
Why you shouldn’t trust the “world’s most secure” email service


If something seems too good to be true, it probably is.

In the cybersecurity world, if something is said to be “unhackable” or provides “absolute security,” you should run for the hills, because — spoiler alert — there is no such thing as “absolute” security.


Anyone who tells you otherwise is stupid enough not to know, or smart enough to try to lie.

Enter one security startup, Nomx, an Arlington, Va.-based hardware maker founded by chief executive Will Donaldson, which builds (in his words) the “world’s most secure” email service. The company promises “absolute security” in its email-in-a-box offering for anyone who buys the $199 device.

But those claims were refuted by two leading UK-based security researchers, commissioned by the BBC earlier this year to examine the Nomx device.

Scott Helme, a security researcher, and Alan Woodward, a professor at the University of Surrey, examined the device, which turned out to be built around a homebrew Raspberry Pi micro-computer. They found a litany of serious flaws in the easily hackable device, which they said can lead to a “full compromise.” An attacker can “read, delete, and send emails” from the device with a simple cross-site request forgery attack, in which a malicious website can trick a computer into running malicious code, said Helme in a blog post.

Their findings were later independently reviewed by Paul Moore, an information security consultant.


Nomx, however, disputed the research in a statement on its website, arguing that the kind of simulated attack is “not an action a typical user would do.”

“No Nomx devices, accounts or data was ever compromised and the blogger could not show any evidence of such actions,” said Nomx’s website.

But the company’s rebuttal doesn’t stand up, nor can it substantiate its counter-claims — while leaving more questions than answers about the device’s (lack of) security.

“I guess ‘total compromise’ is subjective,” said Helme in a message. “Some people expect you to pop a shell, but to me, such extensive control over your emails, which is the point of the device, is ‘total compromise’.”

Woodward agreed, telling me in a message that the Nomx device is “compromised to the extent that anything an admin user can do on the box, an attacker can do.”

True, both Woodward and Helme said that it’s not known if any customer Nomx devices have been compromised. Woodward said that the whole point about ethical hacking is that “you hope to work with a company to close vulnerabilities before users are damaged.”

“We were asked by the BBC whether we could say if any box had been compromised,” said Woodward. “We said we obviously couldn’t confirm that. It was this that Will Donaldson took out of context and moline that we had accepted the box was secure.”

When pressed, Donaldson repeated his claim in an email that none of his customers have been compromised, but he provided no evidence to back up his claim.

Instead, he said: “If you have any reports, issues, claims or statements that counter what I’ve said I’d like to see them and their source.”

With no way to remotely access a device (despite the fact that each device has an undocumented login account), Donaldson has no way to check the logs to see if any Nomx device has been compromised. Woodward and Helme only released their findings after Donaldson said that “no user was now at risk and all boxes had been exchanged or updated,” but because the researchers found no update mechanism on the device, there’s no way to patch the vulnerabilities even if Nomx had released a patch, and there’s no evidence that one has even been released.

In an email, Donaldson made several grandiose, bizarre, and unsubstantiated claims, among which he said that many mainstream email providers are “compromised daily.” He added that former Democratic presidential candidate Hillary Clinton “would have been president” had she used one of his email boxes.

But Donaldson did not answer our specific questions — particularly how the company plans to improve the device’s security following the disclosure. Instead, he referred to his website’s statement to address questions relating to the device’s security.

When he repeated his claim that “no users were affected by this vulnerability,” we asked how the company came to that conclusion — which is when he stopped responding to our emails.

Donaldson’s attempt to counter the researchers’ fact-based narrative collapsed in the face of too many unanswered questions. Instead, Donaldson took a page out of the spin playbook by taking to his website to boast a headline that claims Nomx “passes” security, a day before BBC Click aired its investigation.

Moore, who reviewed the researchers’ findings, tweeted: “You didn’t pass at all. Far from it.”

As with any security product, extraordinary claims require extraordinary evidence. And while Nomx may have bravado, its promises just don’t stand up.


(via PCMag)


