Japanese Government Will Hack Citizens' IoT Devices

The Japanese government is going to run penetration tests against all the IoT devices in their country, in an effort to (1) figure out what's insecure, and (2) help consumers secure them:

The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike.

[...]

The Japanese government's decision to log into users' IoT devices has sparked outrage in Japan. Many have argued that this is an unnecessary step, as the same results could be achieved by just sending a security alert to all users, as there's no guarantee that the users found to be using default or easy-to-guess passwords would change their passwords after being notified in private.

However, the government's plan has its technical merits. Many of today's IoT and router botnets are being built by hackers who take over devices with default or easy-to-guess passwords.

Hackers can also build botnets with the help of exploits and vulnerabilities in router firmware, but the easiest way to assemble a botnet is by collecting the ones that users have failed to secure with custom passwords.

Securing these devices is often a pain, as some expose Telnet or SSH ports online without the users' knowledge, and for which very few users know how to change passwords. Further, other devices also come with secret backdoor accounts that in some cases can't be removed without a firmware update.

I am interested in the results of this survey. Japan isn't very different from other industrialized nations in this regard, so their findings will be general. I am less optimistic about the country's ability to secure all of this stuff -- especially before the 2020 Summer Olympics.

Posted on January 28, 2019 at 1:40 PM • 17 Comments

Comments

albert • January 28, 2019 3:27 PM

"...The Japanese government's decision to log into users' IoT devices has sparked outrage in Japan...."

I could see how savvy, security-oriented users might be upset, but what about the majority of users? What have they got to complain about?

What I'd like to see is a follow up after the test, where the gov't gets tough with the manufacturers of IoT junk. Perhaps blocking imports by the makers of such junk. It's easy enough to force Japanese makers to toe the line.
. .. . .. --- ....

Vesselin Bontchev • January 28, 2019 3:35 PM

"What could possibly go wrong?", #YOLO, and other brilliant ideas from the Japanese cybersecurity minister who doesn't even use computers.

Clark Gaylord • January 28, 2019 3:44 PM

Reminds me of the disclaimer I put on our first captured portal system (paraphrase): "You are accessing the Internet. You will be scanned. Some of that scanning might be us."

I don't see where the Japanese government are using any undue leverage or privilege. They're simply doing for public good what is already being done by untold attackers. Packets happen.

Wha • January 28, 2019 4:00 PM

Which other (first world) industrialized nations have legalized the ability for their local security/enforcement officials to hack into civilian devices? This is pretty alarming to me.

Clive Robinson • January 28, 2019 5:16 PM

@ Vesselin Bontchev,

"the Japanese cybersecurity minister who doesn't even use computers."

Nor as we have been led to believe, does Pres Putin and friends, good old manual typewriters, are your friend when your privacy is what you would like to keep.

Just remember to lock up the ribbons and used carbon papers (if you are old enough to have actually used such a shoulder building beast ;-)

Impossibly Stupid • January 28, 2019 5:19 PM

I'd complain for the same reasons I don't want to be randomly strip searched under the guise of "you've got nothing to fear if you've got nothing to hide". Live testing their network at a snapshot in time is a brain-dead way to approach the problem. If they have legitimate concerns about particular devices, they should first be doing a name-and-shame education campaign. Follow that by an opt-in scan, so that users can control when they get hammered by the traffic. Then start a program that will fine people running insecure networks, and reward people that report attacks (regardless of whether the source is a hacked IoT device). Only if none of those incentives work should they consider just trying to bust in to people's private property.

I'd personally love to be getting, say, ten bucks for reporting every hack attempt that comes in from a Japanese IP address. As it stands they (like absolutely every other NOC it seems) don't really give a damn about the abuse they're responsible for. So I just dump their IP ranges in my firewall whenever an attack occurs. I'll take them seriously when they put their money where their mouth is.

Otherwise, it would be a good idea for hackers to sync up their scans of Japanese networks to match the timeline of the government ones. Hide in the volume and maybe get ahead of their efforts to lock things down. How long before we hear a story about scammers impersonating security officials and phishing some marks to gain access to their network? How long before we hear the government list of live vulnerable devices has been leaked/sold to nefarious individuals? Major SNAFU in the making.

Clive Robinson • January 28, 2019 5:45 PM

@ Bruce,

"The Japanese government is going to run penetration tests against all the IoT devices in their country"

No, they will miss quite a few, and also penetrate others not in Japan's jurisdiction.

That as they say is just the way the Internet is, IP addresses and geo-location addresses do not have to have any commonality.

I used to work in Chiswick in West London just around the corner from the Barley Mow. My IP address was according to every "internet tool" then available in Boston MA.

A few years before that I worked for an AT&T subsidiary, opposite Chelsea Market, (fairly close to where is now, http://www.ppnoodlebar.com ) again my "world location" appeared in the US.

But it's not just layer 0 routing which moves things around unexpectedly, VPN's and even misconfigured border gateway protocol routers can have a similar effect.

This is not to say that I think what Japan is planning to do "legally" is any different to what many other nations do clandestinely. Or as in the UK and Australia they care not one whit what jurisdiction you are in. With the UK RIPA they reserve the right to attack any machine that can be reached from any network public or private in the UK. Which if you think about it also includes "air gapped" machines that have had appropriate malware installed by whatever means...

I guess we are going to have to wait and see what they do after the 2020 closing ceremonies...

Whacky Japan strikes again • January 28, 2019 6:49 PM

Except it really doesn't.

Citing a zdnet article using badly translated slides is not a good idea.

Japan has 99 issues with security but hacking its own citizens ain't one of them. Like most other countries there are laws punishing intrusion into others' systems and the personal information protection law is very tough, at least on paper. The tests are to be conducted on test benches and non-citizen devices, like any penetration test...

Last but not least, disregarding the legal aspects, it's hard to see how they would have the technical capacity to do such a feat. A lot of security "experts" in Japan only know how to do scans and that's about it. Maybe somebody discovered Nessus can do default credential scans?

gordo • January 28, 2019 7:32 PM

From NHK WORLD - JAPAN
Govt. to access home devices in security survey
January 25, 2019

A revised law that went into effect last November gives the institute the authority to gain access to people's devices over a five-year period.

[...]

Institute of Information Security professor Harumichi Yuasa said it's possible that researchers might unintentionally gain access to webcam images or stored data.

He said this would violate the device owners' constitutional right to privacy if their identities were revealed.

The institute says it will keep under wraps any data obtained in the survey.

Institute researcher Daisuke Inoue says the project's aim is to increase the safety and security of people's devices. He says the institute will ensure that no data is leaked.

https://www3.nhk.or.jp/nhkworld/en/news/20190125_44/

Phaete • January 28, 2019 8:10 PM

Nice effort.
Good that they alert about it beforehand, too many have been caught peeking and try to play that card afterwards.

I think the task might be offloaded to the ISP later on, like what mine does with open relay mail servers.
They regularly scan and any open relay mail server will be either port blocked (business lines) or connection disabled (customer lines) within 24h.
If customers have huge amounts of traffic on known virus ports, they get an email and 72 hours to clean before disconnect. Others have a scheme where only https(s) works and they get a forced starting page alerting them to the issue.
So an ISP can have a role here, they are already 'helping' customers to prevent them (and the network) to be weaponised.
Of course, all nicely detailed in specs/contract etc.

Wasabi • January 28, 2019 8:54 PM

@Bruce

Thanks for covering this.

As a security professional in Japan, I feel this is pretty crazy that this was even authorized and publicized. This would be the perfect opportunity for any cyber criminal to attack in the guise of NICT. Furthermore the residual risks if an attacker or insider were able to get the data harvested. From what I'm reading, seems the ISPs may be involved in this as well. Not too sure if Enterprises will be targeted but I don't see how they would distinguish commercial and enterprise users.

As I said in the squid post comment, I'm not too sure if I should be relieved for free pen testing or terrified.

D • January 28, 2019 11:39 PM

It's really quite extraordinary. For better or worse. One could compile a list of things to go wrong. Several have been mentioned here.
California passed a law banning default passwords in IoT.

D • January 28, 2019 11:41 PM

Sorry, California is a State in a place called the United States, which is a country in North America (it's near Mexico)

Whacky Japan strikes again • January 29, 2019 3:30 AM

Yeah right, the guy responsible for this is quoted on the NICT website saying things such as "Since the scans are transmitted over the entire Internet, they reach all IP addresses, even unused IP addresses, i.e., the darknet." and "The port number determines the type of service being accessed on the Internet. Port 23 is used for Telnet, a communication protocol established in the 1980s that lets a user access a server over a network. Cyberattacks gain access to IoT devices via this port."
Seems to me they are just selling the NICTER project, an in-house developed thing that "monitors the darkweb".
Gotta get those juicy research credits.

This is further described here: https://www.nict.go.jp/en/data/nict-news/NICT_NEWS_2018-472_E.pdf

Trust a website on a security project (www.nicter.jp) that requires Adobe flash player to function properly and which does not support forward secrecy.

me • January 29, 2019 5:54 AM

This is awesome!!!!
if well done it can actually secure the devices:
1- they test devices
2- they log insecure devices ip
3- since they are the gov they can ask isp who is behind that ip
4- since they are the gov they know where that person lives
5- they can send a letter asking to fix that device as soon as possible (change password, throw it away/sue the company)
they also explain the problem, the impact and how to solve it.

for example:
"we found that your camera is insecure, anyone can watch your home from anywhere, to solve it change your password, if you don't know how check the gov website here"

Thursday • January 31, 2019 9:38 PM

How do you say in Japanese?.. “You’ve just crossed over into the Twilight Zone.”

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.