New Japanese Law Lets Government Hack IOT Devices, Warn Owners They're Vulnerable

from the internet-of-broken-things dept

By now we’ve established pretty clearly that the well-hyped “internet of things” sector couldn’t actually care less about security or privacy. Companies are in such a rush to cash in on our collective thirst for internet connected tea kettles and not-so-smart televisions, they don’t much care if your new gadget was easily hacked or integrated into a DDoS botnet. And by the time security and privacy flaws have been discovered, companies and consumers alike are off to hyperventilate about the next must-have gadget, leaving untold millions of devices in the wild as new potential points of entry into home and business networks.

While most countries hem and haw without doing much of anything about the problem, Japan’s government this week proposed a unique legislative solution. A new Japanese law (pdf) passed this week authorizes the Japanese government to actually hack into poorly-secured internet of things devices as part of the country’s attempt to conduct a survey measuring the real scale of the problem:

“The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications. NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers’ IoT devices.”

Devices shipped with default usernames and passwords that users are too lazy (or technically incompetent) to change continue to be a huge problem in IOT devices and routers alike. Once the Japanese government has confirmed the vulnerability, it intends to send notices to impacted users in a bid to try and scare them into actually securing the devices. A Ministry of Internal Affairs and Communications report (pdf) was quick to note that attacks targeting poorly-secured IOT devices comprised two-thirds of all cyberattacks in 2016.

Obviously letting the government hack into consumer and business devices isn’t being welcomed warmly in Japan, where many understandably don’t trust government with such a task. But it’s worth noting these kinds of “solutions” are only emerging in the wake of years of apathy contributing to a global crisis. A crisis many experts say will, inevitably, result in potential mass casualties as essential infrastructure becomes increasingly vulnerable. Collectively we’ve largely yawned at the problem since much of its impact is what security expert Bruce Schneier calls “invisible pollution”:

“The market can’t fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don’t care. Their devices were cheap to buy, they still work, and they don’t know any of the victims of the attacks. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”

While other solutions for this problem are being explored (like mandating the inclusion of privacy and security issues in product reviews), they’ve been few and far between in actually materializing, since giving a damn will actually cost money. Experts like Schneier have long argued that given this market and consumer failure, government needs to play some role in coordinating some rules of the road for flimsy IOT security. Perhaps letting government itself hack into your poorly secured Barbie is a bridge too far (who’d follow up to confirm government didn’t abuse the privilege?). But if that’s the case, what’s the solution?


Comments on “New Japanese Law Lets Government Hack IOT Devices, Warn Owners They're Vulnerable”

Anonymous Coward says:

Re: Agree with Doctorow and Boing Boing

Well you are overlooking something "IoT" stands for "Internet Of shitty Things" (or "Internet Of Trash"). The ‘s’ is silently dropped because it isn’t as aesthetically pleasing (which is like all 4% of the concern of most people regarding IoT… the other 95% of concern is fictional, and 1% undecided).

discordian_eris (profile) says:

Re: Re: Agree with Doctorow and Boing Boing

It is more sensible to call things what they are up front. IoS – Internet of Shit. Not called that generally due to media being averse to saying ‘shit’. DRM – Digital Restrictions Management not ‘rights’ management as it has nothing to do with the purchaser’s rights. The list, especially in tech, is near endless.

Anonymous Coward says:

yet again the govt can do something that anyone/everyone else would get locked up for! strange how the world is still being taken over, without any bullets or bombs being used, but achieving the same thing! putting these various countries under the rule of the rich and powerful while ensuring it’s illegal to make ordinary people aware of what these fuckers are up to! ie, basically, a world of slavery, run by those of the same mindset as the ones who used weapons 70+ years ago!

norahc (profile) says:

Re: Re:

Given the rest of our stuff the government believes it can hack at will with no accountability, this is actually kind of refreshing. Government admitting it is going to hack pretty much whatever they want.

And maybe if consumers care enough about the government snooping on them, they’ll stop buying these devices or insist on privacy and security features.

Anonymous Coward says:

Re: Re:

yet again the govt can do something that anyone/everyone else would get locked up for!

The actual government scanning doesn’t even need to happen. They just need to say they’re going to scan on a certain date; then scans from official-looking hostnames will happen and we’ll find that all of the default passwords will have been changed.

Anonymous Coward says:

Re: Re:

Personally, there are certain activities that I believe individuals and corporations should be barred from pursuing that I think the government under full transparency should be allowed to do. This ensures that some level of protocol is followed and there is accountability in place.

For me, this falls nicely into that category. After all, the government can already do what they’re proposing without notifying anyone and get away with it. So the fact that they’re making a formal program out of it means that things will be better managed, not worse.

But yeah, one thing that has to be stopped is government programs with no transparency or accountability. Especially with network scans, the government should be required to publish the full reports of their activities. That way, if anyone fails to secure their network after the notification, the entire world will know.
