Japan's IoT Security Strategy: Break Into DevicesNation to Allow Researchers to Brute-Force 200 Million Devices
Japan plans to identity vulnerable internet of things devices the same way hackers do: by trying to log into them.
On Friday, the government approved a plan for a survey of the country's vulnerable devices, according to NHK World-Japan. The survey, due to start next month, will be carried out by the national ICT research agency, the National Institute of Information and Communications Technology.
In November, Japan passed a law that allowed NICT to access IoT devices for five years, NHK reports. The idea is that the survey will help reveal the country's vulnerability to cyberattacks ahead of it hosting of the 2020 Summer Olympics.
The agency will be allowed to scan for IoT devices and then attempt to log into the devices using lists of default and common credentials. The survey will cover some 200 million IoT devices, NHK reports. If vulnerable devices are found, the plan is to notify device owners. The Ministry of Internal Affairs and Communications published a Japanese document outlining the survey.
Japan's efforts are admirable, says Victor Gevers, co-founder of the GDI Foundation, a nonprofit security group based in the Netherlands that has worked on botnet remediation. (see Calling Telnet: Effort Focuses on Fixing IoT Devices).
"The GDI Foundation has reported and taken care of hundreds of thousands of online systems over the last few years," Gevers says. "When a government steps up, it sparks confidence and fuels desire that drives many volunteers who work hard to make the internet a safer place for everybody."
IoT: A Soft Spot
IoT devices have become an increasing source of security problems, both for their potential to expose sensitive data and weak security configurations.
One large issue is that manufacturers for years have shipped devices with weak or default login credentials. That's a big problem if a device, such as a security camera, is directly exposed to the internet.
Attackers search the internet for potentially weak devices and then attempt to log into them. Taking over a router could allow an attacker to snoop on traffic or change DNS settings, which can be a prelude to other data-stealing attacks.
Although IoT devices generally have low computing power, they're very suitable for distributed denial-of-service attacks. Corralled together as part of a botnet, the devices can collectively use their power to jam up other services by sending streams of garbage traffic.
The most notable attack that utilized poorly configured IoT devices was the Mirai botnet, which resulted in a series of powerful DDoS attacks (see: Fast-Spreading Mirai Worm Disrupts UK Broadband Providers).
Mirai was coded with a list of 64 hard-coded and default passwords. It also was a worm, so once it infected a device, it searched the internet for other devices, such as routers and digital video recorders used for private security cameras.
Mirai's firepower was targeted at several companies, including DNS services provider Dyn, in October 2016. The attack against Dyn resulted in some internet users not being able to resolve DNS queries to services such as Spotify and PayPal (see: Mirai Botnet Pummels Internet DNS in Unprecedented Attack).
Identifying potentially vulnerable IoT devices that face the internet can be accomplished using search engines such as Shodan, which allow for search queries based on certain parameters.
Once a device has been found, taking it to the next level - attempting to log into the device - is generally a criminal offense in most countries. That presumably is the case in Japan as well and the reason why the law had to be modified to make it legal for the survey (see: Could a Defensive Hack Fix the Internet of Things?).
With the law changed and permission to proceed, it should be easier to identify vulnerable devices. The larger problem is trying to resolve the vulnerabilities.
Fixing vulnerabilities that lead to large botnets has been vexing. A decade ago, attackers commandeered large networks of desktop computers via browser and operating system vulnerabilities.
Law enforcement agencies and private companies found success in shutting down the command-and-control servers for those botnets. But it left the problem of cleaning up infected devices, which usually involved the owners of those devices installing security patches. The problem has receded somewhat, aided by operating systems and browsers that automatically download and install patches.
In 2010, Dutch police took an aggressive step after shutting down a botnet known as Bredolab that spread malware by email and infected tens of millions computers. After Bredolab's command-and-control servers were seized, police delivered their own code to the infected computers. The code redirected victims to a website set up by the Netherlands Police Agency, which contained instructions on how to remove the malware.
But IoT devices pose unique problems. They're often used for years and forgotten. The device's manufacturer may no longer support the devices or issues patches. Devices often shipped with default credentials that were never change by owners, or, in some cases, couldn't be changed.
After Mirai, some IoT manufacturers pledge to improve their security, including mandating that customers change default credentials. The easy part for Japan will be finding the devices. But convincing users to take action, let alone replace devices that simply can't be fixed, will be on ongoing challenge.