(Mis)Uses of Technology
By now we've established pretty clearly that the well-hyped "internet of things" sector couldn't actually care less about security or privacy. Companies are in such a rush to cash in on our collective thirst for internet-connected tea kettles and not-so-smart televisions, they don't much care if your new gadget was easily hacked or integrated into a DDoS botnet. And by the time security and privacy flaws have been discovered, companies and consumers alike are off to hyperventilate about the next must-have gadget, leaving untold millions of devices in the wild as new potential points of entry into home and business networks.
While most countries hem and haw without doing much of anything about the problem, Japan's government this week proposed a unique legislative solution. A new Japanese law (pdf) passed this week authorizes the Japanese government to actually hack into poorly-secured internet of things devices as part of the country's attempt to conduct a survey measuring the real scale of the problem:
"The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications. NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices."
Devices shipped with default usernames and passwords that users are too lazy (or technically incompetent) to change continue to be a huge problem in IoT devices and routers alike. Once the Japanese government has confirmed the vulnerability, it intends to send notices to impacted users in a bid to try and scare them into actually securing the devices. A Ministry of Internal Affairs and Communications report (pdf) was quick to note that attacks targeting poorly-secured IoT devices comprised two-thirds of all cyberattacks in 2016.
Obviously letting the government hack into consumer and business devices isn't being welcomed warmly in Japan, where many understandably don't trust government with such a task. But it's worth noting these kinds of "solutions" are only emerging in the wake of years of apathy contributing to a global crisis. A crisis many experts say will, inevitably, result in potential mass casualties as essential infrastructure becomes increasingly vulnerable. Collectively we've largely yawned at the problem since much of its impact is what security expert Bruce Schneier calls "invisible pollution":
"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
While other solutions for this problem are being explored (like mandating the inclusion of privacy and security issues in product reviews), they've been few and far between in actually materializing, since giving a damn will actually cost money. Experts like Schneier have long argued that given this market and consumer failure, government needs to play some role in coordinating some rules of the road for flimsy IoT security. Perhaps letting government itself hack into your poorly secured Barbie is a bridge too far (who'd follow up to confirm government didn't abuse the privilege?). But if that's the case, what's the solution?