The Japanese governmentapproveda law amendment on Friday that will allow government workers to hack into people's Internet of Things devices as part of an unprecedented survey of insecure IoT devices.
The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.
NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices.
The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices.
The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike.
According to a Ministry of Internal Affairs and Communicationsreport, attacks aimed at IoT devices accounted for two-thirds of all cyber-attacks in 2016.
The Japanese government has embarked on this plan in preparation for the Tokyo 2020 Summer Olympics. The government is afraid that hackers might abuse IoT devices to launch attacks against the Games' IT infrastructure.
Their fear is justified. Russian nation-state hackers deployed themalware before the opening ceremony of the Pyeongchang Winter Olympics held in South Korea in early 2018 as payback after the International Olympic Committee banned hundreds of Russian athletes from competing.
Russian nation-state hackers also built a botnet of home routers and IoT devices --named-- that the Ukrainian intelligence service said they were planning to use to hinder the broadcast of the 2018 UEFA Champions League final that was to be held in Kiev, Ukraine that year.
The Japanese government's decision to log into users' IoT devices has sparked outrage in Japan. Many have argued that this is an unnecessary step, as the same results could be achieved by just sending a security alert to all users, as there's no guarantee that the users found to be using default or easy-to-guess passwords would change their passwords after being notified in private.
However, the government's plan has its technical merits. Many of today's IoT and router botnets are being built by hackers who take over devices with default or easy-to-guess passwords.
Hackers can also build botnets with the help of exploits and vulnerabilities in router firmware, but the easiest way to assemble a botnet is by collecting the ones that users have failed to secure with custom passwords.
Securing these devices is often a pain, as some expose Telnet or SSH ports online without the users' knowledge, and for which very few users know how to change passwords. Further, other devices also come with secret backdoor accounts that in some cases can't be removed without a firmware update.
We'll be monitoring this survey in the coming months and plan to report on its success or failure.