Starting next month, the Japanese government is going to try its hand at credential stuffing the country’s Internet of Things (IoT), including gizmos at both the enterprise network level down to citizens’ “oops, never changed the default password!” webcams and everything in between.
Credential stuffing is when attackers grab login credentials that have been breached, then e-wander around plugging them into other places, trying to find out where else those same credentials have been used. Because a lot of users have the bad habit of reusing the same passwords across several websites, the tactic is successful far too often.
The plan: in mid-February, staff at the National Institute of Information and Communications Technology (NICT) will generate user IDs and passwords and use them to try to break into a randomly selected batch of about 200 million IoT devices, such as routers and webcams.
Then, the owners of the breached devices will be told to bolster their cybersecurity.
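Whoever is doing the probing, a device’s own login log is where it shows up: one source cycling through many different usernames, mostly failing, sometimes getting in. As an added example (not code from the article or from NICT), the Python below runs over a few constructed syslog-style login lines, flags a source that behaves that way, and lists which accounts it eventually got into, which is the "breached device, tell the owner" outcome the plan describes; the log format, IP addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (sshd-style); not real device logs.
# 203.0.113.9 walks a list of common usernames and finally lands on "admin";
# 198.51.100.7 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
Feb 12 03:14:01 router sshd[101]: Failed password for admin from 203.0.113.9
Feb 12 03:14:02 router sshd[101]: Failed password for root from 203.0.113.9
Feb 12 03:14:03 router sshd[101]: Failed password for user from 203.0.113.9
Feb 12 03:14:04 router sshd[101]: Failed password for support from 203.0.113.9
Feb 12 03:14:05 router sshd[101]: Failed password for guest from 203.0.113.9
Feb 12 03:14:06 router sshd[101]: Accepted password for admin from 203.0.113.9
Feb 12 03:20:11 router sshd[102]: Failed password for alice from 198.51.100.7
Feb 12 03:20:19 router sshd[102]: Accepted password for alice from 198.51.100.7
"""

LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(log):
    """Yield (source_ip, username, succeeded) for each recognised line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result") == "Accepted"


def find_stuffing(log, min_users=4):
    """Flag sources that tried at least min_users distinct usernames and
    failed at least min_users times; record any account they did get into."""
    per_src = defaultdict(lambda: {"users": set(), "failed": 0, "accepted": set()})
    for src, user, ok in parse(log):
        s = per_src[src]
        s["users"].add(user)
        if ok:
            s["accepted"].add(user)  # a success after the spray = owner must be told
        else:
            s["failed"] += 1
    findings = {}
    for src, s in per_src.items():
        if len(s["users"]) >= min_users and s["failed"] >= min_users:
            findings[src] = {
                "distinct_users": len(s["users"]),
                "failed": s["failed"],
                "compromised": sorted(s["accepted"]),
            }
    return findings
```

The threshold is deliberately low for the tiny sample; on a real device you would also bound the count to a time window so a week of scattered typos does not trip it.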
The aim is to shrink the surface area available to attackers in the run-up to the Tokyo Olympics and Paralympics in 2020. That’s not a bad idea: after all, some systems went down around the time of the opening ceremony for the Winter Olympics in Pyeongchang, South Korea, last year.
We never did hear exactly what happened with the Winter Olympics 2018 incident, though some US intelligence operators reportedly blamed Russia, which, they said, tried to make it look like North Korea did it.
While the goal is to clean up for the Olympics, the collateral will be, hopefully, far greater security in general. The NICT has reported that IoT devices are at the heart of a large number – 54% – of the cyber attacks it detected in 2017.
Little devices add up to brawny botnets
IoT devices might seem like small potatoes, computing-wise, but they can be corralled into swarms that can do a lot of damage.
The FBI believes that Russia was behind a giant-sized IoT botnet known as VPNFilter that sprang up in May 2018. The bureau believes that VPNFilter was created by the Russian Fancy Bear group, also known as Sofacy Group or APT28, among other names.
At the time, more than 500,000 devices around the world were believed to have been infected with the malware, most of them consumer internet routers from a range of different vendors.
More recently, a Bay Area family was terrorized when their IoT Nest security camera got hijacked by an attacker who used it to broadcast a fake warning about three incoming intercontinental ballistic missiles (ICBM) launched from North Korea.
Unfortunately, just as it’s far too common for people to reuse passwords or fail to change their IoT devices’ default passwords, so too is it common, and easy as pie for researchers and creeps alike, to use a search engine like Shodan, which roams the web looking for unsecured devices.
By wandering the internet to find vulnerable devices, the Japanese government isn’t doing anything particularly novel. It well might feel like Big Brother is prying into its citizens’ webcams or other IoT devices, because, well, it is. But it’s not doing anything that security researchers or ne’er-do-wells aren’t also doing.
How to keep everyone out of your IoT
Whether or not a government should take such things upon itself is a discussion worth having. But in the short term, the news should be a call to arms for us all, be we Japanese or citizens from any other nation, to lock down our devices.
After all, the NICT researchers could well stumble upon citizens’ webcam images or stored data, as pointed out by Institute of Information Security professor Harumichi Yuasa.
Yuasa said that if device owners’ identities are revealed in the survey, it would be a violation of their constitutional right to privacy. NICT says any data it finds will be kept private, and that it will ensure that no data is leaked.
There’s no reason to doubt those promises, but let’s face it, data leaks. Why take the chance? Nobody should wait until the NICT, or hackers, or security researchers, come knocking on their IoT devices. Instead, we should all think about taking these steps to lock them down:
- Learn how to secure a baby monitor or other IP cameras.
- Don’t reuse passwords. Instead, use unique, hard-to-guess passwords for every online service and site.
- If you can only remember one strong password, try a password manager.
- Use two-step verification (2SV), also known as two-factor or multi-factor authentication (2FA or MFA), whenever possible. It ain’t perfect, but it ain’t too shabby, particularly if you can opt for the most secure option: a FIDO U2F (or the more recent FIDO2) hardware token such as the YubiKey.