May 15, 2020 Implementation Status of Alerting Users of Vulnerable IoT Devices and IoT Devices Infected with Malware (FY2019)

  In recent years, the number of cyberattacks abusing IoT devices has been increasing, and users themselves must take appropriate security measures.
  The Ministry of Internal Affairs and Communications (MIC), the National Institute of Information and Communications Technology (NICT), and ICT Information Sharing and Analysis Center Japan (ICT-ISAC) in cooperation with Internet Service Providers (ISPs) are taking a project called National Operation Towards IoT Clean Environment (NOTICE) to survey IoT devices that may be exploited for cyberattacks due to vulnerable ID and password settings. Furthermore, MIC, NICT, and ICT-ISAC are making use of NICT’s Network Incident analysis Center for Tactical Emergency Response (NICTER) project to alert users of IoT devices found to have been infected with malware.
  MIC, NICT, and ICT-ISAC have compiled a summary of their efforts to network safety in fiscal 2019 and decided to open the summary to the public.

1. Background

In the age of IoT/AI, everything is being connected to a network, such as the Internet. Cybersecurity for them is a critical issue from the viewpoint of the safety and security of people’s lives and their social and economic activities.
While IoT devices have become widespread, cyberattacks targeting IoT devices have been increasing in recent years. IoT devices such as sensors and webcams have limited device performance, difficulty in receiving sufficient maintenance servicing, and a long life cycle, and due to these characteristics, they are easily targeted by cyberattacks. IoT devices with inadequate security measures can be infected with malware and abused in cyberattacks. In other countries, serious damage has been reported, including internet outage caused by large-scale cyberattacks (DDoS attacks) that abuse IoT devices. The need for countermeasures is increasing in Japan as well for the forthcoming 2020 Olympic and Paralympic Games in Tokyo.
With consideration of this situation, “the amendment of the Telecommunications Business Act and the Act on The National Institute of Information and Communications Technology” came into force on Thursday, November 1, 2018, to add NICT’s work with a survey (within a five-year time limit) on devices that could be abused in cyberattacks.

2. Overview of IoT device survey and efforts to alert users

1. NOTICE-alert (to alert users of vulnerable IoT devices)

Based on the above institutional revision, MIC and NICT, in cooperation with ISPs, have decided to start a project called “National Operation Towards IoT Clean Environment (NOTICE)” on February 20, 2019. In the NOTICE project, NICT makes a survey on IoT devices that can be exploited for cyberattacks due to easily guessed passwords and provide ISPs with information on the IoT devices. The ISPs receiving the notification identify the users of the devices and issues an alert.
The above survey checks whether the password set on each IoT device can be easily guessed (such as “password” or “123456”) with no infringement of the secrecy of communication. Strict security management measures will be taken for the information obtained through the survey based on NICT’s implementation plan approved by MIC.

2. NICTER-alert (to alert users of IoT devices found to have been infected with malware)

MIC, NICT, ICT-ISAC, and ISPs have collaborated to implement the project since June 2019 to alert users of IoT devices found to have been infected with malware. In this project, NICT uses information obtained from the NICTER project and detects devices that are communicating due to malware infection, and the ISPs specify the users of the devices.

3. NOTICE Support Center

The NOTICE Support Center (or an ISP’s support window depending on the ISP) guides users to appropriate security measures for (1) and (2) by responding to inquiries from the users via website or telephone.
Parties other than users’ ISPs will not call or visit the users.

  • NOTICE Support Center
Tel 0120-769-318 (toll-free, landline only)
03-4346-3318 (charged)

Reception hours: 10:00 am - 6:00 pm (excluding year-end and New Year holidays)

3. Implementation status

A total of 50 ISPs completed the participation procedure by the fourth quarter of fiscal 2019 and surveyed approximately 110 million IP addresses (41 ISPs completed the procedure by the third quarter of fiscal 2019 and surveyed approximately 110 million IP addresses).
Regarding NOTICE-alerts, a survey is conducted approximately once a month. Of the IP addresses recently surveyed, approximately 100,000 IP addresses accepted IDs and passwords (approximately 111,000 IP addresses did by the third quarter). Of these, a total of 2,249 IP addresses (a total of 1,328 IP addresses by the third quarter) accepted logins with specific IDs and passwords and were alerted (notified to ISPs). The number of alerts has been around 300 per month since a survey program was significantly improved last summer. Although users are taking precautions and countermeasures, MIC, NICT, and ICT-ISAC recognize that there is no major change as a whole because some devices have been newly identified as problematic. For the prevention of the spread of novel coronavirus, NICT canceled the survey for April 2020 since NICT suspended staff member work assignments.
As for NICTER-alerts, the information detected by the NICTER project has been notified to ISPs daily, and the average number of alerts per day was 162 (176 by the third quarter). In the fourth quarter of fiscal 2019, the number of notifications increased temporarily from the end of February 2020 to the beginning of March. This was probably due to a temporary increase in the activity of malware (a Mirai variant). Still, MIC, NICT, and ICT-ISAC recognize that there is no significant change in the percentage of vulnerable IoT devices.
At present, MIC considers that a small number of IoT devices have set easily guessed IDs and passwords or have already been found to be infected with malware. It is expected that malware infection activities on IoT devices will continue in the future. Users need to continue taking thorough security measures, such as setting appropriate IDs and passwords and updating the firmware to the latest version.
MIC, NICT, and ICT-ISAC will continue the above projects in cooperation with more ISPs and work on improving security measures for IoT devices, and grasp the status of malware activities that will abuse IoT devices. Furthermore, various information regarding these projects will be announced on a dedicated website (https://notice.go.jp/en Open a new window).
The following website shows a summary of these projects and its implementation status.
https://www.soumu.go.jp/main_content/000687300.pdf PDF

  • *1
    IoT: Internet of Things. A device that can connect to the Internet.
  • *2
    The NICTER project uses a cyberattack observation, analysis, and countermeasure system aimed at quickly responding to large-scale attacks that may occur on the Internet, and conducts a large-scale observation of cyberattacks by darknets and various honeypots and analyzes the cause of cyberattacks (i.e., malware).

Contact

For further information about this press release, please fill in the inquiry form and submit it to MIC on the website
https://www.soumu.go.jp/common/english_opinions.html

International Policy Division, Global Strategy Bureau, MIC

TEL: +81 3 5253 5920

FAX: +81 3 5253 5924