Starting today, Japan’s National Institute of Information and Communications Technology (NICT) will begin testing the security of Internet-connected devices that belong to citizens and businesses. Without notifying owners, the agency will use default credentials to try to log in to possibly millions of gadgets across the country as part of a nationwide cybersecurity experiment due to end in 2022.
The project will be conducted in cooperation with the country’s major Internet Service Providers (ISPs). The aim is to root out Internet of Things (IoT) devices with weak security. Then, ISPs will warn owners that their devices are vulnerable to cyber attacks.
The government recognized poor IoT security as a threat to national security in a paper on cybersecurity published in 2015. And with the 2020 Summer Olympics to be held in Tokyo, the eyes of the world will soon focus on Japan, placing the country’s ability to hold a trouble-free Olympics under international scrutiny.
Consequently, the government has come up with the NICT IoT security-test project in an attempt to proactively address security concerns. The project is officially named the National Operation Towards IoT Clean Environment, or NOTICE, and was authorized by Japan’s Ministry of Internal Affairs and Communications.
Hiroyuki Sato, associate professor at the University of Tokyo’s Information Technology Center, says that while he understands the motivation for such testing, it is nevertheless being conducted without the public’s consent.
Sato points out that last year, the government had to revise an existing NICT regulation—the so-called NICT Law—in order to avoid the project conflicting with a general law prohibiting unauthorized computer access. “This indicates that this device testing still has several problems concerning civil rights,” he says. “I’m concerned this decision by the government is a hasty one.”
He also says the government could have done a better job explaining to the public and the business sector how the collected data will strengthen security, or whether the data will be used for other purposes.
“The explanation given so far is not sufficient,” says Sato. “Which is an all-too-common way of Japanese governing. A more detailed account is necessary.”
In an effort to reassure the public that NOTICE will not lead to the disclosure of private content, NICT issued a press release on 1 February explaining the “investigation is to check whether the password set in each IoT device is easily guessed (e.g. 123456, 00000000, etc.).”
The announcement says there will be no intrusion into devices or acquisition of “information other than that required for the investigation. As for information obtained by the investigation, strict control measures will be taken in accordance with NICT’s work implementation plan approved by the Minister for Internal Affairs and Communications.”
Sato does not doubt the ability of NICT to properly carry out NOTICE. He says NICT has experience in conducting IT tests and surveys. He also believes such testing is indispensable for ISPs to understand the status of their network security. However, he does question how effective the practical results will turn out to be. Ordinary people, he says, won’t know how to react when told their devices are vulnerable.
“Most people don’t know the account information of old devices and don’t know how to patch for any security failings,” he says. “So I expect effective results will be limited.”
A better approach, he believes, would have involved ISPs carrying out less drastic testing in advance of the NOTICE tests. This would have better prepared the nation for NICT’s intrusive program, he says.
Going forward, Sato expects the ISPs to update their firmware to help strengthen network security. And he thinks device manufacturers will be strongly advised by the government to take responsibility for security when releasing new models.
Meanwhile, the rest of the IT world will look on with keen interest to see how NOTICE proceeds and how users whose devices are targeted will react.