Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Japan Security IT Technology

Japanese Government Plans To Hack Into Citizens' IoT Devices (zdnet.com) 96

An anonymous reader writes: The Japanese government approved a law amendment on Friday that will allow government workers to hack into people's Internet of Things devices as part of an unprecedented survey of insecure IoT devices. The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.

NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices. The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices. The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike

This discussion has been archived. No new comments can be posted.

Japanese Government Plans To Hack Into Citizens' IoT Devices

Comments Filter:
  • I was wondering when the low lying fruit would be harvested. But why stop at surveying weak links in the net chain? Hack them right to dev/null, get them the fuck off the internet. That would be a solid security endeavor.

  • I do really not understand why such insane ideas get traction at all. Buy one of each of these and hack them in a lab, sure. But hack devices deployed out there by a large and diverse group of people? Pure insanity.

    • If they don't do it, someone else will.
      • by gweihir ( 88907 )

        Somebody else will do it even if they do. So you think adding one more attacker is sane?

        • Yes. I've hacked various networks and then left messages for the admin to fix the vulnerability. Was me doing that worse for them?

          As long as the Japanese government is honest about the aim of this project, then the end result will be a benefit for the people of Japan. Of course some transparency and third-party verification would be nice to keep them honest. But there's nothing inherently harmful about what they're doing.

          • by gweihir ( 88907 )

            Well, if you are not flat-out lying, I hope there is some nice prison-time in your future. You are part of the problem.

            • And you're the reason we can't have sensible laws.

            • Because he was playing around seeing what he could do, found hackable network and informed the owners? Sure he could have held the network for ransom I'm sure that would be better for everyone.. people like you are what's wrong with the world. I now understand why you post the things you do. You feel you're better than everybody else.

          • by AmiMoJo ( 196126 )

            What will they do if they find a vulnerable device? They could trace the IP address back to an ISP and ask them to contact the customer I guess. But what if they find some device that is vulnerable to an attack being used in the wild, or even already infected?

            Ethically shutting it down or patching it is acceptable, but legally?

            • Legally, they're the Japanese government and I doubt there's much stopping them. Would be different in the states.

              Even if they don't have the legal authority to patch it, they could almost certainly order the ISP to take that IP offline until the customer has been contacted and has patched the issue.

            • by AHuxley ( 892839 )
              Every network facing password in Japan could be inspected by the gov.
              Any that respond to a default password get a request to upgrade, change the password.
              The gov tests again. Who took the advice. Who did not.
              When China and North Korea enter a computer network in Japan the review will then ask about the password policy.
              Was anything left open as a default after the gov issued its results and asked for a password change?
              Can the company show it followed best practice and had changed its passwords as it w
        • If you brick it after hacking it, you at least remove it from the pool of potential DDoS drones.

          • by gweihir ( 88907 )

            Now, _that_ would be an idea. But this idea is also incompatible with modern ideas of right and wrong and generally is considered a criminal act as you are destroying property that is not yours without permission. We do have some exceptions for emergency conditions, like a fire marshal being allowed to order the evacuation or demolition of a building if it represents a direct danger to human life. In the IoT-field we do not have such laws and human life is not threatened (at least not yet).

            • You have seen the DDoSes from 1-2 years ago amplified by crappy IoT devices?

              Do you know why they stopped?

              Human lives are one thing, but threaten businesses and you'll see laws change!

    • by Anonymous Coward

      "But hack devices deployed out there by a large and diverse group of people? Pure insanity." - Hacking devices with little-to-no security to inoculate them from botnets is pure insanity? Pray tell what do you find sane about the internet?

      Is it not pure insanity to put null-security hardcoded credential IP devices on the internet GENERALLY? Why would preparing to mitigate their ongoing chronic and future abuse be the insanity here?

      • by gweihir ( 88907 )

        Where in the story do you find anything about "inoculating"? This is a survey and they will leave the devices widely open, possibly more open than before. The "securing" is left to the owners (who usually cannot do it) and these will be notified months later, if at all.

        • by Anonymous Coward

          Where in the story do you find anything about "possibly more open than before"? The survey is part of the effort to identify devices that need securing, a first step towards that goal obviously. Do you not get that?

          • by gweihir ( 88907 )

            Where in the story do you find anything about "possibly more open than before"?

            That is expert knowledge about how "hacking" works. You obviously have none of that.

        • The "securing" is left to the owners (who usually cannot do it) and these will be notified months later, if at all.

          That would be an idiotic idea. The proper way to handle this is to threaten device makers with gigantic penalties if their products are found to be insecure by default (measured against current good practice for duty of care [wikipedia.org]) and/or not maintained/updated on a reasonable schedule to remain secure. There are FAR too many technologically impaired end users to expect them to adjust the default settings to be something reasonably secure or to update the devices regularly. If this makes the devices cost more

          • by gweihir ( 88907 )

            That would be an idiotic idea.

            Read the original article. That is essentially what they are planning to do and that is (one of) the reasons why I think the whole thing is a really bad idea.

    • by MAXOMENOS ( 9802 )

      This idea has traction because Japanese society is conformist in a way that makes home owners' associations look like anarchy. The government says they're going to do it, the press aren't going to really challenge them, and while there has been and will continue to be push-back from opposition parties and civil libertarians, Abe has the votes he needs to easily push this through.

      Besides which, this idea of a massive public audit of IoT devices is not without merit. It would be another thing if the Abe admin

      • by gweihir ( 88907 )

        I agree on the politics.

        But this is not an audit. This is a "survey" by scanning and hacking attempt. A pretty bad idea overall. What useful data is supposed to come out of this? IoT devices already hacked (and most vulnerable ones will be) have their vulnerabilities closed to they cannot be taken away from the successful attacker. Hence they do not show up on this "survey". The ones that show up will be the ones that have withstood attack so far and the ones that have been online for only a very short time

        • by AHuxley ( 892839 )
          It will detect all the devices left on default.
          A gov can do that via its networks that face all networks in Japan.
          Most deices will then change from the easy lists of default passwords. People from China and North Korea expecting their lists of default passwords to grant access to many networks all over Japan will have to revert to other more complex methods to enter networks in Japan.
          Such changes from a list of default network passwords might just get detected/blocked.
          The easy days of using a list of de
    • by AHuxley ( 892839 )
      List of default passwords exist.
      Gov sends out a reminder that a site has network connected equipment that has default passwords.
      Gov tests many sites and sends out many reminders to change the passwords.
      Password policy is slowly changed all over Japan as the gov is now testing networks.
      The cooperation with the government makes Japan stronger and more effective.
      Attempt by China and North Korea to enter Japan by a network will now need more CPU power per attempt.

      Should an attempt to get into a network b
  • Crap title. (Score:5, Informative)

    by andydread ( 758754 ) on Monday January 28, 2019 @10:08AM (#58033864)
    This does not involve any "hacking" into anything. It simply unauthorized access by attempting default passwords, not hacking. Please fix the title. Thanks.
    • This does not involve any "hacking" into anything. It simply unauthorized access by attempting default passwords, not hacking. Please fix the title. Thanks.

      Exactly how does the fact that the password is easy to guess change the activity that is being performed in any way? It's hacking. The fact that it is hacking a second grader could do doesn't change that fact.

      (and please spare us the standard geek indignation about the word hacking not meaning whatever positive thing you want it to mean)

  • Good (Score:2, Interesting)

    by Anonymous Coward

    This needs to be done to protect the dumbasses from themselves. Once they start to get educated about security then their digital footprint becomes a little safer but wy stop there, go to the manufactures of these devices and threaten traded sanctions if the manufactures do not do a better job at securing these things.

  • I would like the NSA to partner with corporations to secure these devices. It would be great if they started educating the public about exploits and helping manufacturers to close holes. Even foreign manufacturers. It is in the best interest of national security for the US not to have another major internet outage caused by insecure IoT devices. [slashdot.org]

    We also need oversight in this area. Capitalism only works if the consumers know what they are buying. But people don't know. Similar to how we don't sell food

    • If the NSA partners with a manufacturer, I'm banning it from my purchasing list.
      Working with the NSA equals mandated government backdoor.

    • by jonwil ( 467024 )

      We will never have a truly secure internet so long as western governments (and their agencies) continue to prioritize both mass surveillance and targeted cracking of devices and protocols over actual security.

      Unless we can get the 5-eyes intelligence agencies to give up their wholesale data collection and spying and their attempts to get back doors, the forces pushing for insecurity will outweigh the forces pushing for security.

      And I have no doubt that the Japanese intelligence agencies are just as focused

    • by AHuxley ( 892839 )
      The NSA has all the keys to junk crypto products sold and that are approved for export.
      PRISM shows when and how the US gov gets its collect it all access.
  • Just as someone providing the key to their house or car doesn't make it stealing if either is opened, logging into something isn't hacking!

    Or to put it another way, when I log into my email, I'm not hacking into my email.

    Either that, or if we're going to use "hack" for standard logging in, then we need a word for when you use subversive means to get around not having a password to achieve access that was meant to be prohibited.

  • ... with warrant to go look through people's baby monitor cameras.

    What could possibly go wrong?

    • You do know that the difference to now is that "warrant" part, yes?

  • It's a commonsense approach to a serious problem. Hell, America could use citizen sleuths and crowdsource the effort.

    Then, each sorry device could be reported to the owner aggregated and vendor's reps could be yelped.

    I think it's a great idea.

    • by gweihir ( 88907 )

      No, it is an utter fail that ignores technological reality. First, most vulnerable devices will not be visible, because they have already been hacked and the vulnerability will have been closed (but the attacking bot-net owns the device). So they will not find the devices they need to find. And second, relying on ISPs and users to fix this will not accomplish anything.

      • And second, relying on ISPs and users to fix this will not accomplish anything.

        What historical works support your statement?

      • by AHuxley ( 892839 )
        Default password lists exist.
        Japan as a gov can detect such networked systems and ask any company to make a change.
        Getting a letter from the gov of Japan and showing the change was made will accomplish something.
        The company has two options once it gets told its networks need to be changed.
        By doing the needed work and telling the gov it did the needed work.
        By ignoring the gov letter and keeping its network as it was. Then telling the gov officially it did the needed "work"... Work it never did.
        T
    • by AHuxley ( 892839 )
      The NSA could not then track all the US mil/gov workers and see who is searching for what in real time if real strong network security existed.
      The FBI could not then enter a network and collect on a "spy" that was searching and moving data around if their deep network use was detected.
      The USA is kept in a state of plain text, junk crypto, keys shared with the US gov for very good security reasons.
      The NSA, US mil and FBI have to be able to track their workers and contractors work network and home "intern
      • What part of IoT did you miss?

        • by AHuxley ( 892839 )
          If the US starts fixing the IoT and getting good results with its improved IoT security then people in the US gov will want to fix their own wide open gov network too.
          That will make extra work for the FBI and NSA doing their testing and investigations of spies in the USA.
          Default passwords that work without a trace and much effort allow for easy detection of spies by a few trusted teams of US investigators.
          Secure the IoT and all other consumer networks the CIA, NSA, FBI cant get easy access to a worker/co
  • Since a lot of people here do not get it, I will post it again:
    1. The devices vulnerable to this will already be part of a bot-net and the vulnerability will have been closed by the bot-net. Hence they will not even find most problematic devices.
    2. They plan to let the ISPs and users fix this. This will accomplish absolutely nothing.

    • By "vulnerability", you mean the default password? Because from what I understood, this is what they're going to check.

      Wouldn't users notice they can't log in their own devices anymore?

      • by gweihir ( 88907 )

        Since bot-nets compete for targets, the few users that notice they cannot log in anymore will be an acceptable loss. The bot-net must defend what it has successfully integrated in order to work. Also, a bot-net must make sure it does not compromise devices multiple times (or it becomes so inefficient as to become ineffective, this has been observed in the past) and the best way to do that is to close the attack vector. Keeping state (list of members) does not work for that purpose in large bot-nets, synchro

        • by AHuxley ( 892839 )
          Japan would be not as productive for bot-nets that expect a simple default list of expected passwords to get started.
          The "bot-nets" would have to be more complex to then try all random stronger passwords and risk getting detected per attempt in Japan.
          Move to another nation that has no such policy and many more of its networks are on default passwords.
  • I don’t know how successful that operation can be at getting consumers to fix their own setup (still, it’s worth trying), but it may well succeed in publicly shaming manufacturers of shoddy insecure designs (including lame default settings) and pressuring them to make better products. Even if consumers turn out to be too passive (or have too little knowledge) to fix the configuration of their own equipment, at least Japanese public opinion is sure to react to public announcements that XYZ produc

  • If this story is true, then (regardless of its actual usefulness for the purpose) it would be a new, unique kind of event. So far, whenever we heard state agencies tampering with IT, it was for the worst of intentions, insecuring devices by planting back-doors into them.

    I'm afraid that even if the Japanese approach was actually true to its intentions, the next state announcing something like this will only do so as a cover-up for the next round of surveillance intrusion.
    • by AHuxley ( 892839 )
      It will keep out the attempts that always expected default passwords on internet facing systems.
      What the NSA, CGHQ will do to Japan will not change.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...