With the 2020 Tokyo Olympic Games just one year away, Japan isn’t leaving anything to chance. On Friday, the country approved a law that would allow the government to hack into insecure IoT devices, in order to survey the number of easily-hackable gadgets that exist within the country.
The survey will be conducted by employees of the National Institute of Information and Communications Technology (NICT), supervised by staffers from the Ministry of Internal Affairs and Communications.
Perhaps for privacy reasons, the survey is being performed under punishingly strict rules of engagement. Don’t get any ideas of Japanese government hackers firing up Metasploit and using exotic RCE exploits to gain access. The reality is much more boring: NICT employees are only allowed to try default credentials and password dictionaries.
This has raised eyebrows in the security profession. Gavin Millard, VP of intelligence at Tenable, says that the country is likely to find only low-hanging fruit, and will fail to identify a large swathe of vulnerable IoT devices.
“Rather than hacking back, it appears the NICT are going to notify users of exposed devices with simple passwords. A quick Shodan search only finds roughly 1000 devices currently connected in Japan with easily guessed passwords though, so unless they are going to go deeper leveraging a scanning tool like Nessus, it’ll be more PR than actual security improvements,” he said.
The survey is scheduled to take place next month, with an ultimate goal of cataloguing over 200 million IoT devices. NICT plans to start with routers and networked cameras, which makes sense, given the proliferation of these devices and the frequency with which they’re compromised.
Once the government has identified insecure devices, it’ll pass the details on to ISPs and the local authorities, who can then alert consumers.
Japan should be commended for correctly identifying the threat posed by dodgy IoT devices. Hackers have successfully weaponized “smart” devices, thanks to the reality that many ship with insecure default settings, and seldom receive security updates and patches.
IoT devices, both big and small, are regularly weaponized by hackers and used to stage catastrophic distributed denial of service (DDoS) attacks. Remember when someone created a botnet consisting almost entirely of hacked routers and used it to take down half of the Internet? Good times.
That said, I fear Japan’s efforts are unlikely to make much real difference. Compared to the rest of the world, the number of vulnerable IoT devices in Japan is a mere drop in the water. And as we now know, cyber attacks know no borders.