On Friday, the Japanese government approved an amendment to the law that would allow government officials to hack people’s Internet of Things devices as part of an unprecedented survey of unsafe IoT devices.
The survey will be conducted by staff of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.
NICT staff will be allowed to use default passwords and password dictionaries to try to log in to Japanese consumers' IoT devices.
The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to the relevant authorities and Internet service providers, so they can take action to warn consumers and secure the devices.
The survey is scheduled to begin next month, when authorities plan to verify the password security of more than 200 million IoT devices, starting with routers and webcams. Devices in people’s homes and in corporate networks will be reviewed in the same way.
According to a report from the Ministry of Internal Affairs and Communications, attacks on IoT devices accounted for two-thirds of all cyber attacks in 2016.
The Japanese government has launched this plan in preparation for the Tokyo 2020 Summer Olympics. The government fears that hackers may use IoT devices to launch attacks on the IT infrastructure of the Games.
Their fear seems justified. Russian nation-state hackers deployed the Olympic Destroyer malware before the opening ceremony of the Winter Olympics in Pyeongchang, South Korea, in early 2018, as payback after the International Olympic Committee banned hundreds of Russian athletes from competing.
Russian nation-state hackers also built a botnet of home routers and IoT devices called VPNFilter, which the Ukrainian intelligence service said they planned to use to disrupt the broadcast of the 2018 UEFA Champions League final, which was to be held in Kiev, Ukraine, that year.
The Japanese government's decision to log in to users' IoT devices has caused outrage in Japan. Many argue that this is an unnecessary step, since the same results could be obtained simply by sending a security warning to all users, as there is no guarantee that users found to be using default or easy-to-guess passwords would change them after being notified in private.
However, the government's plan has its technical merit. Many of today's IoT and router botnets are built by hackers who take over devices with default or easy-to-guess passwords.
Hackers can also build botnets by using vulnerabilities in router firmware, but the easiest way to assemble a botnet is to collect the devices that users have failed to protect with their own passwords.
It is often difficult to secure these devices, as some expose Telnet or SSH ports online without users' knowledge, and very few users know how to change the passwords for them. In addition, other devices come with secret backdoor accounts, which in some cases cannot be removed without a firmware update.
We will continue to follow this survey in the coming months and plan to report on its success or failure.