Japanese Government to probe insecure IoT devices
The Japanese government passed a law authorizing the National Institute of Communications and Technology (NICT) to run dictionary-style attacks against IoT devices around the nation. Basically, lists of default, overused and easy-to-guess passwords will be used from February 2019 against internet-discoverable devices, regardless of whether they are public or private. The reason for this decision is to improve preparedness for several important events coming to Japan starting this year:
- The new emperor's coronation in April, which will also change the Era name in Japan from the current one, Heisei, to a new one that is yet to be decided.
- The Rugby World Cup from September 2019, which is considered a rehearsal for the most important event next year.
- The Tokyo Olympics in 2020, which is the main reason behind the government's decision to take action this year and find weak passwords in IoT devices.
Additional concerns are coming from enterprises. The reason is simple: these activities could generate alerts in enterprise infrastructures, depending on their configurations and monitoring level.
Enterprises are therefore concerned, since the probing activity might use the same techniques, and possibly the same tools, as potential malicious actors. Moreover, no technical details have been shared, so there is no way to correctly identify and whitelist (which could lead us to a very different discussion) the “suspicious” traffic. In that case, attackers could use these probing activities to hide in plain sight. Security teams and SOCs are concerned and are expecting an increase in traffic.
This activity could prove useful, but at the same time bad actors could potentially take advantage of it. Hopefully enterprises, behind all their perimeter defenses, are ready and well organized for this, especially since they have had 4 years to improve their infrastructure, processes and human resources to face these activities.