Japanese Government Plans To Hack Into Citizens' IoT Devices (zdnet.com) 96
An anonymous reader writes: The Japanese government approved a law amendment on Friday that will allow government workers to hack into people's Internet of Things devices as part of an unprecedented survey of insecure IoT devices. The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.
NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices. The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices. The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike
NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices. The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices. The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike
Hack every single IOT device right off the net (Score:1)
I was wondering when the low lying fruit would be harvested. But why stop at surveying weak links in the net chain? Hack them right to dev/null, get them the fuck off the internet. That would be a solid security endeavor.
What could possibly go wrong.... (Score:1)
I do really not understand why such insane ideas get traction at all. Buy one of each of these and hack them in a lab, sure. But hack devices deployed out there by a large and diverse group of people? Pure insanity.
Re: (Score:1)
Re: (Score:2)
Somebody else will do it even if they do. So you think adding one more attacker is sane?
Re: What could possibly go wrong.... (Score:3)
Yes. I've hacked various networks and then left messages for the admin to fix the vulnerability. Was me doing that worse for them?
As long as the Japanese government is honest about the aim of this project, then the end result will be a benefit for the people of Japan. Of course some transparency and third-party verification would be nice to keep them honest. But there's nothing inherently harmful about what they're doing.
Re: (Score:2)
Well, if you are not flat-out lying, I hope there is some nice prison-time in your future. You are part of the problem.
Re: What could possibly go wrong.... (Score:2)
And you're the reason we can't have sensible laws.
Re: (Score:2)
Because he was playing around seeing what he could do, found hackable network and informed the owners? Sure he could have held the network for ransom I'm sure that would be better for everyone.. people like you are what's wrong with the world. I now understand why you post the things you do. You feel you're better than everybody else.
Re: (Score:2)
What will they do if they find a vulnerable device? They could trace the IP address back to an ISP and ask them to contact the customer I guess. But what if they find some device that is vulnerable to an attack being used in the wild, or even already infected?
Ethically shutting it down or patching it is acceptable, but legally?
Re: What could possibly go wrong.... (Score:2)
Legally, they're the Japanese government and I doubt there's much stopping them. Would be different in the states.
Even if they don't have the legal authority to patch it, they could almost certainly order the ISP to take that IP offline until the customer has been contacted and has patched the issue.
Re: (Score:2)
Any that respond to a default password get a request to upgrade, change the password.
The gov tests again. Who took the advice. Who did not.
When China and North Korea enter a computer network in Japan the review will then ask about the password policy.
Was anything left open as a default after the gov issued its results and asked for a password change?
Can the company show it followed best practice and had changed its passwords as it w
Re: What could possibly go wrong.... (Score:2)
Your analogy fails because every single one of us knows (or should know) that our houses are insecure. Lockpicking is shit simple - I do that for fun also - but even without picking locks anyone can get into your house by busting a window, or breaking down the door. Houses aren't meant to be secure, and very few people are interested in implementing the kind of security needed to make them secure. Whereas every admin I've ever met wants to do everything he can to make sure his systems are secure.
In any e
Re: (Score:2)
If you brick it after hacking it, you at least remove it from the pool of potential DDoS drones.
Re: (Score:2)
Now, _that_ would be an idea. But this idea is also incompatible with modern ideas of right and wrong and generally is considered a criminal act as you are destroying property that is not yours without permission. We do have some exceptions for emergency conditions, like a fire marshal being allowed to order the evacuation or demolition of a building if it represents a direct danger to human life. In the IoT-field we do not have such laws and human life is not threatened (at least not yet).
Re: (Score:2)
You have seen the DDoSes from 1-2 years ago amplified by crappy IoT devices?
Do you know why they stopped?
Human lives are one thing, but threaten businesses and you'll see laws change!
Deep thoughts, by Jack Handy? (Score:1)
"But hack devices deployed out there by a large and diverse group of people? Pure insanity." - Hacking devices with little-to-no security to inoculate them from botnets is pure insanity? Pray tell what do you find sane about the internet?
Is it not pure insanity to put null-security hardcoded credential IP devices on the internet GENERALLY? Why would preparing to mitigate their ongoing chronic and future abuse be the insanity here?
Re: (Score:2)
Where in the story do you find anything about "inoculating"? This is a survey and they will leave the devices widely open, possibly more open than before. The "securing" is left to the owners (who usually cannot do it) and these will be notified months later, if at all.
Re: (Score:1)
Where in the story do you find anything about "possibly more open than before"? The survey is part of the effort to identify devices that need securing, a first step towards that goal obviously. Do you not get that?
Re: (Score:2)
Where in the story do you find anything about "possibly more open than before"?
That is expert knowledge about how "hacking" works. You obviously have none of that.
Re: (Score:2)
You seem to never have heard about things like UPnP, for example and firewalls with states. A device could well be set up to be open to accesses from Japan, but after such an access remains open to the rest of the world for a time. This is a very simplified scenario, of course, but I am sure even that already flies right over your head.
This /. story from yestersay may be relevant for you though: https://science.slashdot.org/s... [slashdot.org]
Re: (Score:3)
The company can then change its policy and secure its network.
Change its passwords.
Upgrade.
That warning by the gov will have to be acted upon.
The gov will give time and advice to work on "things like UPnP" settings?
Should that "things like UPnP" be found to be part of any computer network intrusion?
The gov can then come back an ask why the "things like UPnP" was still left open to the world?
The company can then lis
Re: (Score:2)
That will not be happening, unless the Japan government starts to do systematic pen-tests against all their domestic devices and networks. While that would be indeed a good thing, it is infeasible today because the effort is just too large.
No. The only way to get rid of the IoT mess is manufacturer and vendor liability and that one has to be done internationally. In effect, sales of this insecure crap must be banned, stock must be seized and marketplaces like eBay and Amazon must be made liable if they cont
Re: (Score:2)
Bot nets made by non gov groups do it everyday all over different nations networks using a default list of passwords to quickly scan all networks they find.
Re "mess is manufacturer and vendor liability"
Too late. Too much is already sold, in use and can be connected to using default password lists.
Detection and a request to change at least gets the gov a list of networks that got changed.
A list of networks that did not do what the gov told t
End users (mostly) cannot be trusted (Score:2)
The "securing" is left to the owners (who usually cannot do it) and these will be notified months later, if at all.
That would be an idiotic idea. The proper way to handle this is to threaten device makers with gigantic penalties if their products are found to be insecure by default (measured against current good practice for duty of care [wikipedia.org]) and/or not maintained/updated on a reasonable schedule to remain secure. There are FAR too many technologically impaired end users to expect them to adjust the default settings to be something reasonably secure or to update the devices regularly. If this makes the devices cost more
Re: (Score:2)
That would be an idiotic idea.
Read the original article. That is essentially what they are planning to do and that is (one of) the reasons why I think the whole thing is a really bad idea.
Re: (Score:2)
This idea has traction because Japanese society is conformist in a way that makes home owners' associations look like anarchy. The government says they're going to do it, the press aren't going to really challenge them, and while there has been and will continue to be push-back from opposition parties and civil libertarians, Abe has the votes he needs to easily push this through.
Besides which, this idea of a massive public audit of IoT devices is not without merit. It would be another thing if the Abe admin
Re: (Score:2)
I agree on the politics.
But this is not an audit. This is a "survey" by scanning and hacking attempt. A pretty bad idea overall. What useful data is supposed to come out of this? IoT devices already hacked (and most vulnerable ones will be) have their vulnerabilities closed to they cannot be taken away from the successful attacker. Hence they do not show up on this "survey". The ones that show up will be the ones that have withstood attack so far and the ones that have been online for only a very short time
Re: (Score:2)
You seem to have understood absolutely nothing. But what can you expect from an AC?
Re: (Score:2)
A gov can do that via its networks that face all networks in Japan.
Most deices will then change from the easy lists of default passwords. People from China and North Korea expecting their lists of default passwords to grant access to many networks all over Japan will have to revert to other more complex methods to enter networks in Japan.
Such changes from a list of default network passwords might just get detected/blocked.
The easy days of using a list of de
Re: (Score:2)
Gov sends out a reminder that a site has network connected equipment that has default passwords.
Gov tests many sites and sends out many reminders to change the passwords.
Password policy is slowly changed all over Japan as the gov is now testing networks.
The cooperation with the government makes Japan stronger and more effective.
Attempt by China and North Korea to enter Japan by a network will now need more CPU power per attempt.
Should an attempt to get into a network b
Crap title. (Score:5, Informative)
Bad password but still hacking (Score:2)
This does not involve any "hacking" into anything. It simply unauthorized access by attempting default passwords, not hacking. Please fix the title. Thanks.
Exactly how does the fact that the password is easy to guess change the activity that is being performed in any way? It's hacking. The fact that it is hacking a second grader could do doesn't change that fact.
(and please spare us the standard geek indignation about the word hacking not meaning whatever positive thing you want it to mean)
Re:Bad password but still hacking (Score:4, Informative)
This isn't hacking, this is logging in, and unauthorized access.
Is it "breaking an entering" if you leave your front door open?
Re: (Score:2)
This is not "attempting to login with password dictionaries", this is "attempting to login with the default manufacturer passwords".
The goal here is to test which devices still have those insecure passwords, not "try to login at any cost using password dictionaries".
Re: (Score:3)
> It's also CRIMINAL
Ah, well that's just it, isn't it? It's not criminal activity if the Diet says it's legal.
Good (Score:2, Interesting)
This needs to be done to protect the dumbasses from themselves. Once they start to get educated about security then their digital footprint becomes a little safer but wy stop there, go to the manufactures of these devices and threaten traded sanctions if the manufactures do not do a better job at securing these things.
Re: (Score:2)
Or just make bricking insecure IoT crap legal. I'm fairly sure you'll find a lot of people doing just that for shits and giggles.
I wish the NSA did this (Score:2)
I would like the NSA to partner with corporations to secure these devices. It would be great if they started educating the public about exploits and helping manufacturers to close holes. Even foreign manufacturers. It is in the best interest of national security for the US not to have another major internet outage caused by insecure IoT devices. [slashdot.org]
We also need oversight in this area. Capitalism only works if the consumers know what they are buying. But people don't know. Similar to how we don't sell food
Re: (Score:2)
If the NSA partners with a manufacturer, I'm banning it from my purchasing list.
Working with the NSA equals mandated government backdoor.
Re: (Score:2)
We will never have a truly secure internet so long as western governments (and their agencies) continue to prioritize both mass surveillance and targeted cracking of devices and protocols over actual security.
Unless we can get the 5-eyes intelligence agencies to give up their wholesale data collection and spying and their attempts to get back doors, the forces pushing for insecurity will outweigh the forces pushing for security.
And I have no doubt that the Japanese intelligence agencies are just as focused
Re: (Score:2)
PRISM shows when and how the US gov gets its collect it all access.
Hacking?? (Score:2)
Just as someone providing the key to their house or car doesn't make it stealing if either is opened, logging into something isn't hacking!
Or to put it another way, when I log into my email, I'm not hacking into my email.
Either that, or if we're going to use "hack" for standard logging in, then we need a word for when you use subversive means to get around not having a password to achieve access that was meant to be prohibited.
Government employees... (Score:2)
... with warrant to go look through people's baby monitor cameras.
What could possibly go wrong?
Re: (Score:2)
You do know that the difference to now is that "warrant" part, yes?
Re: (Score:2)
Absolutely. If that public service is able to access it, so does the rest of the world. In fact, it should be incumbent to ISPs to make sure those devices cannot be easily turned into botnets. ISPs should scan for classical login/password and if found, set the firewall to block the device, send an email to the customer and let the customer remove the firewall rule when ready.
This should be one the basic services from an ISP.
And no this is not hacking, maybe not even unauthorized access. To give an analo
Re: (Score:2)
Forget "IoT devices"... there should be laws in every country to make anything with a "default password" illegal.
Hell, combination lock manufacturers can make them random. Why are software-based devices not doing it?
The US needs this (Score:2)
It's a commonsense approach to a serious problem. Hell, America could use citizen sleuths and crowdsource the effort.
Then, each sorry device could be reported to the owner aggregated and vendor's reps could be yelped.
I think it's a great idea.
Re: (Score:3)
No, it is an utter fail that ignores technological reality. First, most vulnerable devices will not be visible, because they have already been hacked and the vulnerability will have been closed (but the attacking bot-net owns the device). So they will not find the devices they need to find. And second, relying on ISPs and users to fix this will not accomplish anything.
Re: (Score:2)
And second, relying on ISPs and users to fix this will not accomplish anything.
What historical works support your statement?
Re: (Score:2)
Read up on them. I am not doing your homework.
Re: (Score:2)
Japan as a gov can detect such networked systems and ask any company to make a change.
Getting a letter from the gov of Japan and showing the change was made will accomplish something.
The company has two options once it gets told its networks need to be changed.
By doing the needed work and telling the gov it did the needed work.
By ignoring the gov letter and keeping its network as it was. Then telling the gov officially it did the needed "work"... Work it never did.
T
Re: (Score:2)
The FBI could not then enter a network and collect on a "spy" that was searching and moving data around if their deep network use was detected.
The USA is kept in a state of plain text, junk crypto, keys shared with the US gov for very good security reasons.
The NSA, US mil and FBI have to be able to track their workers and contractors work network and home "intern
Re: (Score:2)
What part of IoT did you miss?
Re: (Score:2)
That will make extra work for the FBI and NSA doing their testing and investigations of spies in the USA.
Default passwords that work without a trace and much effort allow for easy detection of spies by a few trusted teams of US investigators.
Secure the IoT and all other consumer networks the CIA, NSA, FBI cant get easy access to a worker/co
Completely worthless stunt (Score:2)
Since a lot of people here do not get it, I will post it again:
1. The devices vulnerable to this will already be part of a bot-net and the vulnerability will have been closed by the bot-net. Hence they will not even find most problematic devices.
2. They plan to let the ISPs and users fix this. This will accomplish absolutely nothing.
Re: (Score:2)
By "vulnerability", you mean the default password? Because from what I understood, this is what they're going to check.
Wouldn't users notice they can't log in their own devices anymore?
Re: (Score:2)
Since bot-nets compete for targets, the few users that notice they cannot log in anymore will be an acceptable loss. The bot-net must defend what it has successfully integrated in order to work. Also, a bot-net must make sure it does not compromise devices multiple times (or it becomes so inefficient as to become ineffective, this has been observed in the past) and the best way to do that is to close the attack vector. Keeping state (list of members) does not work for that purpose in large bot-nets, synchro
Re: (Score:2)
The "bot-nets" would have to be more complex to then try all random stronger passwords and risk getting detected per attempt in Japan.
Move to another nation that has no such policy and many more of its networks are on default passwords.
Shame manufacturers into making secure products... (Score:2)
I don’t know how successful that operation can be at getting consumers to fix their own setup (still, it’s worth trying), but it may well succeed in publicly shaming manufacturers of shoddy insecure designs (including lame default settings) and pressuring them to make better products. Even if consumers turn out to be too passive (or have too little knowledge) to fix the configuration of their own equipment, at least Japanese public opinion is sure to react to public announcements that XYZ produc
A state tampering IT with good intentions? (Score:2)
I'm afraid that even if the Japanese approach was actually true to its intentions, the next state announcing something like this will only do so as a cover-up for the next round of surveillance intrusion.
Re: (Score:2)
What the NSA, CGHQ will do to Japan will not change.