Slashdot Mirror


Japanese Government Plans To Hack Into Citizens' IoT Devices (zdnet.com)

An anonymous reader writes: The Japanese government approved a law amendment on Friday that will allow government workers to hack into people's Internet of Things devices as part of an unprecedented survey of insecure IoT devices. The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.

NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices. The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices. The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike.
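Added example, not NICT's tool and not part of the story: the shape of a default-credential survey of the kind described above, with the two controls a practitioner would insist on before running one, an authorised target scope and a per-host attempt cap that stops the moment a device locks out. The vendor names, credential lists, addresses and the in-memory MockDevice are constructed stand-ins; a real run would replace MockDevice.login with an HTTP, Telnet or SSH login attempt, and only against hosts the operator is authorised to test.

```python
"""Default-credential survey of the kind the story describes (added example,
not NICT's tool). MockDevice stands in for a router or camera login endpoint."""
import ipaddress
from dataclasses import dataclass

# Constructed per-vendor default credential lists (hypothetical vendor names).
DEFAULT_CREDS = {
    "acme-router": [("admin", "admin"), ("admin", "password"), ("root", "root")],
    "acme-cam":    [("admin", ""), ("admin", "12345"), ("user", "user")],
}
MAX_ATTEMPTS_PER_HOST = 5  # hard cap so a survey never drifts into brute force


@dataclass
class MockDevice:
    """In-memory stand-in for a device's login; a real survey would replace
    login() with an HTTP/Telnet/SSH attempt against an authorised host."""
    ip: str
    vendor: str
    username: str
    password: str
    lockout_after: int = 3   # failures before the device refuses connections
    failures: int = 0

    def login(self, user, pw):
        if self.failures >= self.lockout_after:
            raise ConnectionRefusedError("locked out")
        if (user, pw) == (self.username, self.password):
            return True
        self.failures += 1
        return False


@dataclass
class Finding:
    ip: str
    vendor: str
    cred: tuple
    attempts: int


def in_scope(ip, scope):
    """Only hosts inside the authorised networks may be touched."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in scope)


def survey(devices, scope, creds=DEFAULT_CREDS, max_attempts=MAX_ATTEMPTS_PER_HOST):
    """Return (findings, skipped_out_of_scope). Tries only the vendor's known
    defaults, stops at max_attempts, and backs off the moment a device locks out."""
    findings, skipped = [], []
    for dev in devices:
        if not in_scope(dev.ip, scope):
            skipped.append(dev.ip)
            continue
        attempts = 0
        for user, pw in creds.get(dev.vendor, [])[:max_attempts]:
            attempts += 1
            try:
                ok = dev.login(user, pw)
            except ConnectionRefusedError:
                break            # locked out: stop, record nothing
            if ok:
                findings.append(Finding(dev.ip, dev.vendor, (user, pw), attempts))
                break
    return findings, skipped


def report(findings):
    """Per-vendor list of affected addresses for the ISP/CERT notification.
    Deliberately omits which credential worked; the notice only needs to say
    that a vendor default was accepted."""
    out = {}
    for f in findings:
        out.setdefault(f.vendor, []).append(f.ip)
    return out


def demo_fleet():
    """Constructed sample: three hosts in the authorised range, one outside."""
    fleet = [
        MockDevice("203.0.113.10", "acme-router", "admin", "admin"),
        MockDevice("203.0.113.11", "acme-router", "admin", "Xk9!long-unique"),
        MockDevice("203.0.113.12", "acme-cam", "user", "user"),
        MockDevice("198.51.100.5", "acme-cam", "admin", ""),
    ]
    scope = [ipaddress.ip_network("203.0.113.0/24")]
    return fleet, scope


if __name__ == "__main__":
    found, skipped = survey(*demo_fleet())
    print(report(found), "skipped:", skipped)
```

The report hands downstream only "this address accepted a vendor default for this product line", which is all an ISP needs to notify the subscriber; the attempt cap and the lockout check are what keep a survey distinguishable from the botnet scanners it is trying to pre-empt.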

96 comments

  1. In before spoofing as NICT by Anonymous Coward · · Score: 0

    manufacturers probably will have to whitelist them too

  2. Hack every single IOT device right off the net by Anonymous Coward · · Score: 1

    I was wondering when the low lying fruit would be harvested. But why stop at surveying weak links in the net chain? Hack them right to dev/null, get them the fuck off the internet. That would be a solid security endeavor.

    1. Re: Hack every single IOT device right off the net by Anonymous Coward · · Score: 0

      You could just remove the devices from the internet but you don't know how many grandmas are going to be left confused with a "suddenly broken" web camera. In the worst case expect to cut off a few families. Maybe even kill a few elderly people because they can't contact their caregivers.

      Just because you know what a hosts file is and how a firewall works doesn't mean we go killing people that don't. That's a dangerously arrogant elitist jerk approach.

    2. Re: Hack every single IOT device right off the net by Anonymous Coward · · Score: 0

      Why would anyone die?

      People don't put their lives in the hand of a new untested "IoT" thing. Especially not the elderly who often enough fail to operate any phone equipped with a "touch screen".

      Currently, IoT == toys. And the occasional autonomous lawnmower.

  3. What could possibly go wrong.... by gweihir · · Score: 0

    I really do not understand why such insane ideas get traction at all. Buy one of each of these and hack them in a lab, sure. But hack devices deployed out there by a large and diverse group of people? Pure insanity.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:What could possibly go wrong.... by olsmeister · · Score: 1

      If they don't do it, someone else will.

    2. Re:What could possibly go wrong.... by gweihir · · Score: 1

      Somebody else will do it even if they do. So you think adding one more attacker is sane?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:What could possibly go wrong.... by MAXOMENOS · · Score: 1

      This idea has traction because Japanese society is conformist in a way that makes home owners' associations look like anarchy. The government says they're going to do it, the press aren't going to really challenge them, and while there has been and will continue to be push-back from opposition parties and civil libertarians, Abe has the votes he needs to easily push this through.

      Besides which, this idea of a massive public audit of IoT devices is not without merit. It would be another thing if the Abe administration were pushing for back doors in all IoT devices (which, as far as I can tell, they are not).

    4. Re: What could possibly go wrong.... by c6gunner · · Score: 2

      Yes. I've hacked various networks and then left messages for the admin to fix the vulnerability. Was me doing that worse for them?

      As long as the Japanese government is honest about the aim of this project, then the end result will be a benefit for the people of Japan. Of course some transparency and third-party verification would be nice to keep them honest. But there's nothing inherently harmful about what they're doing.

    5. Re:What could possibly go wrong.... by gweihir · · Score: 1

      I agree on the politics.

      But this is not an audit. This is a "survey" by scanning and hacking attempt. A pretty bad idea overall. What useful data is supposed to come out of this? IoT devices already hacked (and most vulnerable ones will be) have their vulnerabilities closed so they cannot be taken away from the successful attacker. Hence they do not show up on this "survey". The ones that show up will be the ones that have withstood attack so far and the ones that have been online for only a very short time.

      The whole thing is useless and potentially dangerous as it will provide deeply flawed data.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:What could possibly go wrong.... by Opportunist · · Score: 1

      If you brick it after hacking it, you at least remove it from the pool of potential DDoS drones.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:What could possibly go wrong.... by Anonymous Coward · · Score: 0

      A survey and an audit are essentially the same, the goal is to identify vulnerable devices ahead of getting them either fixed or disabled. Unsecured IP-capable devices are a global problem. Why is this so hard for you to get?

      Stop opining out your ass, thanks. This is a first step, not the only thing they'll do about it. "potentially dangerous" = assumptive bullshit presented as fact as you just did.

    8. Re:What could possibly go wrong.... by gweihir · · Score: 1

      You seem to have understood absolutely nothing. But what can you expect from an AC?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re: What could possibly go wrong.... by gweihir · · Score: 1

      Well, if you are not flat-out lying, I hope there is some nice prison-time in your future. You are part of the problem.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:What could possibly go wrong.... by gweihir · · Score: 1

      Now, _that_ would be an idea. But this idea is also incompatible with modern ideas of right and wrong and generally is considered a criminal act as you are destroying property that is not yours without permission. We do have some exceptions for emergency conditions, like a fire marshal being allowed to order the evacuation or demolition of a building if it represents a direct danger to human life. In the IoT-field we do not have such laws and human life is not threatened (at least not yet).

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re: What could possibly go wrong.... by c6gunner · · Score: 1

      And you're the reason we can't have sensible laws.

    12. Re: What could possibly go wrong.... by AmiMoJo · · Score: 1

      What will they do if they find a vulnerable device? They could trace the IP address back to an ISP and ask them to contact the customer I guess. But what if they find some device that is vulnerable to an attack being used in the wild, or even already infected?

      Ethically shutting it down or patching it is acceptable, but legally?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re: What could possibly go wrong.... by c6gunner · · Score: 1

      Legally, they're the Japanese government and I doubt there's much stopping them. Would be different in the states.

      Even if they don't have the legal authority to patch it, they could almost certainly order the ISP to take that IP offline until the customer has been contacted and has patched the issue.

    14. Re: What could possibly go wrong.... by Highdude702 · · Score: 1

      Because he was playing around seeing what he could do, found a hackable network and informed the owners? Sure, he could have held the network for ransom; I'm sure that would be better for everyone. People like you are what's wrong with the world. I now understand why you post the things you do. You feel you're better than everybody else.

    15. Re:What could possibly go wrong.... by Anonymous Coward · · Score: 0

      Using the default password on a stock device in the lab would be pointless.

      The question this is likely intending to answer is: "how widespread is this vulnerability in deployed devices?". That is, do people actually not change the default password and other settings (likely) or is the fear mongering overblown (as the manufacturers are likely saying). Another question might be "what portion of these devices are adequately protected by other measures that using the default password is not a significant problem?"

      If you wanted to pass a law requiring stricter security on IOT devices and were facing opposition stemming from lobbying efforts by the manufacturers, actually doing this sort of study to prove the need makes sense.

    16. Re: What could possibly go wrong.... by Anonymous Coward · · Score: 0

      What you're doing is functionally similar to entering someone's home and leaving a note that encourages them to buy better locks.

      At best it's creepy as fuck, and is unacceptable behavior in a civilized society even if it strictly speaking doesn't do any material harm.

    17. Re: What could possibly go wrong.... by c6gunner · · Score: 1

      Your analogy fails because every single one of us knows (or should know) that our houses are insecure. Lockpicking is shit simple - I do that for fun also - but even without picking locks anyone can get into your house by busting a window, or breaking down the door. Houses aren't meant to be secure, and very few people are interested in implementing the kind of security needed to make them secure. Whereas every admin I've ever met wants to do everything he can to make sure his systems are secure.

      In any event, I'm OK with you thinking I'm creepy. That's a subjective valuation which means little to me. I'm not OK with the other fuckwit claiming I'm causing harm.

    18. Re: What could possibly go wrong.... by Anonymous Coward · · Score: 0

      If you saw that someone's door is wide open, it would make sense to inform him/her about it.

    19. Re:What could possibly go wrong.... by AHuxley · · Score: 1

      List of default passwords exist.
      Gov sends out a reminder that a site has network connected equipment that has default passwords.
      Gov tests many sites and sends out many reminders to change the passwords.
      Password policy is slowly changed all over Japan as the gov is now testing networks.
      The cooperation with the government makes Japan stronger and more effective.
      Attempt by China and North Korea to enter Japan by a network will now need more CPU power per attempt.

      Should an attempt to get into a network be proved to have been using a default password after getting a gov reminder to change the password?
      That could change the way the gov views the computer crime. From getting hacked and having a strong password policy.
      To having not taken the past gov advice and then left a network wide open.

      --
      Domestic spying is now "Benign Information Gathering"
    20. Re: What could possibly go wrong.... by AHuxley · · Score: 1

      Every network facing password in Japan could be inspected by the gov.
      Any that respond to a default password get a request to upgrade, change the password.
      The gov tests again. Who took the advice. Who did not.
      When China and North Korea enter a computer network in Japan the review will then ask about the password policy.
      Was anything left open as a default after the gov issued its results and asked for a password change?
      Can the company show it followed best practice and had changed its passwords as it was asked to do?
      A company that changed its passwords will all be ok.
      A company that failed to take the "advice" when requested by the gov?
      That will open up further questions.

      --
      Domestic spying is now "Benign Information Gathering"
    21. Re:What could possibly go wrong.... by AHuxley · · Score: 1

      It will detect all the devices left on default.
      A gov can do that via its networks that face all networks in Japan.
      Most devices will then change from the easy lists of default passwords. People from China and North Korea expecting their lists of default passwords to grant access to many networks all over Japan will have to revert to other more complex methods to enter networks in Japan.
      Such changes from a list of default network passwords might just get detected/blocked.
      The easy days of using a list of default passwords are then over on average.

      --
      Domestic spying is now "Benign Information Gathering"
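Added example, not posted by anyone in this thread: the detection side of the point above, run over constructed log lines. The message format follows dropbear's "Bad password attempt for ... from ..." and "Password auth succeeded for ..." lines, but the lines, hostnames, addresses and the DEFAULT_USERS list are made up for the example. It flags a source that fails several default-account logins inside a short window, and separately flags a default-account login that succeeds after failures from the same source, which is exactly the device the survey would report.

```python
"""Spot default-credential sweeps in router/camera auth logs (added example;
log lines below are constructed, modelled on dropbear's message format)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Account names that ship as vendor defaults (constructed list for the example).
DEFAULT_USERS = {"admin", "root", "user", "support", "guest"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: "
    r"(?P<outcome>Bad password attempt|Password auth succeeded) "
    r"for '(?P<user>[^']+)' from (?P<src>[\d.]+):\d+$"
)

SAMPLE_LOG = """\
Jan 25 10:00:01 gw dropbear[412]: Bad password attempt for 'admin' from 198.51.100.7:51234
Jan 25 10:00:02 gw dropbear[413]: Bad password attempt for 'root' from 198.51.100.7:51235
Jan 25 10:00:03 gw dropbear[414]: Bad password attempt for 'admin' from 198.51.100.7:51236
Jan 25 10:00:04 gw dropbear[415]: Password auth succeeded for 'admin' from 198.51.100.7:51237
Jan 25 10:05:00 gw dropbear[420]: Bad password attempt for 'alice' from 203.0.113.9:40000
Jan 25 10:20:00 gw dropbear[421]: Password auth succeeded for 'alice' from 203.0.113.9:40001
Jan 25 11:00:00 gw dropbear[430]: Bad password attempt for 'admin' from 192.0.2.50:3000
Jan 25 11:30:00 gw dropbear[431]: Bad password attempt for 'admin' from 192.0.2.50:3001
"""


def parse(line, year=2019):
    """Return a dict for a recognised auth line, None for anything else.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["outcome"] == "Password auth succeeded",
            "user": m["user"], "src": m["src"]}


def detect(lines, window_s=60, min_failures=3):
    """Two alert kinds per source address:
    - default-credential-sweep: >= min_failures failed logins against default
      account names inside window_s seconds (a password-list scan);
    - default-credential-accepted: a default account logs in successfully after
      such failures from the same source (the device is on a default password)."""
    by_src = defaultdict(list)
    for e in filter(None, map(parse, lines)):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        window = deque()
        swept = failed_default = False
        for e in evs:
            if e["user"] not in DEFAULT_USERS:
                continue                      # ordinary user account, ignore
            if e["ok"]:
                if failed_default:
                    alerts.append({"src": src, "kind": "default-credential-accepted",
                                   "user": e["user"]})
                continue
            failed_default = True
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()              # slide the window forward
            if len(window) >= min_failures and not swept:
                swept = True                  # one sweep alert per source
                alerts.append({"src": src, "kind": "default-credential-sweep",
                               "users": sorted({w["user"] for w in window})})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

On the constructed log the scanner at 198.51.100.7 produces both alerts, the legitimate user from 203.0.113.9 produces none, and two spaced-out failures from 192.0.2.50 stay below the window threshold; an ISP or device vendor feeding real logs through this gets the list of customer devices that actually accepted a default, not just the ones that were probed.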
    22. Re: What could possibly go wrong.... by Anonymous Coward · · Score: 0

      Demonstrate harm. Bitch more.

      That's not an either-or. I'm just announcing that, at best, you'll attempt one and the other will come out.

    23. Re: What could possibly go wrong.... by Anonymous Coward · · Score: 0

      Ethically shutting it down or patching it is acceptable, but legally?

      Legal is not a problem when you are the government and making a law especially to do exactly this.

      Ethically this is excellent. Deploying devices that can be taken over by using default passwords over the net - that is dangerous. That is not ethical, if the devices can be used for further harm.

      Having the government doing pen testing on the population's IoT devices is a good thing. Get bad devices off the market before large-scale abuses become possible.

    24. Re:What could possibly go wrong.... by Anonymous Coward · · Score: 0

      Part of it is cultural.
      Just a few decades ago, it was accepted (even routine?) for the local omawari-san (policeman) to check to make sure your doors are locked, and kindly let the residents know if they're not. I'm sure I can find an episode of Sazae-san with such dialog if I'd looked.

      This is just the same concept in the 21st century.

    25. Re:What could possibly go wrong.... by Opportunist · · Score: 1

      You have seen the DDoSes from 1-2 years ago amplified by crappy IoT devices?

      Do you know why they stopped?

      Human lives are one thing, but threaten businesses and you'll see laws change!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Crap title. by andydread · · Score: 4, Informative

    This does not involve any "hacking" into anything. It is simply unauthorized access by attempting default passwords, not hacking. Please fix the title. Thanks.

    1. Re:Crap title. by Anonymous Coward · · Score: 0

      Relevant SMBC

      http://www.smbc-comics.com/?id=2526

    2. Re:Crap title. by Anonymous Coward · · Score: 0

      This does not involve any "hacking" into anything. It is simply unauthorized access by attempting default passwords, not hacking. Please fix the title. Thanks.

      Well, it meets the definition most of us have used for hacking for 30+ years, and it meets the legal definition that will get you arrested and charged.

      By the time you're using password dictionaries, you are fully into what most people call hacking.

      Try this at your employer, see how long they remain your employer.

    3. Re:Crap title. by Anonymous Coward · · Score: 0

      It's also CRIMINAL.
      Example: If YOU do that to others, YOU will go to PRISON for a VERY long time.

      Also, for the only real way to solve these problems of
      Government doing whatever the fuck it wants to you...
      Search Youtube: Larken Rose

    4. Re:Crap title. by Anonymous Coward · · Score: 0

      Pretty sure Slashdot is WORM. or perhaps a CD-RW. Have to erase the whole thing and start from scratch.

    5. Re:Crap title. by DontBeAMoran · · Score: 1

      This is not "attempting to login with password dictionaries", this is "attempting to login with the default manufacturer passwords".

      The goal here is to test which devices still have those insecure passwords, not "try to login at any cost using password dictionaries".

      --
      #DeleteFacebook
    6. Re:Crap title. by Anonymous Coward · · Score: 0

      Indeed

    7. Re:Crap title. by MAXOMENOS · · Score: 2

      > It's also CRIMINAL

      Ah, well that's just it, isn't it? It's not criminal activity if the Diet says it's legal.

    8. Re:Crap title. by Anonymous Coward · · Score: 0

      A dictionary containing exactly one password is still a dictionary.

  5. Good by Anonymous Coward · · Score: 2, Interesting

    This needs to be done to protect the dumbasses from themselves. Once they start to get educated about security then their digital footprint becomes a little safer, but why stop there? Go to the manufacturers of these devices and threaten trade sanctions if the manufacturers do not do a better job at securing these things.

    1. Re:Good by Anonymous Coward · · Score: 0

      Better yet, just make laws requiring xyz security implementations, VALIDATE the implementations, and THEN allow them to be sold in our markets - not before. Of course we're just dreaming of Utopia, they never do this.

    2. Re:Good by Opportunist · · Score: 1

      Or just make bricking insecure IoT crap legal. I'm fairly sure you'll find a lot of people doing just that for shits and giggles.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Deep thoughts, by Jack Handy? by Anonymous Coward · · Score: 1

    "But hack devices deployed out there by a large and diverse group of people? Pure insanity." - Hacking devices with little-to-no security to inoculate them from botnets is pure insanity? Pray tell what do you find sane about the internet?

    Is it not pure insanity to put null-security hardcoded credential IP devices on the internet GENERALLY? Why would preparing to mitigate their ongoing chronic and future abuse be the insanity here?

    1. Re:Deep thoughts, by Jack Handy? by gweihir · · Score: 1

      Where in the story do you find anything about "inoculating"? This is a survey and they will leave the devices widely open, possibly more open than before. The "securing" is left to the owners (who usually cannot do it) and these will be notified months later, if at all.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Deep thoughts, by Jack Handy? by Anonymous Coward · · Score: 1

      Where in the story do you find anything about "possibly more open than before"? The survey is part of the effort to identify devices that need securing, a first step towards that goal obviously. Do you not get that?

    3. Re:Deep thoughts, by Jack Handy? by gweihir · · Score: 1

      Where in the story do you find anything about "possibly more open than before"?

      That is expert knowledge about how "hacking" works. You obviously have none of that.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Deep thoughts, by Jack Handy? by Anonymous Coward · · Score: 0

      No, you're full of shit. Nothing about this leaves the devices more open than they are now, further in many cases that's not even possible. You know nothing about this problem. Go hack a clue into your skull, read something.

      IOT devices with hard-coded default credentials are not less secure because you find them and test those well-known ubiquitous hard coded credentials, moron. That's absolutely horseshit. Go fuck yourself for lying.

      And as someone who tried to pretend something was only relevant if presented in the text of the article, you're doubly retarded. Remember, up and down, not back and forth. Fuck yourself properly, lying moron.

    5. Re:Deep thoughts, by Jack Handy? by gweihir · · Score: 1

      You seem to never have heard about things like UPnP, for example and firewalls with states. A device could well be set up to be open to accesses from Japan, but after such an access remains open to the rest of the world for a time. This is a very simplified scenario, of course, but I am sure even that already flies right over your head.

      This /. story from yesterday may be relevant for you though: https://science.slashdot.org/s...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Deep thoughts, by Jack Handy? by AHuxley · · Score: 2

      Then the company will be told by the gov that their "things like UPnP" is wide open.
      The company can then change its policy and secure its network.
      Change its passwords.
      Upgrade.
      That warning by the gov will have to be acted upon.
      The gov will give time and advice to work on "things like UPnP" settings?
      Should that "things like UPnP" be found to be part of any computer network intrusion?

      The gov can then come back and ask why the "things like UPnP" was still left open to the world?
      The company can then list their reasons why the "things like UPnP" policy was left in place.
      Should it be a good reason then the gov will accept that.
      The company was given the gov results about the "things like UPnP", advice and time to consider its network.
      Was the reason not good then further questions get asked about all gov policy/tax/banking the company might be missing.
      Not acting on "things like UPnP" when requested by the gov could risk lot more investigation and questions later.

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:Deep thoughts, by Jack Handy? by gweihir · · Score: 1

      That will not be happening, unless the Japanese government starts to do systematic pen-tests against all their domestic devices and networks. While that would be indeed a good thing, it is infeasible today because the effort is just too large.

      No. The only way to get rid of the IoT mess is manufacturer and vendor liability and that one has to be done internationally. In effect, sales of this insecure crap must be banned, stock must be seized and marketplaces like eBay and Amazon must be made liable if they continue to sell them after they have been found insecure. Product evaluation likely will have to be done after the fact (i.e. the thing is already being sold) and with taxpayer money, but that is a small price to pay.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:Deep thoughts, by Jack Handy? by Anonymous Coward · · Score: 0

      >a factorycreds device could become vulnerable
      tinyviolin.wav

    9. Re:Deep thoughts, by Jack Handy? by AHuxley · · Score: 1

      Re " infeasible today because the effort is just too large."
      Botnets made by non gov groups do it every day all over different nations' networks, using a default list of passwords to quickly scan all networks they find.

      Re "mess is manufacturer and vendor liability"
      Too late. Too much is already sold, in use and can be connected to using default password lists.

      Detection and a request to change at least gets the gov a list of networks that got changed.
      A list of networks that did not do what the gov told them when asked.

      --
      Domestic spying is now "Benign Information Gathering"
  7. I wish the NSA did this by MobyDisk · · Score: 1

    I would like the NSA to partner with corporations to secure these devices. It would be great if they started educating the public about exploits and helping manufacturers to close holes. Even foreign manufacturers. It is in the best interest of national security for the US not to have another major internet outage caused by insecure IoT devices.

    We also need oversight in this area. Capitalism only works if the consumers know what they are buying. But people don't know. Similar to how we don't sell food without an ingredients list, we shouldn't sell network devices without an open ports list, and a list of hard-coded credentials, etc. Just the mere act of requiring a label will curb idiotic practices. It forces manufacturers to think about it, and it induces liability if they fail to do so.

    1. Re:I wish the NSA did this by DontBeAMoran · · Score: 1

      If the NSA partners with a manufacturer, I'm banning it from my purchasing list.
      Working with the NSA equals mandated government backdoor.

      --
      #DeleteFacebook
    2. Re:I wish the NSA did this by jonwil · · Score: 1

      We will never have a truly secure internet so long as western governments (and their agencies) continue to prioritize both mass surveillance and targeted cracking of devices and protocols over actual security.

      Unless we can get the 5-eyes intelligence agencies to give up their wholesale data collection and spying and their attempts to get back doors, the forces pushing for insecurity will outweigh the forces pushing for security.

      And I have no doubt that the Japanese intelligence agencies are just as focused on insecurity and data collection as the rest of them...

    3. Re:I wish the NSA did this by AHuxley · · Score: 1

      The NSA has all the keys to junk crypto products sold and that are approved for export.
      PRISM shows when and how the US gov gets its collect it all access.

      --
      Domestic spying is now "Benign Information Gathering"
  8. Actually a good idea. by Anonymous Coward · · Score: 0

    This is a good thing, *if* their gov't then increases their citizens awareness on device security

    (And device manufacturers PULL THEIR F*CKING FINGER OUT with regards to proper device security).

    Any manufacturer that doesn't implement decent security and secure by DEFAULT configurations should get a weekly fine, per product.

  9. Hacking?? by RJFerret · · Score: 1

    Just as someone providing the key to their house or car doesn't make it stealing if either is opened, logging into something isn't hacking!

    Or to put it another way, when I log into my email, I'm not hacking into my email.

    Either that, or if we're going to use "hack" for standard logging in, then we need a word for when you use subversive means to get around not having a password to achieve access that was meant to be prohibited.

    1. Re:Hacking?? by Anonymous Coward · · Score: 0

      Wouldn't a better metaphor be buying a door that comes preinstalled with a default lock and key, then the Japanese government goes around and checks every door with the default key, leaving a sticky note on your door if they got in, and definitely /definitely/ not snooping around at all.

  10. Bad password but still hacking by sjbe · · Score: 1

    This does not involve any "hacking" into anything. It is simply unauthorized access by attempting default passwords, not hacking. Please fix the title. Thanks.

    Exactly how does the fact that the password is easy to guess change the activity that is being performed in any way? It's hacking. The fact that it is hacking a second grader could do doesn't change that fact.

    (and please spare us the standard geek indignation about the word hacking not meaning whatever positive thing you want it to mean)

    1. Re:Bad password but still hacking by Monster_user · · Score: 3, Informative

      Hacking is using exploits or otherwise bypassing the security mechanisms, typically to gain unauthorized access. Hacking can also be used to gain authorized access.

      This isn't hacking, this is logging in, and unauthorized access.

      Is it "breaking and entering" if you leave your front door open?

    2. Re:Bad password but still hacking by Anonymous Coward · · Score: 0

      Yes. Breaking and entering is defined as the crime of illegally entering a residence or other enclosed property using any amount of force (even pushing open an unlocked door)

    3. Re:Bad password but still hacking by Anonymous Coward · · Score: 0

      Just because the law puts "breaking and entering" in the same lot doesn't mean that forcing a lock open is the same as entering a house with an open door.

    4. Re:Bad password but still hacking by Anonymous Coward · · Score: 0

      The analogy would be using a large ring of common keys to unlock doors and then entering. Whether you consider it hacking or not, it's sufficient that a password behaves like a lock and was a major means of differentiating authorized vs unauthorized access for a reason: otherwise people could argue figurative open doors were unauthorized access instead of being some sort of invitation to come inside. I would almost appreciate this if I trusted the Japanese government (or any government) to be white-hatting and doing this precisely to help inform people about insecure devices. Instead, as others point out, it likely quickly turns into something the NSA would do. I guess on the bright side Japan is a bit more transparent about their mass surveillance.

    5. Re:Bad password but still hacking by Anonymous Coward · · Score: 0

      No. It's BREAKING and entering only if you open a locked door (by lockpicking, breaking the lock, breaking a window etc). If the door is open it's only illegally entering.

    6. Re:Bad password but still hacking by Anonymous Coward · · Score: 0

      *entering a private property

      This detail gets confused every time the analogy comes up. An unlocked door on public property is free game, even if you "meant" for it to be locked in your imaginary thinkspace. If you broadcast employee-phones.xls openly 1) the computer will obey and broadcast 2) people will accept your offer

      Note: IOT is a different conversation, less likely to perform zero-restriction broadcast.

  11. Government employees... by forkfail · · Score: 1

    ... with warrant to go look through people's baby monitor cameras.

    What could possibly go wrong?

    --
    Check your premises.
    1. Re:Government employees... by Opportunist · · Score: 1

      You do know that the difference to now is that "warrant" part, yes?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Government employees... by Anonymous Coward · · Score: 0

      ^^ found the unsecured Trumptard.

  12. It's 2019... by Anonymous Coward · · Score: 0

    We've been talking about insecure default passwords on consumer devices for at least the better part of two decades, there are no longer any excuses.

    Manufacturers should be held criminally liable for producing insecure devices in the first place.

    These IoT devices should require a secure non-default password be set as part of the setup process and not function until this step is done.

    1. Re:It's 2019... by DontBeAMoran · · Score: 1

      Forget "IoT devices"... there should be laws in every country to make anything with a "default password" illegal.

      Hell, combination lock manufacturers can make them random. Why are software-based devices not doing it?

      --
      #DeleteFacebook
    2. Re:It's 2019... by Anonymous Coward · · Score: 0

      Well to be fair, I quoted the article and said IoT, but I was specifically thinking about routers, modems, NAS drives, camera systems, etc.

      And I don't want them to be criminally liable if the consumer sets a weak password, just if their devices work out of the box with a default password that can be found on a search engine with minimal effort.

  13. End users (mostly) cannot be trusted by sjbe · · Score: 1

    The "securing" is left to the owners (who usually cannot do it) and these will be notified months later, if at all.

    That would be an idiotic idea. The proper way to handle this is to threaten device makers with gigantic penalties if their products are found to be insecure by default (measured against current good practice for duty of care) and/or not maintained/updated on a reasonable schedule to remain secure. There are FAR too many technologically impaired end users to expect them to adjust the default settings to be something reasonably secure or to update the devices regularly. If this makes the devices cost more then so be it.

    It's probably ok in some cases to let advanced users tweak security settings but doing so should require special action on their part and probably a liability waiver (safe harbor) to the manufacturer of the device.

    1. Re:End users (mostly) cannot be trusted by gweihir · · Score: 1

      That would be an idiotic idea.

      Read the original article. That is essentially what they are planning to do and that is (one of) the reasons why I think the whole thing is a really bad idea.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  14. The US needs this by CaptainDork · · Score: 1

    It's a commonsense approach to a serious problem. Hell, America could use citizen sleuths and crowdsource the effort.

    Then, each sorry device could be reported to the owner aggregated and vendor's reps could be yelped.

    I think it's a great idea.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:The US needs this by gweihir · · Score: 2

      No, it is an utter fail that ignores technological reality. First, most vulnerable devices will not be visible, because they have already been hacked and the vulnerability will have been closed (but the attacking bot-net owns the device). So they will not find the devices they need to find. And second, relying on ISPs and users to fix this will not accomplish anything.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:The US needs this by CaptainDork · · Score: 1

      And second, relying on ISPs and users to fix this will not accomplish anything.

      What historical works support your statement?

      --
      It little behooves the best of us to comment on the rest of us.
    3. Re:The US needs this by AHuxley · · Score: 1

      The NSA could not then track all the US mil/gov workers and see who is searching for what in real time if real strong network security existed.
      The FBI could not then enter a network and collect on a "spy" that was searching and moving data around if their deep network use was detected.
      The USA is kept in a state of plain text, junk crypto, keys shared with the US gov for very good security reasons.
      The NSA, US mil and FBI have to be able to track their workers and contractors work network and home "internet" use 24/7.
      Who is searching for journalists to contact.
      Who printed what document and gave it to a journalist.
      Default passwords all over the US gov/mil make tracking US workers "spying" efforts an achievable task by a small group of trusted US mil/gov security teams.

      The commonsense approach is to keep US networks open and crypto junk in place so all the generations of spies don't get to hide their "search" terms.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:The US needs this by AHuxley · · Score: 1

      Default password lists exist.
      Japan as a gov can detect such networked systems and ask any company to make a change.
      Getting a letter from the gov of Japan and showing the change was made will accomplish something.
      The company has two options once it gets told its networks need to be changed.
      By doing the needed work and telling the gov it did the needed work.
      By ignoring the gov letter and keeping its network as it was. Then telling the gov officially it did the needed "work"... Work it never did.
      The company can never later say they did not know.
      That the use of default passwords was policy and the company did not know.
      Code litter and later skilled code review will find out and a company that changed its passwords from default will be ok.
      A company that was found to have not changed its passwords when asked and told the gov it was in full compliance will face further questions.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:The US needs this by gweihir · · Score: 1

      Read up on them. I am not doing your homework.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:The US needs this by CaptainDork · · Score: 1

      What part of IoT did you miss?

      --
      It little behooves the best of us to comment on the rest of us.
    7. Re:The US needs this by AHuxley · · Score: 1

      If the US starts fixing the IoT and getting good results with its improved IoT security then people in the US gov will want to fix their own wide open gov network too.
      That will make extra work for the FBI and NSA doing their testing and investigations of spies in the USA.
      Default passwords that work without a trace and much effort allow for easy detection of spies by a few trusted teams of US investigators.
      Secure the IoT and all other consumer networks and the CIA, NSA, FBI can't get easy access to a worker/contractor's network at home, after work.
      The results of improved IoT security in the US will open the door to calls for all other US networks to get more security all over the USA.
      Nobody wants strong passwords on any network to stop an open investigation.
      Not starting on IoT, home networks, at work.

      What happens when all US networks don't have default passwords?
      The US gov/mil will be back having to find a work around for every real password for every network it encounters.
      Attempts by gov like that risk detection every time.

      --
      Domestic spying is now "Benign Information Gathering"
  15. While I generally agree with you... by Anonymous Coward · · Score: 0

    And Shinzo Abe falls on the authoritarian side.

    I think in the case of the culturally Japanese establishment, this will be an overall good thing. The majority of Japanese value personal privacy and culturally have it instilled not to trouble others. Given that these devices can already be accessed by anyone who finds them online, having the government perform the due diligence some of these owners were unable or unwilling to grasp seems like an excellent way to plug the problems until the next hardware upgrade treadmill, and maybe even educate enough of the populace on the dangers of it to help educate the rest so it doesn't happen again.

    1. Re:While I generally agree with you... by Guybrush_T · · Score: 1

      Absolutely. If that public service is able to access it, so can the rest of the world. In fact, it should be incumbent on ISPs to make sure those devices cannot be easily turned into botnets. ISPs should scan for classical login/password and if found, set the firewall to block the device, send an email to the customer and let the customer remove the firewall rule when ready.

      This should be one of the basic services from an ISP.

      And no this is not hacking, maybe not even unauthorized access. To give an analogy, it's like trying to open the door and if we find that the door opens, we build a wall of bricks in front of it to secure it.

  16. Completely worthless stunt by gweihir · · Score: 1

    Since a lot of people here do not get it, I will post it again:
    1. The devices vulnerable to this will already be part of a bot-net and the vulnerability will have been closed by the bot-net. Hence they will not even find most problematic devices.
    2. They plan to let the ISPs and users fix this. This will accomplish absolutely nothing.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Completely worthless stunt by DontBeAMoran · · Score: 1

      By "vulnerability", you mean the default password? Because from what I understood, this is what they're going to check.

      Wouldn't users notice they can't log in to their own devices anymore?

      --
      #DeleteFacebook
    2. Re:Completely worthless stunt by gweihir · · Score: 1

      Since bot-nets compete for targets, the few users that notice they cannot log in anymore will be an acceptable loss. The bot-net must defend what it has successfully integrated in order to work. Also, a bot-net must make sure it does not compromise devices multiple times (or it becomes so inefficient as to become ineffective; this has been observed in the past) and the best way to do that is to close the attack vector. Keeping state (a list of members) does not work for that purpose in large bot-nets; synchronization would take too long, among other problems. In addition, many IoT devices are set up so that the web interface / app interface uses a different password than the telnet access, and most users will use the web interface.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Completely worthless stunt by AHuxley · · Score: 1

      Japan would not be as productive for bot-nets that expect a simple default list of expected passwords to get started.
      The "bot-nets" would have to be more complex to then try all random stronger passwords and risk getting detected per attempt in Japan.
      Move to another nation that has no such policy and many more of its networks are on default passwords.

      --
      Domestic spying is now "Benign Information Gathering"
  17. Shame manufacturers into making secure products... by Picodon · · Score: 1

    I don’t know how successful that operation can be at getting consumers to fix their own setup (still, it’s worth trying), but it may well succeed in publicly shaming manufacturers of shoddy insecure designs (including lame default settings) and pressuring them to make better products. Even if consumers turn out to be too passive (or have too little knowledge) to fix the configuration of their own equipment, at least Japanese public opinion is sure to react to public announcements that XYZ product has caused this many millions of consumers to needlessly be exposed to hackers. So I see it as a smart move, and I applaud the fact that it was initiated through legislation.

  18. Yay hacking! by Anonymous Coward · · Score: 0

    And hackers! And hacks! And more hacking! And more buzzwords! IoT! Cyber! State actors! APT and all that! Whee!

  19. A state tampering IT with good intentions? by ffkom · · Score: 1

    If this story is true, then (regardless of its actual usefulness for the purpose) it would be a new, unique kind of event. So far, whenever we heard state agencies tampering with IT, it was for the worst of intentions, insecuring devices by planting back-doors into them.

    I'm afraid that even if the Japanese approach was actually true to its intentions, the next state announcing something like this will only do so as a cover-up for the next round of surveillance intrusion.

    1. Re:A state tampering IT with good intentions? by AHuxley · · Score: 1

      It will keep out the attempts that always expected default passwords on internet facing systems.
      What the NSA, GCHQ will do to Japan will not change.

      --
      Domestic spying is now "Benign Information Gathering"
  20. Arguably ... by Anonymous Coward · · Score: 0

    Arguably leaving the device open through default passwords could be considered to be granting authorisation.

    How is it different from somebody putting art in a public place like a park, or opening a street stall?