Japanese government will try to hack its citizens’ IOT devices
Starting next month, the Japanese government is going to try its hand at credential stuffing the country’s Internet of Things (IoT), including gizmos at both the enterprise network level down to citizens’ “oops, never changed the default password!” webcams and everything in between.
Credential stuffing is when attackers grab login credentials that have been breached, then e-wander around plugging them into other places, trying to find out where else those same credentials have been used. Because a lot of users have the bad habit of reusing the same passwords across several websites, the tactic is successful far too often.
According to NHK, Japan’s national public broadcasting organization, the government approved of the first-of-its-kind venture on Friday.
The plan: in mid-February, staff at the National Institute of Information and Communications Technology (NICT) will generate user IDs and passwords and use them to try to break into a randomly selected batch of about 200 million IoT devices, such as routers and webcams.
Then, the owners of the breached devices will be told to bolster their cybersecurity.
The aim is to shrink the surface area available to attackers in the run-up to the Tokyo Olympics and Paralympics in 2020. That’s not a bad idea: after all, some systems went down around the time of the opening ceremony for the Winter Olympics in Pyeongchang, South Korea, last year.
We never did hear exactly what happened with the Winter Olympics 2018 incident, though some US intelligence operators reportedly blamed Russia, which, they said, tried to make it look like North Korea did it.
While the goal is to clean up for the Olympics, the collateral will be, hopefully, far greater security in general. The NICT has reported that IoT devices are at the heart of a large number – 54% – of the cyber attacks it detected in 2017.
Little devices add up to brawny botnets
IoT devices might seem like small potatoes, computing-wise, but they can be corralled into swarms that can do a lot of damage.
The FBI believes that Russia was behind a giant-sized IoT botnet known as VPNFilter that sprung up in May 2018. The bureau believes that VPNFilter was created by the Russian Fancy Bear group, also known as Sofacy Group or apt28, among other names.
More recently, a Bay Area family was terrorized when their IoT Nest security camera got hijacked by an attacker who used it to broadcast a fake warning about three incoming intercontinental ballistic missiles (ICBM) launched from North Korea.
Unfortunately, just as it’s far too common for people to reuse passwords or fail to change their IoT devices’ default passwords, so too is it common, and easy as pie for researchers and creeps alike, to use a search engine like Shodan, which roams the web looking for the unsecured devices.
By wandering the internet to find vulnerable devices, the Japanese government isn’t doing anything particularly novel. It well might feel like Big Brother is prying into its citizens’ webcams or other IoT devices, because, well, it is. But it’s not doing anything that security researchers or ne’er-do-wells aren’t also doing.