Japan is a tech-loving nation with a vigorous and successful telecommunications industry, as well as an obsession with new technologies and robotics. In particular, the Japanese have a growing love affair with the Internet of Things (IoT). Having a network of connected objects and applications that can communicate and co-operate with each other and with people to make life easier and more convenient seems to be the way of the future. There are over 200 million IoT devices in Japan, including routers, household devices, baby monitors, web cameras, and remote payment systems, all of which are potentially vulnerable to cyberattacks [1].
IoT devices are notorious for their weak security and are a massive target for hackers. Vulnerable default security settings and a lack of security updates to the software mean that hackers can access the IoT devices and ‘weaponize’ them – using them to create distributed denial of service (DDoS) attacks. In October 2016, a piece of malware called Mirai searched the internet for any devices using unsecured Telnet ports. Once it discovered such a device, Mirai used a list of the most common username and password combinations to try to log in. Unsurprisingly, as many people still habitually use easy-to-remember passwords such as 123456, Mirai was able to connect to over 600,000 unprotected devices in just three months [2]. Having so many gadgets at their disposal, the hackers behind Mirai then used their collective computing power as a ‘botnet’ to launch several devastating global DDoS attacks, such as that against the Dyn infrastructure, an attack that almost took out the internet [3].
With Tokyo hosting the Olympics in 2020, the Japanese government considered that the country’s large number of IoT devices could be used against the event. Hackers are infamous for targeting large sporting events. For example, the football World Cup in Brazil in 2014 had its website brought down by a DDoS incident, and thousands of fans suffered phishing attacks, resulting in identity and financial theft [4]. In an effort to tighten cybersecurity before the start of the Games, Japanese officials decided to test IoT weaknesses by hacking their own citizens’ devices.
The legal paperwork needed to perform the mass-hack was passed on 25 January 2019. The operation was carried out by employees of the National Institute of Information and Communications Technology (NICT) and overseen by the Ministry of Internal Affairs and Communications. Their brief was to use passwords from a list of default and easily guessed passwords and to make a list of devices they considered to be insecure. The plan then was to use the list to contact the makers of the devices, asking them to update security on any new products, and also to alert any citizens who used simple or default passwords and ask them to change them to something more secure [5].
The hacking campaign, launched in March 2019, caused both outrage and controversy. Citizens felt that their privacy had been invaded and that the money and effort used by the NICT could have been better spent on a public campaign telling everyone how to make their passwords more secure. Interestingly, security experts also criticized the effort, saying that only the most easy-to-find vulnerabilities were being looked at and that hackers would still be able to exploit other, untested, and unprotected openings. In an interview with TNW, Gavin Millard, VP of intelligence at Tenable, said, ‘… unless they are going to go deeper leveraging a scanning tool like Nessus, it’ll be more PR than actual security improvements’ [6]. There is also a further risk: the list of compromised devices that the Japanese government wants to collect will in itself be a target for hackers.
There has been no further information on the success or otherwise of this campaign. However, in other news, it was announced in May that the Japanese Defense Ministry was seeking to create a cyber-weapon out of malware that would be used to find and destroy other malware and viruses [7]. The US, UK, and Germany, among others, have also created their own cyber-weapons, although it has to be noted that these countries also constantly come under attack from hackers in Russia, China, North Korea, and Iran. So, although Japan has been making efforts to secure the 2020 Olympics against cyberattacks, it remains to be seen just how successful they will be.
1. Bruce Schneier, ‘Japanese Government Will Hack Citizens’ IOT Devices,’ Schneier on Security, 01/28/2019, accessed at https://www.schneier.com/blog/archives/2019/01/japanese_govern.html
2. ‘Inside the Infamous Mirai IoT Botnet: A Retrospective Analysis,’ The Cloudflare Blog, 12/14/2017, accessed at https://blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/
3. Josh Fruhlinger, ‘The Mirai Botnet Explained: How Teen Scammers and CCTV Cameras Almost Brought Down the Internet,’ CSO United Kingdom, 03/09/2018, accessed at https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html
4. ‘Hackers Target Major Sporting Events,’ Excaltech Blog, 09/26/2018, accessed at https://www.excaltech.com/hackers-target-major-sporting-events/
5. ‘Japan Set to Hack Devices of its Own Citizens,’ CISOMag, 01/28/2019, accessed at https://www.cisomag.com/japan-set-to-hack-devices-of-its-own-citizens/
6. Matthew Hughes, ‘Japanese Officials Will Target Millions of IoT Devices to Help Secure the Olympics,’ TNW, 01/28/2019, accessed at https://thenextweb.com/security/2019/01/28/japanese-officials-will-target-millions-of-iot-devices-to-help-secure-the-olympics/
7. Catalin Cimpanu, ‘Japanese Government to Create and Maintain Defensive Malware,’ ZDNet, 05/05/2019, accessed at https://www.zdnet.com/article/japanese-government-to-create-and-maintain-defensive-malware/