Japanese Government to Hack into All Its Citizens Devices…Wait What?

Do you ever feel like the government is watching you through your smart devices? Well in Japan, they have the luxury of not having to worry about that; they KNOW their government is attempting to hack into their devices.  

The Japanese government approved a law amendment in January that allows government workers to hack into citizens' Internet of Things (IoT) devices as part of a survey of insecure devices in Japan. The only parties required to give consent are the internet service providers, not the individual device owners.  

The survey is going to begin sometime this month and will be conducted by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications. They will begin by testing routers and web cameras, since those devices are the most easily hacked, but in all the NICT is expected to attempt to hack roughly 200 million IoT devices. They will try common passwords like “abcd” and “1234” as well as the default passwords that ship with the devices. It’s not uncommon for the default password of your router to show up on an online list for hackers to use. Private devices will be tested as well as public routers that provide free internet. 

The reasoning for this is to strengthen the overall cybersecurity of the country. After the survey is completed, a list will be compiled of all the devices that were easily hacked into with basic and default passwords. The owners of these devices will be informed and encouraged to change their passwords. Japan wants to improve its cybersecurity ahead of the upcoming 2020 Tokyo Olympics, for fear of hacking attempts similar to those during the 2018 Olympics in PyeongChang. The concern is understandable, considering that large events are a major target for hackers. It’s also worth noting that two-thirds of cyberattacks in 2016 were aimed at IoT devices, according to the Ministry of Internal Affairs and Communications, which is overseeing the NICT for this survey.  

However, there has been backlash for this plan from the Japanese community. There are obvious security and privacy concerns here, and there is no guarantee that those who are informed about their easily guessable passwords will change them anyway. It can be argued that a security alert would accomplish the same thing.  

Whether the Japanese government is doing the right thing or the wrong thing isn’t for me to decide. I don’t live in Japan, and I don’t know nor claim to know the politics and laws of Japan. So regardless of personal beliefs on this matter, I am very interested in what their findings will be. If you were an upset citizen who didn’t want the government hacking into your device, why wouldn’t you just change the passwords on your devices to something stronger than what the government will check for? Then you don’t have the government (or anyone else) breaking into your stuff, and the government gets what it wants because device security has increased. That’s a win-win!  

I hope the number of devices with poor passwords is low, but I have a feeling the percentage will be higher than expected. The most common passwords in 2018 were “123456” and “password”, which most 12-year-olds would be able to guess eventually. The tactic the government is using is not so different from something used by IT managed services providers.  

There are a variety of tools and steps that IT Managed Service Providers use to harden network security and in turn minimize the risk of security breaches. Some basic steps are under the IT provider’s own control, such as regularly updating the passwords for routers/firewalls, switches, printers and any other piece of network equipment that uses a password to access administrative functions. There are also company policies that can be put in place for end users to follow. These range from password policies that enforce complex passwords which expire after a set period, to two-factor authentication as a way to verify that the person attempting to access an account is authorized.  
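To make the password-policy side of this concrete, here is an added example (not code from the original post or from any provider it describes) of the kind of check a provider could run before accepting a new administrative password on a router or camera. It rejects short passwords, passwords with too few character classes, the commonly guessed values the post mentions (“abcd”, “1234”, “123456”, “password”), a common password merely padded with digits, and the factory default for the device model, and it flags passwords older than a set period. The weak-password list, the device-default table and the sample inputs are all constructed for illustration; a real deployment would use the vendor’s default list and a far larger breached-password set.

```python
"""Password-policy checker for network-equipment admin passwords.

Added example, not from the original post. WEAK_PASSWORDS and
DEVICE_DEFAULTS are constructed illustrative data, not real vendor lists.
"""
import re
from datetime import date, timedelta

# Constructed blocklist: the post's own examples plus a few well-known weak choices.
WEAK_PASSWORDS = {"abcd", "1234", "123456", "password", "admin", "qwerty"}

# Constructed factory defaults keyed by a hypothetical device model name.
DEVICE_DEFAULTS = {"router-x1": "admin", "cam-200": "1234"}

MIN_LENGTH = 12        # minimum password length enforced by the policy
MIN_CLASSES = 3        # of: lowercase, uppercase, digit, symbol
MAX_AGE_DAYS = 90      # passwords older than this must be rotated

CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def check_password(password, device_model=None):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if lowered in WEAK_PASSWORDS:
        problems.append("matches a commonly guessed password")

    # Catch "password2019!"-style padding: strip trailing digits/symbols and re-check.
    stripped = re.sub(r"[0-9!@#$%^&*]+$", "", lowered)
    if stripped != lowered and stripped in WEAK_PASSWORDS:
        problems.append("is a common password padded with trailing digits or symbols")

    if device_model is not None and password == DEVICE_DEFAULTS.get(device_model):
        problems.append("matches the device's factory default")

    present = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if present < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")

    return problems


def password_expired(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """True when the password is older than the policy's maximum age."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample inputs: a factory default, a padded common password,
    # and a password that satisfies the policy.
    samples = [
        ("1234", "cam-200"),
        ("password2019", "router-x1"),
        ("Tr0ub4dor&3xample!", "router-x1"),
    ]
    for pw, model in samples:
        issues = check_password(pw, model)
        verdict = "OK" if not issues else "; ".join(issues)
        print(f"{model:10} {pw!r:22} -> {verdict}")
    print("expired:", password_expired(date(2019, 1, 1), date(2019, 5, 1)))
```

The trailing-padding check matters in practice: a complexity rule alone accepts “password2019” as long enough and mixed-class, which is exactly the kind of value a default-credential survey would still guess. Checking the stripped form against the blocklist closes that gap without needing a full breached-password database.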

Unfortunately, this sometimes isn’t enough, and often the weakest link in the chain securing sensitive information is the end user. Therefore, email security training and password training are critical to the security of any network. One way IT providers accomplish this is by running email phishing campaigns with the permission of their clients. These campaigns help identify, and provide training to, users who are more likely to open a link or attachment in a suspicious email. So, just as citizens in Japan will be alerted that they were “breached” by the government because of their weak passwords, end users are informed that they were “breached” by clicking on a fake phishing email. This is also called “virtual phishing” or vPhishing. 

Regardless of your view on Japan’s password testing, it is a very interesting situation to watch. I look forward to seeing the findings when they are released in a few months’ time.