Earlier this year, the Japanese government launched a campaign in which it hacked into citizens’ IoT (Internet of Things) devices to see how secure the technology is.
The plan was to compile a list of devices that use simple, default passwords and pass it on to authorities and relevant Internet service providers to help achieve better security.
It’s a noble cause – anyone who wants to address information security should be commended – but the plan seems excessive and perhaps even dangerous.
What’s the big idea?
Starting in March, employees at the National Institute of Information and Communications Technology were allowed to use default passwords to try to break into Japanese consumers’ IoT devices.
The test has encompassed more than 200 devices, including things like routers, webcams and Internet-connected appliances.
Once the test is complete, the government will tell the IoT providers about their vulnerabilities and instruct them to address the issues.
You can understand Japan’s eagerness to address IoT security. The Ministry of Internal Affairs and Communications reported that two thirds of all cyber attacks in 2016 were aimed at such devices.
Meanwhile, the country is preparing for next year’s Tokyo Olympics, which will almost certainly be targeted by criminal hackers, as sports events have become a hotbed of cyber crime.
The England football team was one of several warned about cyber attacks during the 2018 World Cup (although the only breach was caused by a journalist). Those watching this year’s Super Bowl and Cricket World Cup online were warned about identity theft, and the 2018 Winter Olympics website was disrupted following a malware attack.
It therefore makes sense to get ahead of the problem and address security vulnerabilities as a matter of urgency. But surely there’s a better way than deliberately hacking citizens.
Hacking Peter to pay Paul
There are several things to be concerned about with the Japanese government’s plan. For one, it’s an awful lot of risky work for minimal results.
Almost every IoT provider has vulnerabilities, and they should be conducting regular penetration tests and vulnerability scans to detect them. The government survey is in all likelihood simply repeating this process – except it’s doing it in a clumsily intrusive way.
After all, if an employee hacks a customer’s account, it’s a privacy breach. It doesn’t matter if the attack was done as part of a security survey; it’s still someone accessing information that they shouldn’t.
And who’s to say the employee who breaks into the account is well-intentioned? Insiders are one of the biggest security threats, because it’s tempting to misuse sensitive information given how valuable it is and how easily such misuse is perceived as a victimless crime.
But there’s an even bigger security risk. The government publicly announced that it would be compiling a list of known vulnerabilities. What are the chances that criminal hackers are going to target the government to access this information?
With a comprehensive list of vulnerable IoT devices in Japan and the password-creation rules those devices use, fraudsters could cause devastating damage.
The survey has sparked outrage in Japan, with citizens asking why the government didn’t simply send a security alert reminding users to strengthen their passwords.
The solution isn’t as simple as that – there are other threats besides password strength (such as default passwords and whether users are required to change them) – but the complaints are along the right lines.
A less highly publicised approach, such as a security alert combined with a committee meeting with IoT providers, would have been a more discreet solution. Citizens would be reminded to address their password security, and the government would have been able to advise IoT providers on the way they should be tackling cyber security concerns.