This post is also available in: heעברית (Hebrew)

Internet of Things (IoT) devices have a deserved reputation for being insecure, and Japan wants to do something about it. The country has just passed a new law, allowing the government to hack into citizens’ IoT devices and compile a list of those that are at risk. The official hacking campaign is part of a survey that will be conducted by employees of the National Institute of Information and Communications Technology (NICT) and overseen by the Ministry of Internal Affairs and Communications. As is the case with many IoT hacks, the government agency will use default passwords to try and break into the devices. It will also use password dictionaries to see if users have picked easily guessed credentials.
Once the list of insecure devices has been compiled, it will be passed on to the authorities and internet service providers so customers can be alerted and change their passwords. The testing of over 200 million IoT devices will begin next month, starting with routers and web cameras. Both the general public and enterprise users will have their devices probed.
According to, the campaign is initiated due to the ever closer 2020 Olympic Summer Games, which are being held in Tokyo. With concerns over hackers using IoT devices to launch an attack on the Games’ IT infrastructure, the government is taking extreme measures to try and secure this avenue of attack. The fear is probably justified; Russia’s Main Intelligence Directorate (GRU) reportedly launched malware during the opening ceremony of the 2018 Winter Olympics. It disrupted internet and broadcast systems and took down the ticketing site for 12 hours.
In January next year, California will introduce the country’s first Internet of Things security law, which requires manufacturers to implement “reasonable security features.” It specifies that devices come with their own unique passwords, but many say it doesn’t go far enough.
Unsurprisingly, Japan’s citizens are far from happy about the government hacking them, arguing that it should have just sent out notifications about making sure their IoT devices are secure.