Japan has taken a pretty unorthodox step, and decided to target its own citizens with IoT cyberattacks, ostensibly to wake the population up to the threat posed by their own devices. The National Institute of ICT (NICT) is drawing a lot of flak, unsurprisingly, but does a government have any effective alternative given the state of affairs?
The answer is, in our view, no – definitely in the short-term at least. Over time, the chipsets and the stacks controlling them might end up with the capability to self-regulate, but in this age of shoddy passwords, hard-coded credentials, and woefully insecure web applications, the NICT’s most effective recourse might just be attacking the citizenry.
The NICT thinks there are 200mn such devices in the country, many of which will still be using the account credentials they were sold with. There has been much weeping, wailing, and gnashing of teeth in the Japanese media, and it is certainly fair to consider this a gross overreach of the government’s power and responsibilities. However, many believe that it’s the only way things are going to get better, and if you take the view that these insecure devices are a weapon waiting to fall into the hands of criminals or geopolitical rivals, then the government seems to have a decent moral high ground on which to stand.
Consider too whether you would prefer to be hacked by your own government, ostensibly for your own good, or by a criminal enterprise that hoovered up sensitive personal data and used it to empty a bank account one day. With homes increasingly filling up with connected cameras and alarm systems, criminal surveillance is as pressing a concern as authoritarian surveillance, and if the easiest recourse is to rip the bandage off now and prevent future injury, then perhaps so be it.
California’s law is one way to try to solve that issue, ensuring that newly sold devices can’t be hijacked using default passwords, but the recent Nest ‘hacks’ have shown that as long as consumers re-use passwords among their many online accounts, then there’s a risk that they can be commandeered by ne’er-do-wells. As such, the bigger issue may just be passwords themselves. Password managers are a useful tool, but only a tiny fraction of consumers are ever going to start using them routinely in their daily lives.
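To make the California requirement concrete from the device maker's side, here is an added illustration (not code from the article, the NICT, or any vendor) of the two acceptable designs: a factory password that is unique per unit, or a shared factory password that the device refuses to keep using until the owner sets a new one on first login. The default-credential list, the provisioning record format, and the `DeviceAccount` class are all constructed for this example; a real firmware would store the hash in flash and rate-limit login attempts, which is omitted here.

```python
import hashlib
import hmac
import secrets

# Constructed sample of well-known factory defaults. This is illustrative
# only and is not the NICT's dictionary or any vendor's real default list.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", ""),
}
MIN_PASSWORD_LEN = 8


def is_default_credential(username: str, password: str) -> bool:
    """True if the pair is one of the well-known factory defaults."""
    return (username, password) in KNOWN_DEFAULTS


def generate_unique_device_password(nbytes: int = 12) -> str:
    """Per-unit factory password, the kind printed on the device label."""
    return secrets.token_urlsafe(nbytes)


def check_provisioning(record: dict) -> list:
    """Return policy violations for a constructed provisioning record.

    A record is compliant when its factory credential is not a known default,
    is long enough, and is either unique per unit or forcibly changed on the
    first login (the two alternatives the California rule allows).
    """
    problems = []
    user, pw = record["username"], record["password"]
    if is_default_credential(user, pw):
        problems.append("factory credential is a well-known default")
    if record.get("shared_across_units") and not record.get("force_change_on_first_login"):
        problems.append("shared factory password without forced change on first login")
    if len(pw) < MIN_PASSWORD_LEN:
        problems.append("factory password shorter than %d characters" % MIN_PASSWORD_LEN)
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAccount:
    """Login gate that refuses normal operation until a shared factory
    password has been replaced (the 'forced change' design)."""

    def __init__(self, username: str, factory_password: str, force_change: bool):
        self.username = username
        self._salt = secrets.token_bytes(16)
        self._hash = _hash(factory_password, self._salt)
        self.must_change = force_change

    def _matches(self, password: str) -> bool:
        return hmac.compare_digest(self._hash, _hash(password, self._salt))

    def login(self, username: str, password: str) -> str:
        """Returns 'denied', 'change_required' or 'ok'."""
        if username != self.username or not self._matches(password):
            return "denied"
        if self.must_change:
            return "change_required"
        return "ok"

    def change_password(self, old: str, new: str) -> None:
        if not self._matches(old):
            raise PermissionError("current password does not match")
        if is_default_credential(self.username, new) or len(new) < MIN_PASSWORD_LEN:
            raise ValueError("new password is a known default or too short")
        self._salt = secrets.token_bytes(16)
        self._hash = _hash(new, self._salt)
        self.must_change = False


if __name__ == "__main__":
    bad = {"username": "admin", "password": "admin", "shared_across_units": True,
           "force_change_on_first_login": False}
    print(check_provisioning(bad))
    acct = DeviceAccount("admin", "admin", force_change=True)
    print(acct.login("admin", "admin"))  # change_required
```

The `check_provisioning` call models the audit a manufacturer (or a regulator) would run over a product's provisioning records before shipment, while `DeviceAccount` models the runtime behaviour that stops a shared default from ever being usable for more than the one password-change step.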
The NICT cites the upcoming 2020 Tokyo Olympics as a driver behind this initiative. It says that the project could last as much as five years, but has not specified the sorts of devices it will begin targeting, nor how it will know for sure that the devices are actually inside its territory. As amusing as an international incident regarding an exposed webcam might be, there would be a considerable amount of irony if this proactive measure kicked off a proper cyberwar.
But that is exactly the fear – that the devices in Japan could be used to do harm to the country itself. London mounted anti-aircraft missiles on tower-blocks, so perhaps Japan hacking webcams is not such a big deal. A roving Mirai botnet could devastate transport or services within Japan, and in such heavily urbanized centers where the Olympic events are going to take place, there’s a real risk that things get a bit Fyre-Festival, if a rival nation’s cyberwarfare teams are determined enough.
So the NICT hopes to alert device owners to their security holes, in the hopes that the owner will take steps to rectify the problem before the bad guys try. Notably, it hasn’t exactly outlined how it will do this. If it’s a case of simply finding the email address associated with the controlling account, then it’s just a case of firing over an email. If it’s something more complicated, like putting warnings on the screen of the device, renaming the WiFi network, or tuning the TV or radio to a channel that blares their security failings, then this sounds like quite a lot of work for the NICT.
Unsurprisingly, it has taken very little time for the conspiracy theorists to emerge out of the woodwork. Through the rustling of their tinfoil hats, the concern that this is actually a way to create a dangerously authoritarian surveillance regime is heard, fueled by the scant detail of the NICT’s plan, and the fact that a project for the 2020 Olympics has a five-year lifetime.
Perhaps the law-change that has enabled the NICT project is just the thin end of the wedge, and the Japanese government will escalate things – ostensibly in the name of national security. These are the sorts of concerns being voiced. It is hard to see a European or North American government announcing such a plan, and in that same vein, Chinese citizens wouldn’t bat an eyelid if the government kicked such a project off.
Of course, if the NICT remains limited to password dictionaries and reporting the devices to ISPs, who would then pass the warning on to their customers, then it seems that there’s not much danger of overreach. The NICT isn’t creating its own botnet of devices, from what we can tell; rather it is using pretty rudimentary techniques.
There are real world examples of what the Japanese government fears. Unsurprisingly, Russia is involved in the nation-state side of things, with the Olympic Destroyer malware that was apparently deployed as revenge for Russian athletes being banned from competition, and the VPNFilter malware that was allegedly aimed at disrupting the UEFA Champions’ League final in Kyiv, Ukraine.