The Japanese government has passed a new law that will allow it to access IoT devices in Japan using default usernames and passwords. In effect, National Institute of Information and Communications Technology (NICT) employees will attempt to log in to some 200 million randomly selected devices. The issue is that people do not change the default username and password. The technique is known as credential stuffing. When NICT staffers find devices still using their default credentials, they will contact the Internet Service Provider, which will in turn reach out to the owner and give security recommendations.
NICT has reported that IoT devices were the culprit in a growing number of cyber attacks. Attacks on IoT devices accounted for more than half (some 54% to be precise) of the cyber attacks that it detected back in 2017.
The government’s move is intended to minimise disruption of the upcoming Olympic Games by a cyber attack. Back in February 2018, the South Korea Olympic Games were halted by a multistage piece of malware dubbed Olympic Destroyer. The Japanese government is certainly trying to mitigate a similar risk, as big games have become a popular primary target. Japan has a massive installed base of IoT devices such as cams, routers and DVRs.
I am sure a lot of governments are paying close attention to how this develops. It might set a precedent. Watch this space.