Japan law will allow government to hack civilian IoT devices

Justification lies in concerns around the security of the infrastructure for next year's Olympic Games

Tokyo street

Japan approved a new amendment to a law on Friday which would allow government workers to hack civilians' personal technology as part of a vast survey of the country's insecure IoT devices.

The survey is being initiated as part of a plan to prevent a major cyber attack from crippling the infrastructure that will support the Tokyo Olympic Games in 2020, stemming from insecure IoT devices.

The concerns aren't without merit, sporting events are fast-becoming prime targets for cyber attacks. In February 2018, Pyeongchang's Winter Olympics was hit by a cyber attack during the opening ceremony.

The Olympic Destroyer malware was deployed by Russian-linked threat actors in what is believed to be a response to the banning of Russian athletes caught doping before Rio 2016. Shortly before the ceremony, the event's website was downed which saw users unable to buy tickets or access information. Normal service was resumed 12 hours later.

The state-sponsored hacking initiative will begin next month with a trial of 200 million devices, just webcams and modems to start with. The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.

The NCIT employees will be allowed to use default passwords and password dictionaries to break into devices. When they discover a particularly vulnerable device, a report will be sent to authorities and ISPs which will then prompt the device's owners to secure it.

"This is a very interesting response to the growing IoT cyber security problem, and it is about time a government stepped in with something other than a regulatory approach or voluntary standards scheme, said Ian Thornton-Trump, international head of security at AmTrust. "It is not without a North American precedent. Companies and law enforcement have used the US legal system to take down domains and systems that have been used in cyber-attacks of a criminal nature, including botnets. This is the first instance of applying that same philosophy proactively to IoT infrastructure.

"I can see how privacy advocates would see this as very intrusive; on the other hand, if your device is vulnerable or acting as part of a botnet and you don't have the resources to detect the activity, or even fix it -- who else is going to?

"Overall, the Japanese government action on IoT may bring to light just how serious a problem IoT is and I'm sure other countries will be very interested in the results of this program," he said.

The Ministry of Internal Affairs and Communications released a report which stated attacks aimed at IoT devices accounted for two-thirds of all cyber attacks in 2016.

There have long been calls for a ramp-up of security embedded in IoT devices and research from Gemalto states that just 48% of businesses have the necessary provisions to detect vulnerabilities in IoT infrastructure.

In fact, 79% of the 950 decision makers the company spoke to said they think the government should play a more involved part in combating IoT-related cybercrime, whether that involves creating a framework for firms to adhere to or making it clearer who is responsible for protecting IoT.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021
Report: Security staff excluded from app development
cyber security

Report: Security staff excluded from app development

20 Jan 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

20 Jan 2021
SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021

Most Popular

Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021