New Japanese Law Lets Government Hack IOT Devices, Warn Owners They're Vulnerable

from the internet-of-broken-things dept

By now we've established pretty clearly that the well-hyped "internet of things" sector couldn't actually care less about security or privacy. Companies are in such a rush to cash in on our collective thirst for internet connected tea kettles and not-so-smart televisions, they don't much care if your new gadget was easily hacked or integrated into a DDoS botnet. And by the time security and privacy flaws have been discovered, companies and consumers alike are off to hyperventilate about the next must-have gadget, leaving untold millions of devices in the wild as new potential points of entry into home and business networks.

While most countries hem and haw without doing much of anything about the problem, Japan's government this week proposed a unique legislative solution. A new Japanese law (pdf) passed this week authorizes the Japanese government to actually hack into poorly-secured internet of things devices as part of the country's attempt to conduct a survey measuring the real scale of the problem:

"The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications. NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices.

Devices shipped with default username and passwords that users are too lazy (or technically incompetent) to change continue to be a huge problem in IOT devices and routers alike. Once the Japanese government has confirmed the vulnerability, it intends to send notices to impacted users in a bid to try and scare them into actually securing the devices. A Ministry of Internal Affairs and Communications report (pdf) was quick to note that attacks targeting poorly-secured IOT devices comprised two-thirds of all cyberattacks in 2016.

Obviously letting the government hack into consumer and business devices isn't being welcomed warmly in Japan, where many understandably don't trust government with such a task. But it's worth noting these kinds of "solutions" are only emerging in the wake of years of apathy contributing to a global crisis. A crisis many experts say will, inevitably, result in potential mass casualties as essential infrastructure becomes increasingly vulnerable. Collectively we've largely yawned at the problem since much of its impact is what security expert Bruce Schneier calls "invisible pollution:

"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

While other solutions for this problem are being explored (like mandating the inclusion of privacy and security issues in product reviews), they've been few and far between in actually materializing, since giving a damn will actually cost money. Experts like Schneier have long argued that given this market and consumer failure, government needs to play some role in coordinating some rules of the road for flimsy IOT security. Perhaps letting government itself hack into your poorly secured Barbie is a bridge too far (who'd follow up to confirm government didn't abuse the privilege?). But if that's the case, what's the solution?

Filed Under: hacking, iot, japan, nict, proactive hacking, security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    discordian_eris (profile), 31 Jan 2019 @ 10:53am

    Agree with Doctorow and Boing Boing

    It should really be called IoS, not IoT.

    Internet of Shit not Internet of Things.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 31 Jan 2019 @ 11:16am

      Re: Agree with Doctorow and Boing Boing

      Well you are over looking something "IoT" stands for "Internet Of shitty Things" (or "Internet Of Trash"). The 's' is silently dropped because it isn't as aesthetically pleasing (which is like all 4% of the concern of most people regarding IoT... the other 95% of concern is fictional, and 1% undecided).

      reply to this | link to this | view in chronology ]

      • icon
        Stephen T. Stone (profile), 31 Jan 2019 @ 11:37am

        Re: Re: Agree with Doctorow and Boing Boing

        Better naming idea: The Network of Personal Electronics. After all, once people learn about all this bullshit being done with their Echos and whatnot, the typical reaction is NOPE.

        reply to this | link to this | view in chronology ]

      • icon
        discordian_eris (profile), 31 Jan 2019 @ 6:51pm

        Re: Re: Agree with Doctorow and Boing Boing

        It is more sensible to call things what they are up front. IoS - Internet of Shit. Not called that generally due to media being averse to saying 'shit'. DRM - Digital Restrictions Management not 'rights' management as it has nothing to do with the purchasers rights. The list, especially in tech, is near endless.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 31 Jan 2019 @ 11:22am

    yet again the govt can do something that anyone/everyone else would get locked up for! strange how the world is still being taken over, without any bullets or bombs being used, but achieving the same thing! putting these various countries under the rule of the rich and powerful while ensuring it's illegal to make ordinary people aware of what these fuckers are up to! ie, basically, a world of slavery, run by those of the same mindset as the ones who used weapons 70+ years ago!

    reply to this | link to this | view in chronology ]

    • identicon
      norahc, 31 Jan 2019 @ 12:17pm

      Re:

      Given the rest of our stuff the government believes it can hack at will with no accountability, this is actually kind if refreshing. Government admitting it is going to hack pretty much whatever they want.

      And maybe if consumers care enough about the government snooping on them, they'll stop buying these devices or insist on privacy and security features.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 31 Jan 2019 @ 12:23pm

      Re:

      yet again the govt can do something that anyone/everyone else would get locked up for!

      The actual government scanning doesn't even need to happen. They just need to say they're going to scan on a certain date; then scans from official-looking hostnames will happen and we'll find that all of the default passwords will have been changed.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 31 Jan 2019 @ 1:21pm

      Re:

      Arguably, there are some things that government should be doing that its citizens should not have to do. For example, feeding the poor and destitute. Oh - also maintaining an army for self defense ... but not imperialistic war mongering.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 31 Jan 2019 @ 3:35pm

      Re:

      Personally, there are certain activities that I believe individuals and corporations should be barred from pursuing that I think the government under full transparency should be allowed to do. This ensures that some level of protocol is followed and there is accountability in place.

      For me, this falls nicely into that category. After all, the government can already do what they're proposing without notifying anyone and get away with it. So the fact that they're making a formal program out of it means that things will be better managed, not worse.

      But yeah, one thing that has to be stopped is government programs with no transparency or accountability. Especially with network scans, the government should be required to publish the full reports of their activities. That way, if anyone fails to secure their network after the notification, the entire world will know.

      reply to this | link to this | view in chronology ]

    • icon
      Bergman (profile), 1 Feb 2019 @ 4:19am

      Re:

      This. Another example is that if you tried to structure a pension plan the way the US government currently operates social security, you'd get the cell next to Bernie Madoff for running a Ponzi scheme.

      reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 31 Jan 2019 @ 3:31pm

    The New Japanese Law

    Does the new law let the government hack IoT devices, and then not warn owners they're vulnerable.

    Because here in the states, that's what would happen.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 31 Jan 2019 @ 3:36pm

      Re: The New Japanese Law

      You mean in the US, that's what already happens. All records get shrouded by the security clause and you have to know what to ask for and file a lawsuit to get any of the information.

      reply to this | link to this | view in chronology ]

  • icon
    Bergman (profile), 1 Feb 2019 @ 4:17am

    Hacking IoT vs Hackbacks?

    I wonder what will happen if someone, somewhere, gets their device hacked this way at a government facility, or who occupies an important official post. Perhaps in France, or a French ambassador to Japan.

    Will France hack the Japanese government right back?

    reply to this | link to this | view in chronology ]

  • icon
    Jinxed Violynne (profile), 1 Feb 2019 @ 4:56am

    "Once the Japanese government has confirmed the vulnerability, it intends to send notices to impacted users in a bid to try and scare them into actually securing the devices."

    Hopefully using a secured connection, since most IoT communications are not secured, hence they're vulnerability with a password change.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Feb 2019 @ 5:13am

    In Soviet Russia...wait, no...In Buddist Japan, government hacks you!

    reply to this | link to this | view in chronology ]

  • identicon
    I.T. Guy, 1 Feb 2019 @ 8:40am

    Sounds like the Japanese just wrote themselves a law to hack foreign computers.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown for basic formatting. (HTML is not supported.)
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown for basic formatting. (HTML is not supported.)
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.