State Sponsored Probing Internet of Things Devices
In order to beef up security of consumer based Internet of Things devices, Japan will now scan IoT devices within its borders. Beginning mid-February, the National Institute of Information and Communications Technology will attempt to break into an estimated 200 million devices. The institute has compiled a list of generic usernames and passwords commonly used by manufacturers for default login credentials. Is this a good thing?
In 2018, the FBI warned citizens of a potential threat to their home routers to reset them (Why the FBI wants you to reboot your router — and why that won’t be enough next time). In 2016 Duetsche Telekom in Germany was down due to an infection of consumer based routers which affected 900,000 consumers (900,000 Routers Knocked Offline in Germany amid Rumors of Cyber-Attack). It took the telecom provider two days to get the word out as most, if not all, of its customers used it for data and voice. Why did it take so long and how did 900,000 routers get infected? One simple answer, the management interface was exposed to the public internet. This allowed the botnet to quickly infect consumer based routers. Once a router became infected, it then scanned the internet looking for other routers to infect.
Japan’s attempt to detect unsecured IoT devices is a good thing, to a point. The Institute has not come out to say what they will do when an unsecured device is detected. Will they send notices to citizens? How will manufacturers be held accountable? What types of fines will be given for poorly secured consumer IoT devices? This is definitely a step in the right direction however it does not appear at this time that they have fully thought through the repercussions.