The Japanese Government has recently approved a law amendment to hack into Internet of Things connected devices, in an effort to facilitate greater awareness and understanding of cyber security and the threats they pose.

The unprecedented move comes following the results of a survey highlighting insecure IoT devices across the country.


Government-backed IoT hack

The pending survey will be carried out by the National Institute
of Information and Communications Technology (NICT), under the supervision of the Ministry of Internal Affairs and Communications. These teams will test the password security of over 200 million IoT devices across japan, beginning with routers and webcams across both home and enterprise networks.

Japan’s Ministry of Internal Affairs and Communications said that the hacking would target up to 200 million IoT devices, beginning on February 20.

NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers’ IoT devices.

This organised hack will not extend to personal smartphones or computers.

According to a Ministry of Internal Affairs and Communications report, attacks aimed at Internet of Things connected devices accounted for two-thirds of all cyber-attacks in 2016.

The plan is to compile a list of insecure devices that use popular, default and easy to hack passwords.

If successful, NICT employees will pass this information on to authorities and relevant internet service providers, so they can take measures to alert consumers who can secure their devices.

Citizens are also being advised that, if anyone thinks they may be vulnerable or subject to a hack, reprogram their devices and change their passwords in time.

The Japanese government embarked on this plan in preparation for the Tokyo 2020 Summer Olympics, to avoid the potential of hackers abusing IoT devices to launch attacks against the Games’ IT infrastructure.


Hacking & the Olympic Games

The Japanese Government are justified in their fears. Russian nation-state hackers deployed what they dubbed the ‘Olympic Destroyer’ malware before the opening ceremony of the PyeongChang Winter Olympics held in South Korea last year.

The attack was launched in response to the International Olympic Committee banning hundreds of Russian athletes from competing.

Russian nation-state hackers have also built a botnet of home routers and IoT devices – VPNFilter – that the Ukrainian intelligence services said was being planned to be used in order to hinder the broadcast of the 2018 UEFA Champions League final, to be held in Kiev in 2018.


Is hacking ever a good idea?

The Japanese Government’s decision to log into its citizens’ IoT devices has sparked outrage. Many have argued that this is a somewhat unnecessary step, as the same results could be achieved by sending a simple security alert to IoT connected users instead. A follow up argument also suggests that there is no guarantee that uses found to be using default or easy to guess passwords would even change their passwords upon private notification.

However, there are merits to the government’s plans. Many IoT and router botnets are being built by hackers who aim to take over devices with default passwords. Hackers can also build botnets to help with vulnerabilities in router firmware. However, the easiest way to assemble a botnet, is simply by collecting the ones that users have failed to secure with custom passwords.


What’s your password?

SplashData release an annual report covering the world’s most popular worst passwords. Undoubtedly a report that provokes an abundance of sniggers for those who read them, but massively worrying to cybersecurity professionals – hence the Japanese Government’s plan.

The most popular passwords in the world in 2018, were:

  • 123456
  • Password
  • 111111
  • Sunshine
  • Qwerty
  • Iloveyou
  • Princess
  • Admin
  • Welcome
  • 666666

Despite much-publicised warnings and data breaches of firms such as Facebook, Marriot, Google, Quora, Twitter – and even British Airways – people still continue to use weak passwords.

Some users admit that they find it hard to remember the long, complicated passwords they’ve been told to use in the past, leaving them perpetually locked and requesting new passwords from providers. Others have simply used the same passwords for years, often across multiple accounts and are examples of old habits dying hard.

While SplashData’s list is relatively tongue in cheek; intended to drive people towards its password management products, there is a serious message underlying: As data breaches become much more commonplace, users need to protect their data.


How to create a secure password

It’s reported that in Italy, users are now changing their passwords once a year, to remain secure. If you’re considering changing your password practices, there are a few simple things to get you on track.

Password length, for example, is important. To remember longer passwords, some people advise using a phrase, such as a line from a book or film, t help you remember. Cyber-criminals often use automated tools to gain access to passwords, and this approach helps make their task more difficult.

Security expert Brian Krebs advises:

Do not use words that can be found in the dictionary. Password-cracking tools freely available online often come with dictionary lists that will try thousands of common names and passwords. If you must use dictionary words, try adding a numeral to them, as well as punctuation at the beginning or the end of the world – or both!

Password management software is also a great place to store passwords, to help make them easier to remember. It’s advised never to store passwords in plain text documents, where they can be accessed online or on a device.

While it may seem old fashioned – and a bit crackers – many cybersecurity experts aren’t against good old paper books, listing passwords either. While perhaps worthy of a giggle, the logic behind this is sound – and simple: as long as the book doesn’t leave your house, a cyber-criminal won’t gain access. They’d have to physically break in to your house, defeating the point of being a cyber-criminal in the process.

Remember: if a service you use has been hacked, it’s vital you change your password straight away. Avoid using the same password across multiple sites – and change them as soon as possible if you do!