The government’s plan to hack IoT devices already installed in Japan is likely to expose the uncomfortable truth known to many experts but unknown to most consumers: Many IoT devices in use are vulnerable to cyberattacks.
In mid-February, the Japanese government plans to start openly hacking more than 200 million IoT devices already installed at home and elsewhere in Japan.
The government’s plan — announced a week ago — is likely to expose the uncomfortable truth known to many experts but unknown to most consumers: Many IoT devices in use are vulnerable to cyberattacks.
Insecurity in IoT is triggered by many factors — including consumer indifference and inaction. First, too often consumers don’t bother to change the initial settings in an IoT device after purchase and installation. Second, peer-to-peer communication among IoT devices, by nature, remains unchecked and unsupervised. Third, service providers aren’t pushing automated firmware updates frequently enough.
While security experts hail the Japanese government plan as a necessary step, many Japanese media reports have balked, criticizing the heavy hand of the government.
Critics call the action a violation of citizens’ privacy. Indeed, who is comfortable with the idea of the government peering into every personal life? Second, most people don’t trust the government to keep the collected data safe. How could anyone be sure the government won’t expose some data — even unwittingly? Finally, the Japanese harbor the undeniable fear that Japan is becoming a surveillance nation in the name of public safety. Is Japan becoming China?
In its public announcement, the National Institute of Information and Communications Technology (NICT) said it will use default passwords and other tactics to attempt hacks of randomly-selected IoT devices, seeking to compile a list of vulnerable devices.
NICT will then share the information with Internet service providers, who will be advised to alert consumers and to secure the devices. The government has not specified the targeted IoT devices, but it will most likely start with routers and webcams. The NICT said the program could last for up to five years.
Of course, Japan’s government has a perfect cover. Its excuse for this Big Brother escalation is the Tokyo Olympics in 2020.
In any major international event like the World Cup or Olympics, it is not unusual to see security experts and government agencies issuing a flurry of cybersecurity alerts. The Mirai attack is also fresh in the national memory. In that case, malware turned networked devices running Linux into remotely controlled bots, which became a botnet for large-scale network attacks. Mirai’s primary targets were online consumer devices such as IP cameras and home routers.
Tanner Johnson, a cybersecurity analyst focused on IoT and transformative technologies at IHS Markit, sees the Japanese government’s hacking plan as “a simple proactive precaution.”
He told us, “Such an event as the Olympics is guaranteed to result in an influx of millions of individuals to the country, which raises some overall security concerns.” He noted, “Technologically naïve or ignorant individuals can put tangential systems they may be connected to at risk if they are targeted. Hackers don’t go after the strongest individuals within a connected group, as it is too much effort. They target the weakest members in order to infiltrate the entire herd.”
Still, skeptics ask if the plan is simply a drill for the Olympics or if it might serve other purposes for the government.
Asked by EE Times about the Japanese government hack plan, Gaku Ogura, country manager of AnyConnect, raised a question: “If this is to tighten the security in the run-up to the Tokyo Olympics, I wonder why the government is saying that this program could last up to five years.”
Why five years?
AnyConnect offers a platform designed to enable device makers and service providers to develop and manage IoT video devices, including connected and embedded cameras. Ogura acknowledged that in many cases Japanese consumers don’t take the elementary step of changing the default passwords on their Internet-connected devices.
Other observers suspect that the Japanese government might really be trying to find out what’s going on with the Huawei technologies used in networks and network equipment.
Of course, there are countless reasons for such a test to be conducted. While declining to predict all the contingencies being addressed by such a test, Johnson explained that it is “not out of the question” for such a test to be designed “to collect data on specific devices or gaining in-depth analytics on the behavior of those devices.”
David Uze, CEO of Trillium Secure Inc., told us, “Trillium applauds the efforts and investment the Japanese government is making to protect its citizenry and audiences in preparation for the 2020 Olympics in Tokyo.” Trillium, based in San Diego and in Japan, offers automotive cybersecurity and mobility solutions for connected and autonomous vehicles.
Uze believes this type of audit will be mandated by governments globally for safety and security concerns associated with connected and autonomous vehicles. “It is absolutely imperative that vehicles are certifiably safe and secure,” Uze said.
Is Japan the first?
It is debatable if Japan is the first nation in the world to initiate a broad government-sponsored random hack on IoT devices. IHS analyst Johnson told us, “I can think of dozens of nations that have likely already conducted similar tests, but they are unlikely to announce their efforts, as such acts are prone to result in backlash, and cries of government intrusion into personal privacy.”
In preparation for this planned hack, the Japanese government already changed the law to ensure that the NICT “survey” is not illegal.
But will such a survey prove effective? Johnson said, “I think if conducted properly, the individuals with weak credentials are effectively notified, and there is some measure of follow-up, a test such as this could be very effective at reducing the number of vulnerable devices in the region.”
Johnson also cited the downside. “Blowback could take the form of cries of intrusion of personal privacy. Additional concerns could be raised regarding the lack of ‘consent’ that is normally required for any type of penetration testing.”
What would be the impact on IoT chips and system suppliers? Johnson described this as negligible. “OEMs know many of their users have limited knowledge of security, with even less patience to maintain it, and so design their products to be connected as easily as possible,” he explained. “Even those manufacturers who have additional security measures installed on their devices ultimately require the end user to activate or utilize them.”
If anything, the Japanese government’s announcement of its planned IoT device penetration is a good reminder that many citizens everywhere are already trading privacy for the convenience of IoT devices. Indeed, the privacy train has apparently left the station a long time ago, especially in the United States. Nevertheless, it’s unlikely that the U.S. government could pull off a stunt similar to what Japan is doing. The irony, however, is that many Americans who deeply distrust their government willingly allow non-governmental companies such as Facebook and Google to use their data with no disclosure or accountability.
— Junko Yoshida, Global Co-Editor-In-Chief, AspenCore Media, Chief International Correspondent, EE Times