New Japanese Law Lets Government Hack IOT Devices, Warn Owners They're Vulnerable
from the internet-of-broken-things dept
By now we've established pretty clearly that the well-hyped "internet of things" sector couldn't actually care less about security or privacy. Companies are in such a rush to cash in on our collective thirst for internet connected tea kettles and not-so-smart televisions, they don't much care if your new gadget was easily hacked or integrated into a DDoS botnet. And by the time security and privacy flaws have been discovered, companies and consumers alike are off to hyperventilate about the next must-have gadget, leaving untold millions of devices in the wild as new potential points of entry into home and business networks.
While most countries hem and haw without doing much of anything about the problem, Japan's government this week proposed a unique legislative solution. A new Japanese law (pdf) passed this week authorizes the Japanese government to actually hack into poorly-secured internet of things devices as part of the country's attempt to conduct a survey measuring the real scale of the problem:
"The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications. NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices."
Devices shipped with default usernames and passwords that users are too lazy (or technically incompetent) to change continue to be a huge problem in IoT devices and routers alike. Once the Japanese government has confirmed the vulnerability, it intends to send notices to impacted users in a bid to scare them into actually securing the devices. A Ministry of Internal Affairs and Communications report (pdf) was quick to note that attacks targeting poorly-secured IoT devices comprised two-thirds of all cyberattacks in 2016.
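The signal the survey relies on is visible from the device owner's side too. As an added example (not code from the article or from NICT), here is a small detector run over constructed login records: it flags a source that sweeps through factory-default account names and, worse, one of those accounts actually logging in. The log format, the default-account list and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed syslog-style login records for illustration only (not real data).
SAMPLE_LOG = """\
Jan 26 10:00:01 cam01 login[512]: FAILED LOGIN user=admin from=203.0.113.7
Jan 26 10:00:02 cam01 login[512]: FAILED LOGIN user=root from=203.0.113.7
Jan 26 10:00:03 cam01 login[512]: FAILED LOGIN user=support from=203.0.113.7
Jan 26 10:00:04 cam01 login[512]: LOGIN OK user=admin from=203.0.113.7
Jan 26 10:05:00 cam01 login[520]: FAILED LOGIN user=alice from=198.51.100.9
Jan 26 10:05:30 cam01 login[521]: LOGIN OK user=alice from=198.51.100.9
"""

# Illustrative factory-default account names (an assumption; extend per vendor).
DEFAULT_USERS = {"admin", "root", "user", "support", "guest"}

LINE_RE = re.compile(
    r"login\[\d+\]: (?P<result>FAILED LOGIN|LOGIN OK) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)"
)

def summarise(log_text):
    """Per source address: failed logins on default accounts, and whether one succeeded."""
    stats = defaultdict(lambda: {"default_failures": 0, "default_success": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("user") not in DEFAULT_USERS:
            continue  # unparseable lines and ordinary accounts are not the signal here
        entry = stats[m.group("src")]
        if m.group("result") == "FAILED LOGIN":
            entry["default_failures"] += 1
        else:
            entry["default_success"] = True
    return dict(stats)

def flag_sources(log_text, threshold=3):
    """Sources worth reporting: a default account that actually logged in (the
    'confirmed vulnerable' case) or a sweep of failed default-account attempts."""
    findings = []
    for src, s in summarise(log_text).items():
        if s["default_success"]:
            findings.append((src, "default account logged in; change its password"))
        elif s["default_failures"] >= threshold:
            findings.append((src, "default-credential sweep observed"))
    return findings

if __name__ == "__main__":
    for src, reason in flag_sources(SAMPLE_LOG):
        print(f"{src}: {reason}")
```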
Obviously letting the government hack into consumer and business devices isn't being welcomed warmly in Japan, where many understandably don't trust government with such a task. But it's worth noting these kinds of "solutions" are only emerging in the wake of years of apathy contributing to a global crisis, one many experts say will inevitably result in potential mass casualties as essential infrastructure becomes increasingly vulnerable. Collectively we've largely yawned at the problem, since much of its impact is what security expert Bruce Schneier calls "invisible pollution":
"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
While other solutions for this problem are being explored (like mandating the inclusion of privacy and security issues in product reviews), they've been few and far between in actually materializing, since giving a damn will actually cost money. Experts like Schneier have long argued that given this market and consumer failure, government needs to play some role in coordinating some rules of the road for flimsy IOT security. Perhaps letting government itself hack into your poorly secured Barbie is a bridge too far (who'd follow up to confirm government didn't abuse the privilege?). But if that's the case, what's the solution?
Filed Under: hacking, iot, japan, nict, proactive hacking, security
Reader Comments
Agree with Doctorow and Boing Boing
It should really be called IoS, not IoT.
Internet of Shit not Internet of Things.
Re: Agree with Doctorow and Boing Boing
Well, you are overlooking something: "IoT" stands for "Internet Of shitty Things" (or "Internet Of Trash"). The 's' is silently dropped because it isn't as aesthetically pleasing (which is like all 4% of the concern of most people regarding IoT... the other 95% of concern is fictional, and 1% undecided).
Re: Re: Agree with Doctorow and Boing Boing
Better naming idea: The Network of Personal Electronics. After all, once people learn about all this bullshit being done with their Echos and whatnot, the typical reaction is NOPE.
Re: Re: Agree with Doctorow and Boing Boing
It is more sensible to call things what they are up front. IoS - Internet of Shit. Not called that generally due to media being averse to saying 'shit'. DRM - Digital Restrictions Management not 'rights' management as it has nothing to do with the purchasers rights. The list, especially in tech, is near endless.
Yet again the govt can do something that anyone/everyone else would get locked up for! Strange how the world is still being taken over, without any bullets or bombs being used, but achieving the same thing: putting these various countries under the rule of the rich and powerful while ensuring it's illegal to make ordinary people aware of what these fuckers are up to! I.e., basically, a world of slavery, run by those of the same mindset as the ones who used weapons 70+ years ago!
Re:
Given the rest of our stuff the government believes it can hack at will with no accountability, this is actually kind of refreshing. Government admitting it is going to hack pretty much whatever they want.
And maybe if consumers care enough about the government snooping on them, they'll stop buying these devices or insist on privacy and security features.
Re:
The actual government scanning doesn't even need to happen. They just need to say they're going to scan on a certain date; then scans from official-looking hostnames will happen and we'll find that all of the default passwords will have been changed.
Re:
Arguably, there are some things that government should be doing that its citizens should not have to do. For example, feeding the poor and destitute. Oh - also maintaining an army for self defense ... but not imperialistic war mongering.
Re:
Personally, there are certain activities that I believe individuals and corporations should be barred from pursuing that I think the government under full transparency should be allowed to do. This ensures that some level of protocol is followed and there is accountability in place.
For me, this falls nicely into that category. After all, the government can already do what they're proposing without notifying anyone and get away with it. So the fact that they're making a formal program out of it means that things will be better managed, not worse.
But yeah, one thing that has to be stopped is government programs with no transparency or accountability. Especially with network scans, the government should be required to publish the full reports of their activities. That way, if anyone fails to secure their network after the notification, the entire world will know.
Re:
This. Another example is that if you tried to structure a pension plan the way the US government currently operates social security, you'd get the cell next to Bernie Madoff for running a Ponzi scheme.
The New Japanese Law
Does the new law let the government hack IoT devices, and then not warn owners they're vulnerable?
Because here in the states, that's what would happen.
Re: The New Japanese Law
You mean in the US, that's what already happens. All records get shrouded by the security clause and you have to know what to ask for and file a lawsuit to get any of the information.
Hacking IoT vs Hackbacks?
I wonder what will happen if someone, somewhere, gets their device hacked this way at a government facility, or who occupies an important official post. Perhaps in France, or a French ambassador to Japan.
Will France hack the Japanese government right back?
"Once the Japanese government has confirmed the vulnerability, it intends to send notices to impacted users in a bid to try and scare them into actually securing the devices."
Hopefully using a secured connection, since most IoT communications are not secured, hence their vulnerability with a password change.
In Soviet Russia... wait, no... in Buddhist Japan, government hacks you!
Sounds like the Japanese just wrote themselves a law to hack foreign computers.