Slashdot Mirror
Japanese Government Plans To Hack Into Citizens' IoT Devices (zdnet.com)
An anonymous reader writes: The Japanese government approved a law amendment on Friday that will allow government workers to hack into people's Internet of Things devices as part of an unprecedented survey of insecure IoT devices. The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.
NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices. The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices. The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike
NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices. The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices. The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike
I was wondering when the low lying fruit would be harvested. But why stop at surveying weak links in the net chain? Hack them right to dev/null, get them the fuck off the internet. That would be a solid security endeavor.
This does not involve any "hacking" into anything. It simply unauthorized access by attempting default passwords, not hacking. Please fix the title. Thanks.
If they don't do it, someone else will.
This needs to be done to protect the dumbasses from themselves. Once they start to get educated about security then their digital footprint becomes a little safer but wy stop there, go to the manufactures of these devices and threaten traded sanctions if the manufactures do not do a better job at securing these things.
Somebody else will do it even if they do. So you think adding one more attacker is sane?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
"But hack devices deployed out there by a large and diverse group of people? Pure insanity." - Hacking devices with little-to-no security to inoculate them from botnets is pure insanity? Pray tell what do you find sane about the internet?
Is it not pure insanity to put null-security hardcoded credential IP devices on the internet GENERALLY? Why would preparing to mitigate their ongoing chronic and future abuse be the insanity here?
I would like the NSA to partner with corporations to secure these devices. It would be great if they started educating the public about exploits and helping manufacturers to close holes. Even foreign manufacturers. It is in the best interest of national security for the US not to have another major internet outage caused by insecure IoT devices.
We also need oversight in this area. Capitalism only works if the consumers know what they are buying. But people don't know. Similar to how we don't sell food without an ingredients list, we shouldn't sell network devices without an open ports list, and a list of hard-coded credentials, etc. Just the mere act of requiring a label will curb idiotic practices. It forces manufacturers to think about it, and it induces liability if they fail to do so.
This idea has traction because Japanese society is conformist in a way that makes home owners' associations look like anarchy. The government says they're going to do it, the press aren't going to really challenge them, and while there has been and will continue to be push-back from opposition parties and civil libertarians, Abe has the votes he needs to easily push this through.
Besides which, this idea of a massive public audit of IoT devices is not without merit. It would be another thing if the Abe administration were pushing for back doors in all IoT devices (which, as far as I can tell, they are not ).
Finding God in a Dog
Just as someone providing the key to their house or car doesn't make it stealing if either is opened, logging into something isn't hacking!
Or to put it another way, when I log into my email, I'm not hacking into my email.
Either that, or if we're going to use "hack" for standard logging in, then we need a word for when you use subversive means to get around not having a password to achieve access that was meant to be prohibited.
Yes. I've hacked various networks and then left messages for the admin to fix the vulnerability. Was me doing that worse for them?
As long as the Japanese government is honest about the aim of this project, then the end result will be a benefit for the people of Japan. Of course some transparency and third-party verification would be nice to keep them honest. But there's nothing inherently harmful about what they're doing.
This does not involve any "hacking" into anything. It simply unauthorized access by attempting default passwords, not hacking. Please fix the title. Thanks.
Exactly how does the fact that the password is easy to guess change the activity that is being performed in any way? It's hacking. The fact that it is hacking a second grader could do doesn't change that fact.
(and please spare us the standard geek indignation about the word hacking not meaning whatever positive thing you want it to mean)
I agree on the politics.
But this is not an audit. This is a "survey" by scanning and hacking attempt. A pretty bad idea overall. What useful data is supposed to come out of this? IoT devices already hacked (and most vulnerable ones will be) have their vulnerabilities closed to they cannot be taken away from the successful attacker. Hence they do not show up on this "survey". The ones that show up will be the ones that have withstood attack so far and the ones that have been online for only a very short time.
The whole thing is useless and potentially dangerous as it will provide deeply flawed data.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
... with warrant to go look through people's baby monitor cameras.
What could possibly go wrong?
Check your premises.
If you brick it after hacking it, you at least remove it from the pool of potential DDoS drones.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The "securing" is left to the owners (who usually cannot do it) and these will be notified months later, if at all.
That would be an idiotic idea. The proper way to handle this is to threaten device makers with gigantic penalties if their products are found to be insecure by default (measured against current good practice for duty of care) and/or not maintained/updated on a reasonable schedule to remain secure. There are FAR too many technologically impaired end users to expect them to adjust the default settings to be something reasonably secure or to update the devices regularly. If this makes the devices cost more then so be it.
It's probably ok in some cases to let advanced users tweak security settings but doing so should require special action on their part and probably a liability waiver (safe harbor) to the manufacturer of the device.
It's a commonsense approach to a serious problem. Hell, America could use citizen sleuths and crowdsource the effort.
Then, each sorry device could be reported to the owner aggregated and vendor's reps could be yelped.
I think it's a great idea.
It little behooves the best of us to comment on the rest of us.
You seem to have understood absolutely nothing. But what can you expect from an AC?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Well, if you are not flat-out lying, I hope there is some nice prison-time in your future. You are part of the problem.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Now, _that_ would be an idea. But this idea is also incompatible with modern ideas of right and wrong and generally is considered a criminal act as you are destroying property that is not yours without permission. We do have some exceptions for emergency conditions, like a fire marshal being allowed to order the evacuation or demolition of a building if it represents a direct danger to human life. In the IoT-field we do not have such laws and human life is not threatened (at least not yet).
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Since a lot of people here do not get it, I will post it again:
1. The devices vulnerable to this will already be part of a bot-net and the vulnerability will have been closed by the bot-net. Hence they will not even find most problematic devices.
2. They plan to let the ISPs and users fix this. This will accomplish absolutely nothing.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Forget "IoT devices"... there should be laws in every country to make anything with a "default password" illegal.
Hell, combination lock manufacturers can make them random. Why are software-based devices not doing it?
#DeleteFacebook
And you're the reason we can't have sensible laws.
What will they do if they find a vulnerable device? They could trace the IP address back to an ISP and ask them to contact the customer I guess. But what if they find some device that is vulnerable to an attack being used in the wild, or even already infected?
Ethically shutting it down or patching it is acceptable, but legally?
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Absolutely. If that public service is able to access it, so does the rest of the world. In fact, it should be incumbent to ISPs to make sure those devices cannot be easily turned into botnets. ISPs should scan for classical login/password and if found, set the firewall to block the device, send an email to the customer and let the customer remove the firewall rule when ready.
This should be one the basic services from an ISP.
And no this is not hacking, maybe not even unauthorized access. To give an analogy, it's like trying to open the door and if we find that the door opens, we build a wall of bricks in front of it to secure it.
I don’t know how successful that operation can be at getting consumers to fix their own setup (still, it’s worth trying), but it may well succeed in publicly shaming manufacturers of shoddy insecure designs (including lame default settings) and pressuring them to make better products. Even if consumers turn out to be too passive (or have too little knowledge) to fix the configuration of their own equipment, at least Japanese public opinion is sure to react to public announcements that XYZ product has caused this many millions of consumers to needlessly be exposed to hackers. So I see it as a smart move, and I applaud the fact that it was initiated through legislation.
Legally, they're the Japanese government and I doubt there's much stopping them. Would be different in the states.
Even if they don't have the legal authority to patch it, they could almost certainly order the ISP to take that IP offline until the customer has been contacted and has patched the issue.
Because he was playing around seeing what he could do, found hackable network and informed the owners? Sure he could have held the network for ransom I'm sure that would be better for everyone.. people like you are what's wrong with the world. I now understand why you post the things you do. You feel you're better than everybody else.
Your analogy fails because every single one of us knows (or should know) that our houses are insecure. Lockpicking is shit simple - I do that for fun also - but even without picking locks anyone can get into your house by busting a window, or breaking down the door. Houses aren't meant to be secure, and very few people are interested in implementing the kind of security needed to make them secure. Whereas every admin I've ever met wants to do everything he can to make sure his systems are secure.
In any event, I'm OK with you thinking I'm creepy. That's a subjective valuation which means little to me. I'm not OK with the other fuckwit claiming I'm causing harm.
If this story is true, then (regardless of its actual usefulness for the purpose) it would be a new, unique kind of event. So far, whenever we heard state agencies tampering with IT, it was for the worst of intentions, insecuring devices by planting back-doors into them.
I'm afraid that even if the Japanese approach was actually true to its intentions, the next state announcing something like this will only do so as a cover-up for the next round of surveillance intrusion.
List of default passwords exist.
Gov sends out a reminder that a site has network connected equipment that has default passwords.
Gov tests many sites and sends out many reminders to change the passwords.
Password policy is slowly changed all over Japan as the gov is now testing networks.
The cooperation with the government makes Japan stronger and more effective.
Attempt by China and North Korea to enter Japan by a network will now need more CPU power per attempt.
Should an attempt to get into a network be proved to have been using a default password after getting a gov reminder to change the password?
That could change the way the gov views the computer crime. From getting hacked and having a strong password policy.
To having not taken the past gov advice and then left a network wide open.
Domestic spying is now "Benign Information Gathering"
Every network facing password in Japan could be inspected by the gov.
Any that respond to a default password get a request to upgrade, change the password.
The gov tests again. Who took the advice. Who did not.
When China and North Korea enter a computer network in Japan the review will then ask about the password policy.
Was anything left open as a default after the gov issued its results and asked for a password change?
Can the company show it followed best practice and had changed its passwords as it was asked to do?
A company that changed its passwords all be ok.
A company that failed to take the "advice" when requested by the gov?
That will open up further questions.
Domestic spying is now "Benign Information Gathering"
It will detect all the devices left on default.
A gov can do that via its networks that face all networks in Japan.
Most deices will then change from the easy lists of default passwords. People from China and North Korea expecting their lists of default passwords to grant access to many networks all over Japan will have to revert to other more complex methods to enter networks in Japan.
Such changes from a list of default network passwords might just get detected/blocked.
The easy days of using a list of default passwords is then over on average.
Domestic spying is now "Benign Information Gathering"
You have seen the DDoSes from 1-2 years ago amplified by crappy IoT devices?
Do you know why they stopped?
Human lives are one thing, but threaten businesses and you'll see laws change!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.