27 April 2017
- UK blogger makes false claims he can access nomx remotely
- UK blogger fails to access nomx remotely
nomx is pleased to provide the following details regarding testing recently performed by a private cybersecurity blogger who claimed he could access any nomx device and that he could do so in minutes.
In 2016 nomx produced a number of devices based on a Raspberry Pi. These devices were primarily used for demonstration and media review, and were provided to numerous media outlets to evaluate nomx. A number were sold to early adopters who wanted to try nomx on this hardware instead of waiting for future models to be manufactured.
In January 2017 the BBC was provided a demo device for use in a forthcoming episode focused on personal security. The BBC later requested another device, and that too was a Raspberry Pi model.
Security Testing of a Rooted nomx Device:
The BBC provided the nomx devices for testing to a UK-based blogger who physically disassembled and rooted one of them. Rooting was done, in his words, by opening the nomx case, removing the memory card from the Raspberry Pi, inserting it into his PC, and resetting the root password. That is not an action a typical user would take, nor is it routine for a nomx device.
This process gave him access to the nomx device from his local network. He then wrote code specific to the management page of the nomx device in his possession.
The code is a Cross-Site Request Forgery (CSRF): it requires the user to click a link or visit a compromised website, and the attacker's page, loaded from the Internet, then causes the user's browser to send requests to the device's management page.
Contrary to the blogger's claim that this was an easy, simple hack, the blogger could not make the code work on his own, asked other participants to support his attempts, and said so publicly on his blog. The "payload" he used came from a third party named Paul.
After the code was created, he hosted it on his own web page to target the nomx device he had previously rooted, which was in his possession and on his own network. He then modified the nomx data through a link that he clicked himself to load the "payload". The attack would require detailed information about the local nomx device, plus a phishing link sent to the intended victim or a visit to a compromised third-party website; the victim must have been logged in to their nomx device beforehand and then followed the phishing link or visited the compromised site.
Further, the code requires the victim to repeat this action for every command (list accounts, create an account, change a password, download mail, change the password back to the original, and then remove log files to "clean up" their tracks). We maintain that this could not occur in the real world, and we proved that against the blogger's own attempts to do so (see below).
Based on the actions of the blogger, his rooting of the device and the specific code used, nomx believes the threat was nonexistent for our users, even those with earlier versions of the code or Raspberry Pi-based hardware. We informed our users of the risks of visiting third-party websites while logged in as management, or after logging out but leaving the browser open. Users could also check their log files to validate whether any such access occurred. No nomx devices, accounts or data were ever compromised, and the blogger could not show any evidence of such actions. 100% of nomx users are satisfied with the nomx disclosure and actions in this event.
We also notified the BBC that we did not believe the blogger was being fair or accurate in his findings, because no nomx devices were actually compromised or could be compromised unless the users took those steps, which could not occur in a real-world situation outside the lab, as the blogger himself proved when he failed to do so.
When confronted with these details, the blogger began to state that nomx was not as secure as we had promised. To counter his claims, nomx invited him to perform such an attack on a live nomx device that had not been previously rooted by a user and was not located on the same network as the attacker. We made that offer through the BBC, and the blogger agreed to test the nomx devices in a fair manner.
The Testing of nomx in the Real World:
On April 26, nomx sent the blogger an email from a nomx device, including the device's details, and asked him to hack the device that sent it. The same emails were sent to several interested media outlets, including the BBC, who validated that the device was active and sending and receiving email. The blogger had previously claimed he could compromise a device "in a matter of minutes" but was not able to do so at any time. In fact, the blogger was not able to do anything at all, counter to his claims that he or others could, that it was very easy, and that it would affect nomx's security.
An associate of the blogger, who had represented the claims publicly, stated on Twitter that they would not participate in any test unless they had physical access to the device on a network of their choosing. That is not what they originally claimed, and it demonstrates that their "simple 3-4 minute hack" is not real.
After confirming that they would not participate, we concluded our test with the blogger and his partners today and notified the media of the outcome. We are forensically examining the device to verify whether they attempted to log in to it at all, countering assertions that they would not even try.
Regardless of the rhetoric and claims, to date neither this blogger, his partners, nor anyone else is or was able to access, modify or even retrieve any data whatsoever on a nomx device, even with all the associated internal details. The only person ever affected by his claims was the blogger himself, by putting himself in the unique situation he created: attacking a device on his own network and in his possession, using code he created (with the help of others, as he discusses on his blog), on a device he rooted himself.
After multiple statements about the lack of security of nomx, the blogger failed to prove any such vulnerability and failed in his accusation that he could penetrate nomx in any way.
No nomx user was affected by this threat. No nomx user could be affected by this threat in the future. No nomx data was compromised, and the blogger has (finally) reluctantly verified this. He still has not publicly shared that statement, except in an email response to the BBC when directly asked on April 25. The BBC's response to nomx was:
From the BBC to nomx: "I understand from your replies that you state categorically that no nomx accounts have been affected by this hack. I have put your questions to [blogger] who has confirmed to me that he cannot say that any have."
While nomx is no longer based on Raspberry Pi devices, we maintain that users' data is secured, as we have demonstrated to the blogger, the media and our customers.
We request that any media wishing to profile nomx security or this blogger use this website with attribution to nomx (www.nomx.com) and also include the statistics below. Due to the large number of interested media, we are not able to respond to every reporter directly within the deadlines imposed and believe it is only fair to share these same details with all media. We invite any media who care to see an onsite demonstration of nomx in action to request and schedule a time in the Washington, DC or NYC areas in the coming weeks. We will provide a nomx device and allow video, use of the device, and any third parties to attempt to access it.
For Media - Some statistics:
Number of nomx accounts that have been compromised since inception: 0
Number of other cloud-based email accounts compromised as of 2016: 272 million
Number of Yahoo accounts (including email) compromised 2013-2016: more than 1 billion
nomx is now finalizing nomx 2.0 servers, which include an internal nomx email server and a host of other servers that keep users' personal data off the cloud services that are attacked daily.