• by Jess Nelson , April 28, 2017

A DIY private email server touted with the tagline “everything else is insecure,” is actually riddled with security holes, according to a team of BBC researchers.

With a starting price of $199, nomx is a device that helps users set up their own private email server so that emails are kept away from mail exchange (MX) servers.

After seeing the product displayed at the Consumer Electronics Show (CES), the BBC reached out to Professor Alan Woodward at the University of Surrey department of computing to test nomx’s security claims. Professor Woodward worked alongside security researcher Scott Helme, who later posted a thorough product review of nomx on his blog that outlined several security flaws he had discovered.

As it turns out, nomx is built on a Raspberry Pi with seriously outdated software -- dating back to 2012. Helme found several bugs on the device and discovered that the Web app was vulnerable to cross-site request forgery (CRSF) attacks, making nomx vulnerable to hackers who can take control of the device by tricking a user to visit a malicious Web site.

“It would be very easy to conclude that this is a scam,” writes Helme. “The device is running standard mail server software running on a Raspberry Pi, most of which is outdated. They have presented at countless tech shows and can be constantly found making bold statements of 'absolute security' yet didn't pick up a CSRF vulnerability in their web interface.”

nomx dismissed the BBC research in a lengthy post online, saying that no nomx account had ever been compromised. The company also asserted that newer nomx devices don’t use Raspberry Pi, but offered no details on how many vulnerable devices might still be being used or whether a security patch would be released to mitigate the concern.

The BBC plans to air the investigation Saturday on the BBC Click show.