
Japan to hack its citizens

February 4, 2019 | Expert Insights

Ahead of the Tokyo Olympic Games 2020, the Japanese government approved an amendment that will permit the government to hack devices owned by its citizens as a measure to secure the Internet of Things (IoT).

Background

Japan is taking measures to secure the Internet of Things, taking into account the 2018 PyeongChang Winter Olympics cyber-attack.

The 2018 cyberattack paralyzed internet networks at the opening ceremony of the Pyeongchang Winter Olympics. Hacking caused both LAN and WiFi communications to be disrupted and prevented tickets from being printed from the Olympics website. It took 12 hours for the cyber response team to restore normal operation. The hackers knew usernames, server names and passwords used for the Olympic Games infrastructure. Samples of the “Olympic Destroyer” malware indicate the hackers did not try to steal information but performed “destructive” functions. The Washington Post reported that Russian hackers were responsible for the cyber-attack, in retaliation for the ban on Russian athletes over a systematic doping scheme. The Post noted that Russia used North Korean IP addresses to mask their tracks. In December of 2017, the IOC suspended the Russian Olympic Committee.

In addition, the same hackers built VPNFilter, a gigantic botnet, using domestic IoT equipment with which they planned to cut the transmission of the final of the UEFA Champions League of 2018 in Kiev.

Analysis

The Japanese government is believed to be accessing millions of citizens' IoT devices, to check whether their passwords are secure. The first-of-its-kind survey is aimed at strengthening cyber-security.

The Minister for Internal Affairs and Communications, Masashi Ishida, has approved an amendment to the country's Supplementary Provisions of the National Institute of Information and Communications Technology Law, allowing the 'hack' to take place.

Staff at the National Institute of Information and Communications Technology (NICT) will use default passwords and password dictionaries to try and hack randomly-selected IoT devices, and compile a list of vulnerable devices. They will then share the information with internet service providers who will be expected to alert consumers and make the devices secure. The survey could involve more than 200 million IoT devices, starting initially with routers and webcams, in a program that could last for up to five years.

The Japanese government has embarked on this plan in preparation for the Tokyo 2020 Summer Olympics. Athletes from all over the world will compete for gold medals and personal recognition. Hosting the Olympics requires a lengthy period of preparation to ensure the safety and capability of competitors and spectators. Japan believes that it has to prioritise and invest in security – both physical and cyber.

Institute of Information Security professor, Harumichi Yuasa, said it's possible that researchers might unintentionally gain access to webcam images or stored data. He said this would violate the device owners' constitutional right to privacy if their identities were revealed. The institute says it will keep under wraps any data obtained in the survey. Institute researcher, Daisuke Inoue says the project's aim is to increase the safety and security of people's devices. He said the institute will ensure that no data is leaked.

While Japan's adoption of IoT is lower than that of most countries, more than 54 per cent of the cyberattacks detected last year were connected to IoT devices, according to the NICT.

The Japanese government's decision to log into users' IoT devices has sparked outrage in Japan. Many have argued that this is an unnecessary step, as the same results could be achieved by just sending a security alert to all users, as there's no guarantee that the users found to be using default or easy-to-guess passwords would change their passwords after being notified in private.

Counter Point

Michael Gazeley, director of Hong Kong-based security firm Network Box, warned that while the intentions of the test were good, it could potentially backfire on users, by creating an easy attack vector for hackers. "The public at large is going to have to be extra vigilant," he said. "How easy would it be to send someone (everyone) a phishing email, claiming to be from the government, saying, 'Your IOT devices failed our testing, please click on this link to get updated,' resulting in a huge number of successful hacks?"

Assessment

Our assessment is that the plan has its technical merits because many of the IoT and router botnets are built by hackers who are likely to take over the devices with default passwords. We believe that securing these devices can prevent such exploitation. We feel that the Japanese authorities are engaging in a form of cyber leadership by addressing a global issue.