January 28, 2020 Implementation Status of Alerting Users of Vulnerable IoT Devices and IoT Devices Infected with Malware (3rd Quarter of FY2019)

In recent years, the number of cyberattacks abusing IoT devices has been increasing, and users themselves must take appropriate security measures.
The Ministry of Internal Affairs and Communications (MIC), the National Institute of Information and Communications Technology (NICT), and ICT Information Sharing and Analysis Center Japan (ICT-ISAC) in cooperation with Internet Service Providers (ISPs) are taking a project called "National Operation Towards IoT Clean Environment (NOTICE)" to investigate IoT devices that may be exploited for cyberattacks due to vulnerable ID and password settings. Furthermore, MIC, NICT, and ICT-ISAC are making use of NICT’s "Network Incident analysis Center for Tactical Emergency Response (NICTER)" project to alert users of IoT devices found to have been infected with malware.
MIC, NICT, and ICT-ISAC have compiled a summary of their efforts to network safety up to the 3rd quarter of fiscal 2019 and decided to open the summary to the public.

1. Background

In the age of IoT/AI, everything is being connected to a network, such as the Internet. Cybersecurity for them is a critical issue from the viewpoint of the safety and security of people's lives and their social and economic activities.
While IoT devices have become widespread, cyberattacks targeting IoT devices have been increasing in recent years. IoT devices such as sensors and webcams have limited device performance, difficulty in receiving sufficient maintenance servicing, and a long life cycle, and due to these characteristics, they are easily targeted by cyberattacks. IoT devices with inadequate security measures can be infected with malware and abused in cyberattacks. In other countries, serious damage has been reported, including internet outage caused by large-scale cyberattacks (DDoS attacks) that abuse IoT devices. The need for countermeasures is increasing in Japan as well for the forthcoming 2020 Olympic and Paralympic Games in Tokyo.
With consideration of this situation, "the amendment of the Telecommunications Business Act and the Act on The National Institute of Information and Communications Technology" came into force on Thursday, November 1, 2018, to add NICT’s work with a survey (within a five-year time limit) on devices that could be abused in cyberattacks.

2. Overview of IoT device survey and efforts to alert users

1. NOTICE

Based on the above institutional revision, MIC and NICT, in cooperation with ISPs, have decided to start a project called "National Operation Towards IoT Clean Environment (NOTICE)" on February 20, 2019. In the NOTICE project, NICT makes a survey on IoT devices that can be exploited for cyberattacks due to easily guessed passwords and provide ISPs with information on the IoT devices. The ISPs receiving the notification identify the users of the devices and issues an alert. The above survey checks whether the password set on each IoT device can be easily guessed (such as “password” or “123456”) with no infringement of the secrecy of communication. Strict security management measures will be taken for the information obtained through the survey based on NICT’s implementation plan approved by the Minister of Internal Affairs and Communications.

2. Alerting users of IoT devices infected with malware

MIC, NICT, ICT-ISAC, and ISPs have collaborated to implement project since June 2019 to alert users of IoT devices already infected with malware. In this project, NICT uses information obtained from the NICTER project and detects devices that are communicating due to malware infection, and the ISPs specify the users of the devices.

3. NOTICE Support Center

The NOTICE Support Center (or an ISP’s support center depending on the ISP) guides users to appropriate security measures by responding to inquiries from the users via the website or telephone. Parties other than users’ ISPs will not call or visit the users.

NOTICE Support Center

Tel.: 0120-769-318 (toll-free, landline only)
03-4346-3318 (charged)

• 1.
  https://notice.go.jp
• 2.
  https://notice.go.jp/nicter

3. Implementation status

The status of implementation until the 3rd quarter of fiscal 2019 is as follows (the status in parentheses shows the status of implementation until the 2nd quarter of fiscal 2019).

• Participating ISPs: 41 companies (34 companies)
• Surveyed IP addresses: About 110 million addresses (about 100 million addresses)
• Results

Result of NOTICE project

• 1.
  Of the surveyed IP addresses, those for which ID and password could be entered.
  → About 111,000 cases (about 98,000 cases) in the latest survey.
• 2.
  Of the above, those that can be logged in with IDs and passwords and were alerted
  → 1,328 cases in total (505 cases in total)

Result of alerting users of IoT devices infected with malware

• 3.
  Cases reported to ISPs
  → 60 to 598 cases per day (80 to 559 cases per day)

The number of cases of (1) and that of (2) above have increased from the 2nd quarter. This is considered to be due to an expansion of the surveyed IP addresses and improvements in the survey program, and MIC recognizes that there is no significant change in the percentage of vulnerable IoT devices.
MIC also recognizes that there is no significant change in the number of cases mentioned in (3) from the long-term observation trends in the NICTER project.
At present, MIC considers that a small number of IoT devices have set easily guessed IDs and passwords or that have already been found to be infected with malware. It is expected that malware infection activities on IoT devices will continue in the future. Users need to continue taking thorough security measures, such as setting appropriate IDs and passwords and updating the firmware to the latest version.
MIC, NICT, and ICT-ISAC will continue the above projects in cooperation with more ISPs and work on improving security measures for IoT devices, and grasp the status of malware activities that will abuse IoT devices.

• ^*1.
  IoT: Internet of Things. A device that can connect to the Internet.
• ^*2.
  The NICTER project uses a cyberattack observation, analysis, and countermeasure system aimed at quickly responding to large-scale attacks that may occur on the Internet, and conducts a large-scale observation of cyberattacks by darknets and various honeypots and the cause of cyberattacks (i.e., malware).