Access Management , Endpoint Security , Governance & Risk Management

Japan's IoT Scanning Project: Insecure Devices Found

But Port Scanning Project Found Small Number of Problematic Devices
Japan's IoT Scanning Project: Insecure Devices Found
Tokyo's skyline (Photo: Derrick Brutel via Flickr/CC)

Japan embarked on an ambitious project: scan its entire 200 million IPv4 address pool for insecure connected devices.

See Also: How to Empower IT with Immutable Data Vaults

Their targets were devices such as routers, web cameras and sensors that use default login credentials as well as devices infected with malware such as Mirai, the IoT worm used for massive distributed denial-of-service attacks (see New Mirai Variant Exploits NAS Device Vulnerability).

The plan, called the National Operation Towards IoT Clean Environment, or NOTICE, involves alerting ISPs of problematic IP addresses. Then, those ISPs get in contact with their customers, who, in theory, could take action to secure their device.

Japan’s National Institute of Information and Communications Technology, or NICT, which ran the program, recently released an overview of the findings for fiscal 2019. The results are encouraging: The problems aren’t terrible, but they do highlight how many insecure devices are vulnerable.

National Security Concern: A Toaster

Many countries are increasingly worried about how the internet-connected devices in homes could be accessed by malicious actors and cybercriminals.

Weak credentials could allow access to private cameras, insecure routers could leak data and, even worse, home medical devices – used for remote patient monitoring – could risk someone’s life if tampered with or shut down.

Japan’s program is commendable and perhaps a model for other countries to improve the security of IoT devices, says cryptographer and security expert Bruce Schneier.

Bruce Schneier

“The more countries that pay attention to this, the better we will do,” Schneier says. “The weird thing is that this is a national security concern. It’s kind of mind boggling that the security of your toaster actually affects national security, but it does.”

But Schneier says there is a weak link in Japan’s program: consumers.

“Telling consumers to do something that they don’t know how to do is not going to work,” Schneier says. “It’s like if I called you and told you there’s a problem with your car that you have to fix. It will just never get fixed.”

Schneier recently co-authored a position paper with the Atlantic Council advocating that regulations for U.S.-based retailers could ensure only secure IoT devices are sold. The idea is retailers will pressure their own suppliers to build more secure devices or risk losing the market (see How Amazon and Walmart Could Fix IoT Security).

“In order for this to work, it has to result in the government fining the companies,” Schneier says.

Weak Login Credentials

Japan’s project was born out of worry. The nation was slated to host the 2020 Olympics this summer, and it anticipated the event would increase its potential exposure to large-scale cyberattacks. Due to the COVID-19 pandemic, the sports event has been postponed until July 2021.

The scanning exercise has continued to provide crucial data on the security of consumer connected devices. NICT says that overall, the number of devices that have easily-guessed passwords or are infected with malware is small.

The project took an aggressive approach. It used a list of about 100 commonly used IDs and passwords, such as “root” and “user” and tried to log into devices. Consumers weren’t informed before the project started, and Japan revised its unauthorized computer access law to allow for the exercise.

NICT’s fiscal 2019 summary of its program that scans the internet for insecure connected devices

The number of ISPs participating in the program has been steadily growing. As of the fourth quarter, 50 were on board, compared to 41 ISPs in the quarter before. About 110 million IPv4 addresses that belong to those ISPs have been scanned, NICT says.

Port-scanning surveys are conducted once a month. A recent survey found 100,000 devices open to the internet that would accept authentication credentials. Of those, 2,249 would accept weak access credentials, NICT says.

The average number of notifications sent to ISPs for devices that appear to be infected with malware is 162 per day, NICT says. There was a notable spike this year, however.

The number of notifications sent to ISPs dramatically jumped from the end of February through March, NICT says. The reason so many more detections occurred is believed to be due to variants of Mirai, which suddenly activated. On two days, the notifications numbered more than 500.

Whether other countries will see enough value in Japan’s project to adopt it remains to be seen. While it's questionable whether consumers will even be able to fix an insecure device, at minimum, Japan’s program at least gives an accurate scope of the problem.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.