Fri. Feb 22nd, 2019

Japan’s IoT Security Strategy

Japan plans to identity vulnerable internet devices by trying to log into them.

On Friday, the government approved a plan for a survey of the country’s vulnerable devices; the survey, due to start next month, will be carried out by the National Institute of Information and Communications Technology (NICT) research agency.

In November, Japan passed a law that allowed NICT to access IoT devices for five years, in which the survey will help reveal the country’s vulnerability to cyberattacks ahead of it hosting of the 2020 Summer Olympics.

Then NICT will be allowed to scan for IoT devices and then attempt to log into the devices using lists of default and common credentials. In addition, the survey will cover some 200 million IoT devices. In the event that vulnerable devices are found, the plan is to inform device owners.

IoT: A Soft Spot

IoT devices have become an increasing source of security problems, both for their potential to expose sensitive data and weak security configurations.

An high priority issue is that manufacturers for years have shipped devices with weak or default login credentials. This can eventually lead to a bigger problem if a device, such as a security camera, is directly exposed to the internet.

Attackers have been searching the internet for potentially weak devices, to make an attempt to log into them. Taking over a router could allow an attacker to snoop on traffic or change DNS settings, which can be a prelude to other data-stealing attacks.

Due to the low computing power of IoT devices, they’re very suitable for distributed denial-of-service attacks.

The Fix

Shodan is a search engine that can be used to identify potentially vulnerable IoT devices that face the internet and  allows for search queries based on certain parameters.

Once a device has been found, taking it to the next level – attempting to log into the device – is generally a criminal offense in most countries. That presumably is the case in Japan as well and the reason why the law had to be modified to make it legal for the survey .

The change in the law should make it easier to identify vulnerable devices. The larger problem is trying to resolve the vulnerabilities.

Adjusting the vulnerabilities that lead to large botnets has been perplexing. About a decade ago attackers commandeered large networks of desktop computers via browser and their operating system vulnerabilities.

Law enforcement agencies and private companies had success in shutting down the command-and-control servers for those botnets; however, it left the problem of cleaning up infected devices.

Furthermore, IoT manufacturers pledge to improve their security, including mandating that customers change default credentials. The only thing Japan will have to do is find the devices.