I would recommend changing this link to the linked writeup by Scott Helme:<p><a href="https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protocol/" rel="nofollow">https://scotthelme.co.uk/nomx-the-worlds-most-secure-communi...</a>
I've always said consider any product, even a security product, insecure by default until proven otherwise by careful inspection by people who know how to find flaws. This was the recommendation of those that invented information security. It was best approach then. It's still the best approach.
The nomx response was here yesterday. Apparently the guy flashed the SD card, rooted the device and used a payload written by a friend.<p>According to their account none of this was reproduced w/ an off the shelf device rooted by nomx and placed on a network not 100% controlled by the attackers for the challenge