Abstract. My name is Oriol Rius and I’m co-founder and CTO at NEXIONA®; my passion for technology started when I was 9 and coded in “Logo”: I was amazed when a robotic turtle moved around painting on paper what I had coded. At 14 I started working on Unix systems, and very early I found a lot of insecurities in those operating systems. After many years penetrating systems and helping banking companies protect their systems, I discovered there was something more exciting than penetrating a system: creating your own products and living from doing it. Using my experience in security, in this document I’ll try to summarize what happened with the DDOS attacks on important Internet sites using IoT hardware.
First of all I’ll introduce some basic concepts, and finally I’ll explain what happened with the DDOS attack on Friday October 21st.
There are more complex security issues. But simple details like those are more than enough to start with something really dangerous.
Worm and Botnet
A worm is a computer program that looks for vulnerable systems on the Internet and tries to replicate itself, propagating through security breaches. When a system is infected with a worm it becomes part of a botnet. These infected systems are also called ‘zombies’ because they continue working, but they are now remotely controlled by attackers. Attackers use these botnets to launch cyber-attacks.
DDOS stands for Distributed Denial of Service; in computing we speak of a denial-of-service attack when a cyber-attack tries to make a service unavailable. Usually this is done by overwhelming that service beyond the capacity of its server.
A simple example: imagine a shop that receives so many customers at the same time that it is unable to cope with the sudden increase in demand and has to close its doors.
On the Internet these customers come from all around the world, and in DDOS the word ‘distributed’ means that a lot of requests are made to the service at the same time from multiple locations. This makes it very difficult to distinguish those who really want, and need, the service from those who are attacking it. In consequence the service is overloaded and shuts down. This is what was observed last Friday in services such as Netflix, PayPal and many more.
What happened on Friday October 21st?
A DDOS attack against a very important DNS provider left well-known websites without their DNS service. DNS is used by all Internet services to convert Internet addresses understood by humans into network addresses understood by ‘machines’.
Putting it simply: when you type the name of a web page into your browser, your computer requires DNS servers to convert that name into an Internet address in order to reach the service. If that DNS service is not available, the service cannot be reached.
The real truth behind last Friday’s attack (who were the authors? what were their motives? what techniques did they use?) is still under investigation. As to the origin of the zombies, everything points to cheap IoT devices, such as security cameras, widely deployed around the world, many of them still with their default user id and password left unchanged. This allowed a botnet to be created, which the attacker used to launch a DDOS attack targeting a very important DNS provider called Dyn. Dyn hosts the DNS services of Twitter, Netflix, Spotify, etc., and all these services were unreachable for some hours.
When software runs embedded on hardware we refer to it as firmware; the most common vulnerabilities in the IoT are in firmware and are caused by manufacturers or technical personnel who:
- a) set up a network of sensors and ignore the potential security risks in the protocols used to transport sensor data.
- b) ignore common best practices regarding network security.
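The zombies described above were devices still running on factory credentials. As an added example (not NEXIONA’s code), this Python sketch models a first-boot setup routine in device firmware that keeps the login service disabled until the factory account has been replaced by a unique, non-default, salted-and-hashed credential. The list of factory defaults is constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of factory defaults; real firmware would ship its own list.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "1234"), ("admin", ""), ("root", "root")}


def is_factory_default(username, password):
    """True if the pair matches a known shipped credential (username case-insensitive)."""
    return (username.lower(), password) in FACTORY_DEFAULTS


def is_weak(password, min_len=12):
    """Reject short passwords and those using fewer than three character classes."""
    if len(password) < min_len:
        return True
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) < 3


def hash_credential(password, salt=None):
    """PBKDF2-SHA256 with a per-device random salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class DeviceAuth:
    """Login is refused until set_credentials() has replaced the factory account."""

    def __init__(self):
        self.account = None  # (username, salt, digest) once provisioned

    def set_credentials(self, username, password):
        if is_factory_default(username, password):
            raise ValueError("factory default credentials are not allowed")
        if is_weak(password):
            raise ValueError("password too weak")
        salt, digest = hash_credential(password)
        self.account = (username, salt, digest)

    def login_allowed(self):
        return self.account is not None

    def verify(self, username, password):
        if not self.login_allowed():
            return False  # remote login stays closed on an unprovisioned device
        stored_user, salt, digest = self.account
        _, candidate = hash_credential(password, salt)
        return stored_user == username and hmac.compare_digest(candidate, digest)
```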
Closely managed private IoT platforms can have security breaches but they are typically managed and kept up to date with the latest security patches by Security Engineers from the company that developed the software. The real challenge, presented by IoT, is how to protect huge networks of completely unattended and unmanaged devices.
At NEXIONA® we provide remote support and maintenance processes which allow us, and/or our customers, to respond to, and fix, security vulnerabilities well in advance of them becoming public. In addition, our sensor networks are linked using VPNs and data is transported via secure channels. Anything, anywhere, secure.
Because we’re really committed to security we’re also working on obtaining ISO 27001 certification for the security of the information that we, and our software, manage. So, combining all of the above, it’s easy to understand how we are able to confidently state that, in this fast-changing world of security threats, NEXIONA® can be trusted to deliver world-class security for cost-efficient devices.
In a nutshell:
- NEXIONA® insists on best practice: remote support and maintenance ensure all deployed systems are constantly kept up to date with the latest security patches, and the use of VPNs across sensor networks ensures secure transport channels.
- NEXIONA® solutions have security designed in: we install firmware to our own design and security specification, security certificates are applied at every stage of the system so there are no default credentials, and two-factor authentication and one-time passwords are used when connecting to ‘things’. Security is applied across multiple aspects of every NEXIONA® solution.