Japan's IoT Scanning Project: Insecure Devices Found
But Port Scanning Project Found Small Number of Problematic Devices
Japan embarked on an ambitious project: scan its entire 200 million IPv4 address pool for insecure connected devices.
Their targets were devices such as routers, web cameras and sensors that use default login credentials as well as devices infected with malware such as Mirai, the IoT worm used for massive distributed denial-of-service attacks (see New Mirai Variant Exploits NAS Device Vulnerability).
The plan, called the National Operation Towards IoT Clean Environment, or NOTICE, involves alerting ISPs to problematic IP addresses. Those ISPs then contact their customers, who, in theory, could take action to secure their devices.
Japan’s National Institute of Information and Communications Technology, or NICT, which ran the program, recently released an overview of the findings for fiscal 2019. The results are encouraging: The problems aren’t terrible, but they do highlight how many devices are insecure.
National Security Concern: A Toaster
Many countries are increasingly worried about how the internet-connected devices in homes could be accessed by malicious actors and cybercriminals.
Weak credentials could allow access to private cameras, insecure routers could leak data and, even worse, home medical devices – used for remote patient monitoring – could risk someone’s life if tampered with or shut down.
Japan’s program is commendable and perhaps a model for other countries to improve the security of IoT devices, says cryptographer and security expert Bruce Schneier.
“The more countries that pay attention to this, the better we will do,” Schneier says. “The weird thing is that this is a national security concern. It’s kind of mind boggling that the security of your toaster actually affects national security, but it does.”
But Schneier says there is a weak link in Japan’s program: consumers.
“Telling consumers to do something that they don’t know how to do is not going to work,” Schneier says. “It’s like if I called you and told you there’s a problem with your car that you have to fix. It will just never get fixed.”
Schneier recently co-authored a position paper with the Atlantic Council advocating that regulations for U.S.-based retailers could ensure only secure IoT devices are sold. The idea is retailers will pressure their own suppliers to build more secure devices or risk losing the market (see How Amazon and Walmart Could Fix IoT Security).
“In order for this to work, it has to result in the government fining the companies,” Schneier says.
Weak Login Credentials
Japan’s project was born out of worry. The nation was slated to host the 2020 Olympics this summer, and it anticipated the event would increase its potential exposure to large-scale cyberattacks. Due to the COVID-19 pandemic, the sports event has been postponed until July 2021.
The scanning exercise has continued to provide crucial data on the security of consumer connected devices. NICT says that overall, the number of devices that have easily guessed passwords or are infected with malware is small.
The project took an aggressive approach. It used a list of about 100 commonly used IDs and passwords, such as “root” and “user,” and tried to log into devices. Consumers weren’t informed before the project started, and Japan revised its unauthorized computer access law to allow for the exercise.
The number of ISPs participating in the program has been steadily growing. As of the fourth quarter, 50 were on board, compared to 41 ISPs in the quarter before. About 110 million IPv4 addresses that belong to those ISPs have been scanned, NICT says.
Port-scanning surveys are conducted once a month. A recent survey found 100,000 devices open to the internet that would accept authentication credentials. Of those, 2,249 would accept weak access credentials, NICT says.
The average number of notifications sent to ISPs for devices that appear to be infected with malware is 162 per day, NICT says. There was a notable spike this year, however.
The number of notifications sent to ISPs jumped dramatically from the end of February through March, NICT says. The increase in detections is believed to be due to variants of Mirai, which suddenly activated. On two days, the notifications numbered more than 500.
Whether other countries will see enough value in Japan’s project to adopt it remains to be seen. While it's questionable whether consumers will even be able to fix an insecure device, Japan’s program at least gives an accurate scope of the problem.