The Japanese government has authorised its technology ministry to test the security credentials of about 200 million IoT devices used by citizens in an attempt to raise awareness of weaknesses in IoT security and to find vulnerabilities ahead of the 2020 Olympic Games which will be hosted by Tokyo.
The massive state-sponsored ethical hacking campaign, which will be conducted by the National Institute of Information and Communications Technology from mid-February, will involve technicians attempting to break into about 200 million IoT devices, including routers and webcams, and obtaining login IDs and passwords associated with such devices.
Largest-ever government campaign to test IoT security risks
The campaign will be carried out under the supervision of Japan’s Ministry of Internal Affairs and Communications and its findings will form part of a survey carried out by the government to measure the state of IoT security in the country ahead of the Tokyo Olympics.
However, any private data accessed by technicians while carrying out hacking attacks on IoT devices will not be released and those whose devices will be hacked will be informed of vulnerabilities in their devices and advised about safeguards they could implement.
Even though the campaign will involve the attempted hacking of millions of IoT devices, the sample size is no more than a drop in the ocean as the number of connected devices in use in Japan was over 20 billion in 2017 and is expected to touch 75 billion by 2025.
This will be the Japanese government’s second such initiative in as many months to ensure the safety and security of citizens’ data and to keep them safe from malicious hackers and state-sponsored entities.
Last month, the government issued guidelines to central government ministries and the Self-Defence Forces, directing them not to procure personal computers, servers and telecommunications equipment from certain vendors from April, as malicious software embedded in such equipment could either leak data to outside servers or disrupt operations.
According to Nikkei, the Japanese government is also asking private organisations in 14 critical infrastructure sectors, including the power grid and railways, not to deploy equipment that could be vulnerable to information leaks or system shutdowns. The move could force a large number of Japanese firms into getting rid of equipment supplied by Huawei and ZTE in the coming days.
Move could prevent hackers from breaching citizens’ privacy
Commenting on the Japanese government’s move to test security credentials of millions of IoT devices presently in use in the country, Craig Young, computer security researcher for Tripwire’s VERT, said that this is a reasonable action by the government of Japan as unsecured Internet devices are an existential threat to the many aspects of the economy and public safety which rely on the public Internet.
“In addition to the privacy concerns related to what data or private networks are exposed by these insecure devices, Mirai and similar botnets have shown that IoT botnets can be incredibly effective at large-scale DDoS attacks. The risk of wide-scale IoT compromise may also extend beyond the Internet in some circumstances.
“An attacker with control over enough smart outlets, thermostats, or appliances could likely disrupt critical public services like energy, water, and sewer services by creating sudden spikes in demand to overwhelm infrastructure. Does anyone really know what will happen if a couple hundred million lamps are turned on and off simultaneously across a nation? What about if an excessive number of thermostats are suddenly set to the extreme?” he said.
“In my opinion, the question about whether this is a government invading its civilians’ privacy is misguided. Without any action, these devices remain vulnerable and may be accessed by anyone with the will to find them. The question then is whether it is preferable to have someone from the government find and notify civilians about insecurity or to leave these systems for those with malicious intent to find,” he added.