By Corey Moss
Dark Reading, January 28 2019:
A new law in Japan allows the nation’s National Institute of Information and Communications Technology (NICT) to hack into citizens’ personal IoT equipment as part of a survey of vulnerable devices. The survey is part of an effort to strengthen Japan’s network of Internet of Things devices ahead of the 2020 Tokyo Olympic games.
The survey will begin in February with a trial run of 200 million Web cams and modems. NICT employees will attempt to log into the devices using default account names and passwords, and when they find a vulnerable device, they will alert the ISP and local authorities so the device owner can be contacted and given security recommendations.
It’s come to this – a law spurred on by the 2020 Olympics.
I wrote this blog article in October 2017: “IoT – Where Are We? Part 1: Technology Fear Factor and the Industry Discussion”. A passage from it:
Who in the AV industry are true knowledge-base experts like Brian Krebs, or others whose careers are based in security research and discussion as well as IoT – that which is at times perceived as a “fear factor” technology in AV?
I’ve pointed to Brian Krebs numerous times in articles I have written about cybersecurity as one of the major authorities. Many in the industry are also aware of Ricky Lawshae (Headless Zeke), an offensive security researcher at Trend Micro who presented research at the DefCon hacking conference last August concerning Crestron touchpanel vulnerabilities (over two dozen). *
See more about Ricky – known for ‘spending his days breaking interesting things in interesting ways with his focus mainly centered on IoT research’ – on this page.
In fact, Ricky had joined a few of us in a Twitter conversation recently, and he even pointed out something I had gotten wrong about the Crestron vulnerability scenario, which I certainly appreciated. He stuck around to converse with us for a little while, which I know we all appreciated.
Lately the conversation about devices and security has amplified in the AV industry, where there is a search for answers – and expertise. In fact it happened this past weekend in the #AVinTheAM discussion on Twitter. IoT and vulnerabilities were a part of the discussion.
A good one from Eric Cantrell and Malissa Dillman:
I added (which was brought up here by Eric):
In California, Governor Jerry Brown signed a bill covering “smart” devices, making California the first state with such a law. SB-327 was introduced last year and passed the state senate in late August. Beginning January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure.
The bill has been met with criticism as well. Cybersecurity expert Robert Graham has been one of its harshest critics, arguing that this is a backwards approach to security because it focuses on adding “good” features instead of removing bad ones that open devices up to attacks.
I say that it’s more a matter of research and analysis (as done by security researcher Ricky Lawshae) than of a law passed which doesn’t state the true necessities for protection against vulnerabilities. And as we all know, no IoT device is truly unhackable. However, paying attention to expert security research (reference also to White Hat – ethical hacker) will help to avoid vulnerabilities by staying in the know concerning device updates and patches.
Another interesting challenge has been posed, and this does represent a great amount of motivation for me – it was put out there in relation to integrators sending out weekly security emails to clients, to make them aware of newly discovered vulnerabilities and patches for devices.
Yet another tech approach challenge that I will willingly accept.
And more to come…
*There were no hacks reported and Crestron released a patch to fix all issues. Here is the article.
With over 20 years in audio visual integration and IT/computer sales and consulting, Corey Moss is the owner of Convergent AV. Corey writes for the publication and hosts/produces podcasts – The AV Life, Convergent Tech Talk, Convergent Week and The AV Tech Trade. He has written for numerous industry publications about AV, IT, unified communications and collaboration (UCC), cloud and software, IoT, cybersecurity and more. He has also conducted interviews with AV and IT executives and global influencers. Find him talking about a whole lot of things, tech and otherwise. On LinkedIn https://www.linkedin.com/in/mosscorey/.