The government’s plan — announced a week ago — is likely to expose the uncomfortable truth known to many experts but unknown to most consumers: Many IoT devices in use are vulnerable to cyberattacks.
Insecurity in IoT is triggered by many factors — including consumer indifference and inaction. First, consumers too often don’t bother to change the initial settings in an IoT device after purchase and installation. Second, peer-to-peer communication among IoT devices, by nature, remains unchecked and unsupervised. Third, service providers aren’t doing automated updates of firmware frequently enough.
While security experts hail the Japanese government plan as a necessary step, many Japanese media reports have balked, criticizing the heavy hand of the government.
Critics call the action a violation of citizens’ privacy. Indeed, who is comfortable with the idea of the government peering into every personal life? Second, most people don’t trust the government to keep the collected data safe. How could anyone be sure the government won’t expose some data — even unwittingly? Finally, the Japanese harbor the undeniable fear that Japan is becoming a surveillance nation in the name of public safety. Is Japan becoming China?
In its public announcement, the National Institute of Information and Communications Technology (NICT) said it will use default passwords and other tactics to attempt hacks of randomly selected IoT devices, seeking to compile a list of vulnerable devices.
NICT will then share the information with Internet service providers, who will be advised to alert consumers and to secure the devices. The government has not specified the targeted IoT devices, but it will most likely start with routers and webcams. The NICT said the program could last for up to five years.
Of course, Japan’s government has a perfect cover. Its excuse for this Big Brother escalation is the Tokyo Olympics in 2020.
In any major international event like the World Cup or Olympics, it is not unusual to see security experts and government agencies issuing a flurry of cybersecurity alerts. The Mirai attack is also fresh in the national memory. In that case, malware turned networked devices running Linux into remotely controlled bots, which became a botnet for large-scale network attacks. Mirai’s primary targets were online consumer devices such as IP cameras and home routers.
Tanner Johnson, a cybersecurity analyst focused on IoT and transformative technologies at IHS Markit, sees the Japanese government’s hacking plan as “a simple proactive precaution.”
He told us, “Such an event as the Olympics, which is guaranteed to result in an influx of millions of individuals to the country, raises some overall security concerns.” He noted, “Technologically naïve or ignorant individuals can put tangential systems they may be connected to at risk if they are targeted. Hackers don’t go after the strongest individuals within a connected group, as it is too much effort. They target the weakest members in order to infiltrate the entire herd.”
Still, skeptics ask if the plan is simply a drill for the Olympics or if it might serve other purposes for the government.
Asked by EE Times about the Japanese government hack plan, Gaku Ogura, country manager of AnyConnect, raised a question: “If this is to tighten the security in the run-up to the Tokyo Olympics, I wonder why the government is saying that this program could last up to five years.”
Why five years?
AnyConnect offers a platform designed to enable device makers and service providers to develop and manage IoT video devices, including connected and embedded cameras. Ogura acknowledged that in many cases Japanese consumers don’t take the elementary step of changing the default passwords of their Internet-connected devices.
Other observers suspect that the Japanese government might really be trying to find out what’s going on with the Huawei technologies used in networks and network equipment.