The Japanese government plans to access consumer Internet of Things (IoT) devices that are either unsecured or secured using factory default username and password combinations and alert owners to change their passwords, according to NHK. The audit, which required special legal authorization, will be conducted in coordination with the National Institute of Information and Communications Technology (NICT) under the direction of the Ministry of Internal Affairs and Communications (MIC), alongside internet service providers.
In essence, the plan is to compile a list of default and obvious, easy-to-guess passwords to provide to ISPs to apply against devices connected to subscriber accounts. Japanese internet access is bifurcated: the wireline infrastructure is provided by semi-national telecom NTT, though actual ISP service can be provided by NTT or third parties, such as Asahi Net or IIJ. It is unclear whether the burden of performing these checks will fall on NTT as the wireline operator or on individual ISPs.
ZDNet’s Catalin Cimpanu covers the danger unsecured IoT devices pose, as well as attacks that leverage unsecured IoT devices in an attempt to disrupt sporting events, most notably those during the 2018 Pyeongchang Winter Olympic Games, and the UEFA Champions League in Kiev, Ukraine the same year. Fears of similar attacks are high, particularly in advance of the 2020 Tokyo Olympic Games. The government’s plan to audit consumer IoT devices for insecurity is a notably salient (if potentially heavy-handed) one, considering the involvement of Yoshitaka Sakurada, who made headlines last year for indicating he didn’t use a computer, and appeared confused when asked basic cybersecurity questions.
Japan does have a problem with unsecured IoT devices, with thousands of IP cameras accessible with no authentication via Insecam. Requiring vendors to force use of non-default passwords would be a useful measure for the future, but does nothing for already-deployed devices.
This type of approach is unlikely to gain traction stateside due to legal measures preventing government search of devices without a warrant. Device insecurity would seemingly fall short of probable cause, making it unlikely that a judge would issue a warrant sweeping enough to enable this type of strategy. Likewise, any attempt at this strategy stateside would be swiftly met with lawsuits for a litany of privacy and procedural reasons.
That said, ensuring that IoT devices are protected with a strong password and use the latest available firmware is paramount for device security.
The big takeaways for tech leaders:
- IoT devices have been used in attacks ahead of the Pyeongchang Winter Olympic Games, and the UEFA Champions League in 2018.
- The Japanese government plans to access unsecured IoT devices in efforts to force users to change their passwords. Legal issues effectively prevent the US government from taking similar actions.