by Masakok Wakae
The government is setting out to develop comprehensive cyberdefense measures targeting Internet of Things (IoT) devices in preparation for the 2020 Tokyo Olympic Games. Starting in September, it plans to survey domestic networks to identify IoT devices that are vulnerable to cyberattacks and to warn their users of the lurking threats. However, legal barriers stand in the way of some of the more effective measures, so the government will revisit regulations such as the Unauthorized Computer Access Law and the Telecommunications Business Act.
Exemption from “unauthorized access” status
“We want to root out ‘stray’ IoT devices,” says one high-ranking Ministry of Internal Affairs and Communications (MIC) official behind the large-scale IoT device survey starting in September. Stray IoTs are neglected IoT devices with little or no security functionality, whose compromise goes unnoticed by their users.
While connected refrigerators and cameras can be useful, IoT devices put their users at risk when operated in a vulnerable state: default IDs and passwords left unchanged, or software security patches never applied. Hackers can easily turn such devices into ‘vehicles’ for their cyberattacks.
Last autumn, over 500,000 IoT devices were infected with the Mirai malware, which hackers then used to orchestrate a larger cyberattack. The devices leveraged in that case were stray IoTs.
Cyber criminals use a method called port scanning to determine which ports on an IoT device are open. Ports are like windows through which information is sent and received; when they are left open unnecessarily, intruders can climb in.
Once attackers find an open window, they check the ‘lock’ on the safe: they try various IDs and passwords to see whether it opens. Mirai tried some 60 combinations of factory-set default IDs and passwords and thereby cracked over 500,000 devices. In other words, at least that many connected devices had lax security.
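The two signals described above, repeated login failures from one source followed by a success, and devices still running factory-set credentials, are what a defender can look for from their own side. The following Python script is an added example, not code from the article or from the MIC survey; the log format, the sample log lines, the device inventory and the two-entry default-credential list are all constructed for illustration, and a real audit would compare against the device's stored password hash rather than a plaintext field.

```python
import re
from collections import defaultdict

# Constructed sample of device authentication log lines (assumed format, not from the article).
# 203.0.113.5 tries several IDs, fails repeatedly, then succeeds: the Mirai-style pattern.
# 198.51.100.7 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2017-06-01T10:00:01 auth failed src=203.0.113.5 user=admin
2017-06-01T10:00:02 auth failed src=203.0.113.5 user=root
2017-06-01T10:00:03 auth failed src=203.0.113.5 user=support
2017-06-01T10:00:04 auth failed src=203.0.113.5 user=admin
2017-06-01T10:00:05 auth ok src=203.0.113.5 user=admin
2017-06-01T10:00:20 auth failed src=198.51.100.7 user=alice
2017-06-01T10:05:00 auth ok src=198.51.100.7 user=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|failed) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def detect_credential_guessing(log_text, threshold=3):
    """Return {source_ip: verdict} for sources that failed `threshold` or more logins.

    Verdict is 'guessing_succeeded' when a success follows the run of failures,
    otherwise 'guessing_attempted'. Lines that do not match the format are skipped.
    """
    failures = defaultdict(int)      # failed attempts per source
    tried_users = defaultdict(set)   # distinct IDs each source tried
    succeeded_after_run = set()      # sources that logged in after reaching the threshold

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src = m["src"]
        if m["result"] == "failed":
            failures[src] += 1
            tried_users[src].add(m["user"])
        elif failures[src] >= threshold:
            succeeded_after_run.add(src)

    verdicts = {}
    for src, count in failures.items():
        if count >= threshold:
            verdicts[src] = (
                "guessing_succeeded" if src in succeeded_after_run else "guessing_attempted"
            )
    return verdicts


# Constructed placeholder list of factory-default ID/password pairs (illustrative subset only).
DEFAULT_PAIRS = {("admin", "admin"), ("root", "root")}

# Constructed device inventory; plaintext passwords are used here only to keep the example short.
INVENTORY = [
    {"device": "cam-01", "user": "admin", "password": "admin"},
    {"device": "cam-02", "user": "admin", "password": "u7Q!pz2L"},
    {"device": "nvr-01", "user": "root", "password": "root"},
]


def audit_default_credentials(inventory, defaults=DEFAULT_PAIRS):
    """Return the names of devices whose configured credentials are a known default pair."""
    return [d["device"] for d in inventory if (d["user"], d["password"]) in defaults]


if __name__ == "__main__":
    print("guessing sources:", detect_credential_guessing(SAMPLE_LOG))
    print("devices on default credentials:", audit_default_credentials(INVENTORY))
```

The threshold of three failures is deliberately low so the sample shows both outcomes; on a real network it would be tuned per device class, and the `tried_users` set (several distinct IDs from one source) is a second signal worth alerting on even before a success appears.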
Expanding the scope of exemption
“Defenders could prevent attacks if they could identify stray IoTs by port scanning and cracking passwords, and then educate users to reinforce security,” points out the aforementioned senior official, and that is exactly what the government wants to do.
“We have been able to address less than 10% of cases,” laments one expert as regulations stand in the way.
The Unauthorized Computer Access Law prohibits and penalizes all forms of unauthorized access, meaning accessing computers by entering others’ IDs and passwords without permission, even when the purpose is to probe for vulnerabilities for research. However, no clear standard exists for whether entering factory-set default passwords that manufacturers themselves publish constitutes a crime. Although the scope of the investigation has not been made clear, only a small portion of vulnerable devices is expected to be found through this survey. Even if use of publicly documented default settings is permitted, the survey will not be as comprehensive as the 60 input combinations the Mirai perpetrators used.
“Currently, cybercriminals have uncontrolled license to attack and defenders are unable to get an accurate assessment of the status quo. The Unauthorized Computer Access Law needs to be amended to exempt some research institutions,” asserts Takayoshi Hojo, an attorney specializing in cybercrimes.
Review required for the Telecommunications Business Act
The Telecommunications Business Act also stands in the way when identified vulnerable devices are communicated to users.
This is a stringent law that protects the privacy of communication, covering not only the content of the communication but also identifiable user information such as IP addresses. Over the past several years, MIC has met regularly with experts to better respond to cyber threats and to clarify its position on specific cases. The ministry permits identifying users, and blocking communication, for terminals that are infected with viruses or have taken part in cyberattacks.
However, there are cases in which the ministry has yet to state its position: devices that pose clear security risks but show no confirmed virus infection. For this reason, users will be notified only in a small number of high-risk cases.
“It would take way too long to have an expert panel study individual cases every time an issue arises. It would delay responses too much,” laments one specialist. “Regulations need an overhaul as new cyberattack methods are constantly being developed.”
Germany updated its telecommunications act to require telecommunications companies to notify their users when they identify infected terminals and devices that are being exploited by hackers.
The government also needs to develop standards that outline the scope of responsibilities for IoT device makers and distributors. While it will be increasingly important for manufacturers to design and develop safe products, responding to products already on the market will be just as critical. Currently, however, there is no legal basis for requiring companies to do so.
There is a growing trend in the U.S. to hold manufacturers accountable for weaknesses in IoT devices. In January of this year, the Federal Trade Commission filed a lawsuit against a manufacturer called D-Link for not taking appropriate steps to secure their routers and webcams.
The government plans to identify and address legal challenges through its upcoming investigation. However, Japan’s legal system is in dire need of reform in other areas as well. One example is maintaining a database of viruses, a common practice overseas. While keeping such a database for research purposes is not considered a crime, it is not clear what kind of use counts as research, which discourages domestic development of such databases. “Government guidelines are needed to clarify the scope of what is possible and what is not under current law to eliminate ambiguous gray zones,” points out Hojo.