problem?
Good point. 30 days are up an
