The Japanese government approved a law amendment on Friday that will allow government workers to hack into people's Internet of Things devices as part of an unprecedented survey of insecure IoT devices.
The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.
NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices.
The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices.
The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike.
According to a Ministry of Internal Affairs and Communications report, attacks aimed at IoT devices accounted for two-thirds of all cyber-attacks in 2016.
The Japanese government has embarked on this plan in preparation for the Tokyo 2020 Summer Olympics. The government is afraid that hackers might abuse IoT devices to launch attacks against the Games' IT infrastructure.
Their fear is justified. Russian nation-state hackers deployed the Olympic Destroyer malware before the opening ceremony of the Pyeongchang Winter Olympics held in South Korea in early 2018 as payback after the International Olympic Committee banned hundreds of Russian athletes from competing.
Russian nation-state hackers also built a botnet of home routers and IoT devices --named VPNFilter-- that the Ukrainian intelligence service said they were planning to use to hinder the broadcast of the 2018 UEFA Champions League final that was to be held in Kiev, Ukraine that year.
The Japanese government's decision to log into users' IoT devices has sparked outrage in Japan. Many have argued that this is an unnecessary step, as the same results could be achieved by just sending a security alert to all users, as there's no guarantee that the users found to be using default or easy-to-guess passwords would change their passwords after being notified in private.
However, the government's plan has its technical merits. Many of today's IoT and router botnets are being built by hackers who take over devices with default or easy-to-guess passwords.
- Japan reportedly will stop buying Huawei, ZTE equipment (CNET)
- The Japanese government plans to hack into IoT devices (TechRepublic)
Hackers can also build botnets with the help of exploits and vulnerabilities in router firmware, but the easiest way to assemble a botnet is by collecting the ones that users have failed to secure with custom passwords.
Securing these devices is often a pain, as some expose Telnet or SSH ports online without the users' knowledge, and for which very few users know how to change passwords. Further, other devices also come with secret backdoor accounts that in some cases can't be removed without a firmware update.
We'll be monitoring this survey in the coming months and plan to report on its success or failure.
ZDNet would like to thank our reader Autumn Good for this tip.
- Japan is desperate for Indian techies, but will they bite?
- Japanese cybersecurity minister finds computers a mystery
- Japan makes visitors pay for their biometric info to be collected
More security coverage:
- Hackers are going after Cisco RV320/RV325 routers using a new exploit
- New ransomware strain is locking up Bitcoin mining rigs in China
- Concerns raised about WordPress' new 'White Screen Of Death' protection feature
- Malvertising campaign targets Apple users with malicious code hidden in images
- Chrome API update will kill a bunch of other extensions, not just ad blockers
- Internet experiment goes wrong, takes down a bunch of Linux routers
- California governor signs country's first IoT security law CNET
- Why cryptojacking will become an even larger problem in 2019 TechRepublic