Japanese government plans to hack into citizens’ IoT devices

Japanese government wants to secure IoT devices before Tokyo 2020 Olympics and avoid Olympic Destroyer and VPNFilter-like attacks.
The Japanese government approved a law amendment on Friday that will allow government workers to hack into people’s Internet of Things devices as part of an unprecedented survey of insecure IoT devices.
The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.
NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers’ IoT devices.
The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices.
The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people’s homes and on enterprise networks will be tested alike.
According to a Ministry of Internal Affairs and Communications report, attacks aimed at IoT devices accounted for two-thirds of all cyber-attacks in 2016.
The Japanese government has embarked on this plan in preparation for the Tokyo 2020 Summer Olympics. The government is afraid that hackers might abuse IoT devices to launch attacks against the Games’ IT infrastructure.
Their fear is justified. Russian nation-state hackers deployed the Olympic Destroyer malware before the opening ceremony of the Pyeongchang Winter Olympics held in South Korea in early 2018 as payback after the International Olympic Committee banned hundreds of Russian athletes from competing.
Russian nation-state hackers also built a botnet of home routers and IoT devices –named VPNFilter– that the Ukrainian intelligence service said they were planning to use to hinder the broadcast of the 2018 UEFA Champions League final that was to be held in Kiev, Ukraine that year.
The Japanese government’s decision to log into users’ IoT devices has sparked outrage in Japan. Many have argued that this is an unnecessary step, as the same results could be achieved by just sending a security alert to all users, as there’s no guarantee that the users found to be using default or easy-to-guess passwords would change their passwords after being notified in private.
However, the government’s plan has its technical merits. Many of today’s IoT and router botnets are being built by hackers who take over devices with default or easy-to-guess passwords.
Hackers can also build botnets with the help of exploits and vulnerabilities in router firmware, but the easiest way to assemble a botnet is by collecting the ones that users have failed to secure with custom passwords.
Securing these devices is often a pain, as some expose Telnet or SSH ports online without the users’ knowledge, and for which very few users know how to change passwords. Further, other devices also come with secret backdoor accounts that in some cases can’t be removed without a firmware update.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

* Copy This Password *

* Type Or Paste Password Here *

31,820 Spam Comments Blocked so far by Spam Free Wordpress

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>