Skip to content

nomx: The world’s most secure communications protocol – BBC Click


A great episode of BBC Click – detailing the security breaches of a super secure email server, which runs (I’m not joking) on a Raspberry Pi.  Yikes.

I was recently invited to take part in some research by BBC Click, alongside Professor Alan Woodward, to analyse a device that had quite a lot of people all excited. With slick marketing, catchy tag lines and some pretty bold claims about their security, nomx claim to have cracked email security once and for all. Down the rabbit hole we go!


You can find the official nomx site at and right away you will see how secure this device is.

nomx main site

Now, I’m not sure how someone is supposed to edit this PHP file right now because I can’t see the SSH instructions anywhere nor can I see the setup password anywhere either. To save you all the trouble I extracted the hash of the original password whilst I had SSH access and you can see it here:


It turns out this was pretty easy to break after I had a quick dig in the source to see how they generated the hash.

function generate_setup_password_salt() {  
    $salt = time() . '*' . $_SERVER['REMOTE_ADDR'] . '*' . mt_rand(0,60000);
    $salt = md5($salt);
    return $salt;

function encrypt_setup_password($password, $salt) {  
    return $salt . ':' . sha1($salt . ':' . $password);

Soooo, yeah. I also had a dig around in the config file and stumbled over this which is used during the setup process.

$CONF['min_password_length'] = 5;

Anyway, the main point for now was that I managed to crack the setup password, which was death, with a quick tweet asking for help or I could have set my own if I needed so I could create an account and login to the device.


The master password for the whole system is “death”.

Undocumented admin account

After delving into the database on the device and browsing through a few tables, I saw something that horrified me. There was another admin account alongside my own that I hadn’t created.

mysql> select * from admin;  
| username               | password                           | created             | modified            | active |
|      | $1$d2242313$UJ6TolBZXSQQvrXvlMZO2/ | 2015-10-10 18:31:30 | 2016-10-24 21:35:46 |      1 |
| | $1$7d33f257$qxWGsOPg1PX6Axu.NoNaK0 | 2017-03-13 17:24:05 | 2017-03-13 17:24:05 |      1 |

I extracted the hash and posted it to Twitter to see if I could crowd-source the input and it didn’t take very long for someone to come back to me with the answer.

The password was, quite literally, “password”. Sure enough I immediately opened up the web interface and I could indeed login with the username and the password password. I had full control of the device. This is inexplicably bad for more reasons than I care to list but coupled with the above CSRF attack I now don’t need to depend on the user to be logged in to the device to perform administrative functions, I can simply login to the device with these admin credentials and do anything I like. All this requires is two simple iframes on a page.


Well done BBC Click!

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: