In a previous article, we looked at why Japan intended to hack its citizens’ IoT devices. With the country hosting the 2020 Olympic and Paralympic Games, the measure, which is still ongoing, was designed to identify connected devices that were vulnerable to being hacked and infected with viruses. IoT appliances are particularly prone to malware infections. Some malware, such as Mirai, co-opts them into a botnet capable of launching deadly DDoS (distributed denial of service) attacks against companies or government agencies. The initiative was launched in March 2019, despite controversy and fears about privacy. This article looks in more depth at what the Japanese government is attempting to achieve, and also at some of the early results.
Of course, Japan does not use the term ‘hacking’ for this operation, even though it could be considered ethical hacking. Instead, it is being called a survey, and is being conducted by a team from the NICT (National Institute of Information and Communications Technology). Special legislation was passed in order for the government to access and identify IoT gadgets.
To find the unsecured devices, the NICT used a port scan to see whether individual appliances would accept the most commonly used IDs and passwords. The NICT’s implementation plan listed around 100 combinations of these easily guessed credentials, including ‘admin,’ ‘111111,’ ‘123456,’ and ‘user.’ Once such a device is found, it is identified with the model name, IP address, time stamp, and port number, and that information is passed to the relevant ISP. It is the ISP’s responsibility to pinpoint the user and inform them of the vulnerability and how to fix it.
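The hand-off step described above, in which each finding (model name, IP address, time stamp, port number) goes to the ISP responsible for that address, can be sketched as follows. This is an added example, not NICT's code: the ISP names, the prefix allocations (RFC 5737 documentation ranges), the sample findings and the de-duplication rule are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed allocations: hypothetical ISP names, RFC 5737 documentation ranges.
ISP_PREFIXES = {
    "isp-a.example": ["192.0.2.0/24", "198.51.100.0/25"],
    "isp-b.example": ["198.51.100.128/25"],
    "isp-c.example": ["203.0.113.0/24"],
}

# Constructed findings carrying the four fields the article lists.
FINDINGS = [
    {"model": "cam-x1", "ip": "192.0.2.17", "timestamp": "2019-06-03T02:14:00+09:00", "port": 23},
    {"model": "router-r2", "ip": "198.51.100.200", "timestamp": "2019-06-03T02:15:10+09:00", "port": 80},
    {"model": "dvr-d9", "ip": "198.51.100.5", "timestamp": "2019-06-03T02:16:45+09:00", "port": 23},
    {"model": "cam-x1", "ip": "192.0.2.17", "timestamp": "2019-06-04T02:14:00+09:00", "port": 23},
    {"model": "nas-n4", "ip": "10.0.0.8", "timestamp": "2019-06-04T03:00:00+09:00", "port": 22},
]

def build_table(isp_prefixes):
    """Flatten the allocations into (network, isp) pairs, most specific first."""
    table = [(ipaddress.ip_network(p), isp) for isp, ps in isp_prefixes.items() for p in ps]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)

def owning_isp(ip, table):
    """Longest-prefix match; None when no participating ISP holds the address."""
    addr = ipaddress.ip_address(ip)
    return next((isp for net, isp in table if addr in net), None)

def route_findings(findings, isp_prefixes):
    """Group findings per ISP, keeping the earliest sighting of each (ip, port)."""
    table = build_table(isp_prefixes)
    batches, unrouted = defaultdict(dict), []
    # Timestamps share one ISO 8601 format and offset, so string order is time order.
    for f in sorted(findings, key=lambda f: f["timestamp"]):
        isp = owning_isp(f["ip"], table)
        if isp is None:
            unrouted.append(f)  # address outside every participating ISP
            continue
        batches[isp].setdefault((f["ip"], f["port"]), f)
    return {isp: list(seen.values()) for isp, seen in batches.items()}, unrouted

if __name__ == "__main__":
    batches, unrouted = route_findings(FINDINGS, ISP_PREFIXES)
    for isp, items in sorted(batches.items()):
        print(isp, [(f["ip"], f["port"], f["model"]) for f in items])
    print("unrouted:", [f["ip"] for f in unrouted])
```

Findings whose address belongs to no participating ISP stay in the unrouted list, which is one reason the number of participating ISPs matters to how many users can actually be alerted.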
The devices being tested all use global IPv4 addresses allocated to Japan. There are approximately 200 million of these in existence. The survey itself is carried out automatically by a computer program but is overseen by NICT employees. The Ministry has assured citizens in its ‘Notice – National Operations Towards IoT Clean Environment’ that the security measures used are ‘of the same strictness as measures required for highly confidential information handled by the government.’1 These include the requirement of multi-factor authentication (including biometrics) upon accessing areas in which the data is being processed. There are also infiltration detection systems and firewalls in place, which make it impossible for any outside source to connect to the servers handling the information. In addition, the government stated that no content concerning private communications was ‘gathered, used or leaked.’2
The results of the survey, up to September 2019, have now been published on the Ministry of Internal Affairs and Communications website. They are divided into figures for the first and second quarter of 2019 and are as follows:
First quarter:
Participating ISPs – 33
IP addresses surveyed – 90 million
The number of IP addresses where an ID and password could be entered – 42,000
The number alerted to the vulnerability – 147
Cases per day notified to the ISP – 112-155
Second quarter:
Participating ISPs – 34
IP addresses surveyed – 100 million
The number of IP addresses where an ID and password could be entered – 98,000
The number alerted to the vulnerability – 505
Cases per day notified to the ISP – 80-559
The report concludes that, as things currently stand, only a small proportion of the IoT devices surveyed have IDs and passwords that can be easily guessed or are already infected with malware. However, NICT and the Ministry are continuing with the process and are hoping to bring more ISPs on board.3 They also plan to publish further results at a later date.
- ‘Notice’ FAQ, Ministry of Internal Affairs and Communications, accessed at https://notice.go.jp/en
- ‘Alerting Users of Vulnerable IoT Devices and IoT Devices Infected With Malware (Q2 2019),’ Ministry of Internal Affairs and Communications, accessed at https://www.soumu.go.jp/menu_news/s-news/01cyber01_02000001_00043.html#pTop