Last week, the Japanese government approved a law amendment that will allow its employees to hack into people’s Internet of Things (IoT) devices as part of an unprecedented survey of insecure IoT devices.
The government reportedly wants to secure IoT devices before the Tokyo 2020 Summer Olympics to avoid Olympic Destroyer and similar attacks.
Employees of the Japanese National Institute of Information and Communications Technology (NICT), under the supervision of the Ministry of Internal Affairs and Communications, will be allowed to use password dictionaries and default passwords to attempt to log into consumers’ IoT devices. The result of the survey should be a list of insecure IoT devices in Japan, which will enable the authorities and internet service providers to take measures and secure the devices.
“Since the IoT industry is in its infancy, almost all of the devices have the potential to become cybersecurity risks. In a rush to get them into the market, most manufacturers are ignoring the security side. From this point of view, the Japanese government’s concern has merit,” says Daniel Markuson, Digital Privacy Expert at NordVPN.
“However, it is understandable why this amendment has sparked outrage in Japan. It seems like an excessive measure, as the same results could be achieved by sending a security alert to all users or informing people via media. It is also not completely clear what other sensitive data might be collected during the survey and how it will be handled.”
Daniel Markuson, Digital Privacy Expert at NordVPN, recommends that all IoT owners living in Japan take security measures upfront, before the survey begins:
- Change passwords. Default factory passwords should be changed to strong ones, containing capital letters, numbers and symbols. Passwords should be different for each device.
- Update all devices. Manufacturers often fix critical security vulnerabilities with updates.
- Create an offline WiFi LAN. Most IoT devices can operate on a LAN (local-area network). Such a local network can connect smart devices inside one’s home without the need to connect to the internet.
- Secure the router. Some routers can support VPN encryption. A router with a VPN allows IoT devices in an office or home to be connected, but no incoming communication with them will be possible. This may be inconvenient if the user wants to control IoT devices remotely, though.
It is estimated that over 200 million private and business-owned IoT devices, such as web cameras and routers, will be tested in Japan. The survey should start next month.
The Olympic Destroyer malware was deployed before the opening ceremony of the Pyeongchang Winter Olympics in South Korea in 2018 by Russian hackers. A similar attempt to build a botnet of IoT devices and home routers was noticed before the 2018 UEFA Champions League final that was to be held in Ukraine.