Japan Intends to Preventively Hack Citizens' IoT Devices
According to NICT findings, IoT devices were abused in 54% of all cyber attacks it detected in 2017. While we cannot independently confirm the findings, the figure appears realistic. Most users are aware that their computers or smartphones can fall victim to hackers and malware, but few people extend such considerations to internet-connected webcams, coffee makers or light bulbs.
This leads to two problems:
IoT devices are often very badly secured, shipping with default passwords (123456, password, pass1234, etc.) and never being updated. This makes it incredibly easy to break into them. In fact, it appears that NICT's approach to breaching devices relies on trying very common username and password combinations.
When IoT devices are compromised, the compromise often goes unnoticed. Unlike computers or smartphones, a coffee maker or light bulb has no clear indicator to show that it is being controlled by attackers until it starts being abused (and sometimes not even then).
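As an added illustration of the two problems above (not code from the article or from NICT), the following audit checks a device inventory for exactly the weaknesses described: credentials that would fall to a list of common defaults, and firmware that has not been updated. The inventory, the weak-credential list and the cut-off date are constructed for this example; a real deployment would feed it from an asset register.

```python
# Added example: audit an IoT inventory for default credentials and stale firmware.
# All device records and word lists below are constructed for illustration.
from dataclasses import dataclass

# A few of the defaults named in the article plus common router/camera defaults.
WEAK_PASSWORDS = {"123456", "password", "pass1234", "admin", "12345678", ""}
WEAK_USERNAMES = {"admin", "root", "user", "guest"}


@dataclass(frozen=True)
class Device:
    name: str
    username: str
    password: str
    firmware_date: str  # ISO date (YYYY-MM-DD) of the last firmware update


def is_weak_credential(username: str, password: str) -> bool:
    """True when the pair would fall to a common-default dictionary:
    the password is on the weak list, or a default account reuses its own name."""
    user, pw = username.lower(), password.lower()
    return pw in WEAK_PASSWORDS or (user in WEAK_USERNAMES and pw == user)


def audit(devices, stale_before: str = "2018-01-01"):
    """Return (device name, [issues]) for every device with a finding.
    ISO date strings compare correctly as plain strings, so no parsing is needed."""
    findings = []
    for d in devices:
        issues = []
        if is_weak_credential(d.username, d.password):
            issues.append("default-or-weak-credential")
        if d.firmware_date < stale_before:
            issues.append("firmware-not-updated")
        if issues:
            findings.append((d.name, issues))
    return findings


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Device("webcam-1", "admin", "123456", "2016-05-01"),
    Device("bulb-2", "owner", "Tr0ub4dor&3", "2019-02-10"),
    Device("coffee-3", "admin", "admin", "2017-11-20"),
    Device("router-4", "root", "R00t-str0ng!", "2019-01-01"),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY):
        print(f"{name}: {', '.join(issues)}")
```

The two flagged devices are precisely the ones a credential-guessing scan of the kind the article describes would reach; running such an audit on one's own inventory is the owner-side counterpart of that scan.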
Combined with the always-online nature of IoT devices, this makes them ideal staging grounds for proxy servers that hide attacker identities, temporary data stores or agents in Distributed Denial of Service (DDoS) attacks. With several high-profile, likely state-actor-backed, attacks over the past years, the Japanese government appears worried that similar attacks will take place during the 2020 Olympics.
Therefore the country-wide scan can be seen as a preventive measure.
What are the counter-indicators?
There are two main issues with this plan.
The first one is that it is a case of a government actively hacking into devices owned by its residents. The current plan in itself doesn't raise too many red flags, but it nonetheless lays the groundwork for further similar projects. As with any law that weakens the protections of individual residents against the government, there is a risk that the scope of such attacks will gradually increase and become problematic in the future.
The second issue is that Japanese citizens have a constitutional right to privacy. Since some IoT devices are equipped with microphones or cameras, the planned scan operates at best in a legal gray zone. While government officials have declared that no such devices or files will be accessed, there appear to be no clear legal boundaries covering the access, retention and deletion of data in place.
The Japanese government is proposing a rather dramatic step to improve the country’s cyber security. In the context of recent cyber attacks by state actors, the objective need for tighter security will likely outweigh any subjective fears of escalation in the short run. We expect the scan to be concluded. We also estimate the risk of a scandal concerning the abuse of gathered data to be relatively low at this point in time.
However, the seemingly rushed nature of the proposal and the lack of clear guidelines and limitations is an oversight that may have very costly results 5-10 years down the line. Once legal and practical precedent is established, the current measures run the risk of being escalated into something much more dangerous by opportunistic lawmakers of the future.