March 29, 2024 New “NOTICE” Launched to Promote Security Improvement for IoT Devices

 Given the continued occurrence of cyberattacks that abuse IoT devices due to changes in the environment, such as the emergence of new threats with more sophisticated cyberattack methods, the new “NOTICE (National Operation Towards IoT Clean Environment)” project has been initiated to promote the improvement of security for IoT devices.

1. Background

 Cyberattacks like DDoS attacks*1, which abuse IoT devices, continue to occur. To address this situation, in addition to investigating IoT devices with vulnerabilities regarding ID and password, the new “NOTICE” was initiated in FY2024 by establishing a new*2 advisory service for cybersecurity measures that target IoT devices installed with vulnerable firmware and IoT devices that are already infected with malware.

• *1
  Many cases have been reported where third parties take over IoT devices such as routers or network cameras and become the source of DDoS attacks; large volumes of data are sent from multiple devices to the attack destination. The occurrence of DDoS attacks causes damage, such as a drop in communication speed due to congestion of networks.
• *2
  NOTICE has been newly established by an Act (Act No. 87 of 2023) that partially amends the Act on the National Institute of Information and Communications Technology (NICT).

2. Overview of the new “NOTICE”

 The following initiatives are specifically being implemented to suppress the occurrence and damage caused by cyberattacks that abuse IoT devices.

• The publicity activities for security control measures to prevent the abuse of IoT devices will be enhanced.
• The investigation of identifying IoT devices with ID and password vulnerabilities that was to be conducted by the National Institute of Information and Communications Technology (NICT) up to the end of FY2023 will be continued beyond FY2024, and the call for attention through the framework of “NOTICE” will be continued.
• Observation of “IoT devices with vulnerabilities in the firmware” will be newly positioned as a task of NICT, and the call for attention through the framework of “NOTICE” will be implemented.
• Provision of information on “IoT devices already infected with firmware” will be positioned as a task of NICT, and the call for attention through the framework of “NOTICE” will be continued.
• Besides the Internet Service providers with whom cooperation has been established, the relationship with IoT device manufacturers and other security institutions will be strengthened.

3. Enhance publicity activities concerning the new “NOTICE”

 To suppress the occurrence and damage caused by cyberattacks, appropriately managing the IoT devices connected to the Internet is important to prevent abuse by third parties. In most cases, abuse can be prevented if appropriate measures are implemented.
 The activities of “NOTICE” have shown that the most abused IoT devices are routers and network cameras. Therefore, the following publicity activities are being conducted, mainly targeting users who have installed routers and network cameras to disseminate awareness regarding the risk of abuse of IoT devices, security control measures to prevent such abuse, and encourage regular measures.

[ Formulation of the new “NOTICE” PR concept ]
 A new publicity concept, “Now! Lock up the gateway.” was formulated to establish the security control of IoT devices. The logo of NOTICE has also been updated to a shield motif, and the goal of the “NOTICE” project is to spread the message that we all need to prevent the abuse of IoT devices.

• Notification of basic security control measures
  A flyer summarizing security control measures for IoT devices on the Internet will be published as a checklist and distributed.
• Enhancement of information dissemination by renewal of the NOTICE website
   The content has been completely revised from the perspective of promoting routine security management measures for IoT devices on the Internet. New content has been enhanced to help understand the hijacking of IoT devices and cyberattacks that use IoT devices as a launching pad and content to learn the security control measures for IoT devices.
          NOTICE Web site: https://notice.go.jp/
• Web video distribution to raise awareness regarding the abuse risks of IoT devices.
   Web videos will be distributed on the Ministry of Internal Affairs and Communications YouTube channel from April onwards to enhance awareness of the risk of IoT devices being abused on the Internet and promote understanding of the necessity of security control measures.