Japan: When government hack its own citizens for cybersecurity purposes

One Year before the Olympic Games in Tokyo, Japanese government passed a law which allows government to hack into Internet of Things devices of its own citizens. The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications will carry out the survey.

  « The Internet of Things (IoT) is the extension of Internet connectivity into physical devices and everyday objects. Embedded with electronics, Internet connectivity, and other forms of hardware (such as sensors), these devices can communicate and interact with others over the Internet, and they can be remotely monitored and controlled ».

According to ITPro, an international media group, there are more than 3.5 billion IOT devices in use in 2019 so far. Since 2015, the number has gone from millions to billions in the span of just one year; this rate is both exciting and alarming at the same time.

After the news about the massive hack on the Olympic Winter Games infrastructures in South Korea in 2018, Japan now launched this operation to avoid a second attack on the Olympic structures. According to the Washington Post and U.S. Intelligence, the Hackers in 2018 did so while trying to make it appear as though the intrusion was conducted by North Korea, what is known as a « false-flag » operation, said two U.S. officials who spoke on the condition of anonymity to discuss a sensitive matter.

The NICT started the operation in February 2019. Technically they are deploying a brute force attack which consists in trying, with an algorithm, by using dictionaries and standard passwords, to break into the devices of the citizen which have often no or just a very basic security. If their test is successful, they notify the concerned person so that they can change their passwords. In fact, most people are still using passwords like « 0000 » or « 1234 » which makes it very easy for hackers to break into devices such as routers. After they hacked the device, they use it as botnets in order to deploy attacks for example.

Even if the fear of the Japanese government is legitimate, some people in Japan are very offended by this operation. In fact, the government could as well simply notify its citizens without breaking into their systems. Moreover, the law allows them to do this “security-check” for 5 years from now on whereas the Olympic Games end in summer 2020. According to Forbes, the survey could involve more than 200 million IoT devices, starting initially with routers and webcams.

Another risk within this operation is that by sending the notification to affected citizens, the government opens the possibility to ill-intentioned people to send fake-notifications to those people in order to hack them or even control their IOT-Device to deploy an attack. If this happens, the government security-operation would be used exactly against its purpose.

In Japan, there are many IOT-Devices without any security and there are internet sites like Insecam, which is a search-engine for unsecured webcams. Moreover, there is another tool called Shodan, which allows its members to scan the internet for unsecured IOT-Devices. This operation, even if it is very controversial, shows the need of cybersecurity awareness and need of international legal standards in order to have a higher security by default on the IOT-Devices.

Tun Hirt
Master 2 Cyberjustice promotion 2018-2019


Laisser un commentaire