Japan to Hunt Down Citizens’ Insecure IoT Devices

Japan will carry out a “survey” of 200 million deployed IoT devices, with white-hats trying to log into internet-discoverable devices using default credentials.

The Japanese government is taking the problem of insecure IoT devices into its own hands, with what some say is an audacious plan to carry out wide-scale penetration testing on its citizens’ gadgets.

The country’s National Institute of Information and Communications Technology (NICT) has been tasked by the Ministry of Internal Affairs and Communications to carry out a “survey” of 200 million deployed IoT devices, starting with routers and web cams. A team of NICT white-hats will try to log into internet-discoverable devices using default credentials and a list of overused and easy-to-guess passwords.

When insecure devices are uncovered, ISPs and local authorities will be notified, so they can work with impacted consumers and businesses to lock them down.

Japan is taking this step – scheduled to start in March – ahead of hosting the Summer Olympics next year in Tokyo. The Ministry of Internal Affairs and Communications has said that attacks on IoT devices accounted for two-thirds of all cyber-attacks in 2016 – a state of affairs it expects to ramp up as hackers potentially look for ways to disrupt the Summer games.

There’s precedent for the concern: The Olympic Destroyer malware famously impacted the opening ceremony of the Pyeongchang Winter Olympics held in South Korea last year; while attribution and motivation is murky at best, the “Hades” group behind the malware continues to attack a range of targets. Beyond the Olympics, another concern is the development of destructive IoT botnets like the VPNFilter scourge, which can install rootkits, exfiltration capability and wiper malware on its targets. And, Mirai and similar botnets have shown that IoT botnets can be incredibly effective at large-scale DDoS attacks.

Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team, pointed out that there are other worries around compromised IoT footprints as well.

“The risk of wide-scale IoT compromise may also extend beyond the internet in some circumstances,” he said in an email. “An attacker with control over enough smart outlets, thermostats or appliances could likely disrupt critical public services like energy, water and sewer services by creating sudden spikes in demand to overwhelm infrastructure. Does anyone really know what will happen if a couple hundred million lamps are turned on and off simultaneously across a nation? What about if an excessive number of thermostats are suddenly set to the extreme?”

He added, “Although it may turn out to be an unpopular opinion, I think this is a reasonable action by the government of Japan.

From a security perspective, Japan’s plan may indeed make sense, given endemic issues with users not changing their default credentials for IoT devices and not updating firmware, plus the fact that security-by-design is still not common and that it’s difficult to tell if a device is even compromised.

“Since the IoT industry is in its infancy, almost all of the devices have the potential to become cybersecurity risks. In a rush to get them into the market, most manufacturers are ignoring the security side. From this point of view, the Japanese government’s concern has merit,” says Daniel Markuson, digital privacy expert at NordVPN, via email.

Japan’s citizens see things a bit differently, however, according to reports of widespread privacy concerns among consumers. As Markuson noted, “It seems as an excessive measure, as the same results could be achieved by sending a security alert to all users or informing people via media. It is also not completely clear what other sensitive data might be collected during the survey and how it will be handled.”

However, Young took a different tack: “In my opinion, the question about whether this is a government invading its civilian’s privacy is misguided. Without any action, these devices remain vulnerable and may be accessed by anyone with the will to find them. The question then is whether it is preferable to have someone from the government find and notify civilians about insecurity or to leave these systems for those with malicious intent to find.”

Suggested articles