An extensive operation called “National Operation Towards IoT Clean Environment” (NOTICE) has been conducted by the Ministry of Internal Affairs and Commerce of Japan (MIC) from February 20, 2019.
In this operation, NICT attempts to hack into IoT devices owned by general public with weak passwords and request the owners to change to an appropriate one through providers. NICT says it will cut the connection once its access is authorized into IoT devices with weak passwords.
This operation run by the government is authorized under a law called “Act to Amend Parts of the Telecommunications Business Act and the Act on the National Research and Development Institute of Information and Communications Technology Agency” (in force from November 2018), otherwise the operation itself would definitely be an unauthorized access under the Act on Prohibition of Unauthorized Computer Access.
At least, the problems of this operation are that:
(i) they has begun this in a very short notice without widely disseminated;
(ii) it’s likely to have little effectiveness; and
(iii) there will be a number of fraud around this operation.
As for (ii), will the providers able to find out who the owners of the IoT devices are? The costs to do this is solely on the providers. Even if they can send an email to the owner, will the owners move to change their passwords? Do they know how to do it? On the other hand, even though approximately 200 million global IPv4 address are subject to this operation, is it enough to prevent cyberattacks that might disrupt the operation of the Olympic Games in 2020 when a lot of tourists arounds the world will bring IoT devices with them.
As for (iii), bad guys might send emails to people under the name of the government and try to collect their personal information. It would be better not to reply or answer such emails despite their authenticity.
Hopefully, the MIC will conduct and disclose analysis of the effectiveness, if any, of this operation once it is over.