FAQ | NOTICE

2What kind of password is easy for malicious actors to guess?

Initial password uniformly set
The password initially set to the same model of an IoT device is the most dangerous password because it can be easily obtained by mallicious actors.
Shared password
Mallicious actors first try general passwords that many people often use, such as “admin” and “password.”
In addition, keeping in mind not to use the same password for more than one service is also important in terms of security.
General word or phrase
General words and phrases you can find in dictionaries may be tried by mallicious actors for a technique called a dictionary attack.
Successive numbers or patterns on keyboard
For example, successive numbers like “123456” and combinations of side-by-side characters on the keyboard like “qwerty” are easy to guess.

3What should I do to update the firmware?

Updating the firmware means upgrading the software of your IoT device to the latest version.
The general procedure is described below. Note, however, that the procedure may differ depending on the type and/or manufacturer of the IoT device you are using. For concrete information on the IoT device, be sure to refer to the support page of the manufacturer or the manual of the device.

How to update firmware

4I forgot when I bought my router. Is there a way to check it?

The date of manufacture and manufacturer’s serial number may be shown on the router itself. Take a look at the rear or bottom side of the router.
Documents supplied with the router at the time of purchase, such as the receipt and written guarantee, may show the purchase date.
If the router is provided by an internet service provider (ISP), check the account information of the ISP. The online account and bill may show the date when the router was supplied or when the contract was signed.

If you still cannot find when you bought the router, refer to the website of the manufacturer or contact the manufacturer’s customer support center.

5How can I check the internet service provider (ISP) I am using?

Check the bill or contract.
Check the bill or contract you received from the ISP. These documents often show the name and contact address of the ISP.
Check the label or setting page of the router.
If the router you are using at home is supplied by an ISP, information on the ISP may be shown on the rear or bottom side of the router. You may also find information on the ISP on the setting page of the router.

6How does NOTICE send the security advisory?

You will receive an email or postal mail sent by the internet service provider^*1 with whom you concluded a contract. When you receive a security advisory, it is recommended that you swiftly implement security measures.
If you receive a security advisory from an entity other than the ISP that you have a contract with and calls itself NOTICE, be careful since it may be a fraud. If you have received a suspicious security advisory, contact the NOTICE support center^*2 or your ISP.

*1 : For the list of internet service providers participating in NOTICE, refer to the “Participating organizations” page.

*2 : The NOTICE support center is not provided by the ISP with personal information about the user, such as the name, who should be alerted.

7If I receive a security advisory from NOTICE, what is the reason for it?

The NOTICE Project notifies an internet service provider (ISP) when it detects an IoT device, such as a router or a network camera, that has a high risk of coming under cyberattack or being abused. The ISP then sends you a security advisory.

Specifically, NOTICE may notify the ISP, and you may receive a security advisory if any of the following conditions are met :

If you are using an IoT device that can be accessed over the internet from outside by using a domestic Japanese global IP address^*1 (IPv4)
In addition, if that device has a risk of being compromised easily from outside as follows :
- An ID and/or password^*2 that is easy to guess is used.
- A device is used that can be controlled from the outside without a password.
- The firmware is not updated properly.

*1 : IP address connecting an ISP participating in NOTICE

*2 : The ID or password to be input is selected from about 600 types as described by the implementation plan of the National Institute of Information and Communications Technology (NICT) (about 100 types were available at first, but a survey has been implemented with about 600 types since October 2020. For details, refer to information materials released by the Ministry of Internal Affairs and Communication.)

8How are the users of vulnerable IoT devices identified?

The user of a vulnerable IoT device is identified based on the information that the internet service provider (ISP) receives from the National Institute of Information and Communications Technology (NICT) (such as the IP address and time stamp of the IoT device over which the user will be alerted).

9What is the objective of NOTICE?

In recent years, cases where an IoT device, such as a router or network camera, is used as a steppingstone for cyberattacks have been taking place that affect communications services. IoT devices can never be used as steppingstones as long as they are properly managed. In reality, however, there are many IoT devices in the world that are not properly managed.

NOTICE is a project aimed at preventing IoT devices from getting hacked and botnet activities from taking place by enhancing the security measures of the IoT devices, such as routers and network cameras, which are connected to the internet.

The Ministry of Internal Affairs and Communication, National Institute of Information and Communications Technology (NICT), and Internet Service Providers are promoting in collaboration a survey of IoT devices that can be abused for cyberattacks or have such a risk and security measures to protect IoT devices that have risks.

10What devices are observed?

They are IoT devices that can be accessed from the internet by using a global IP address (IPv4), specifically, routers, network cameras, and remote-monitoring systems.

11Are personal computers and smartphones also observed?

Generally, smartphones that use a portable telephone line and personal computers that are connected to wireless LAN routers are not observed, but there are some exceptions.

12Doesn’t such an observation constitute unauthorized access?

The action by the National Institute of Information and Communication Technologies (NICT) of inputting from outside an ID and a password that can be easily guessed and identifying IoT devices that can be abused for a cyberattack is regarded under the NICT Law as specific access, which is excluded from unauthorized accesses prohibited by the Unauthorized Computer Access Law.

In addition, an observation other than specific accesses, such as port scanning, does not constitute unauthorized access as prohibited by the Unauthorized Computer Access Law.

13Does this observation infringe the confidentiality of communication?

The observation conducted by the National Institute of Information and Communication Technologies (NICT) is to confirm, by inputting from the outside a password that can be easily guessed, whether an IoT device has a risk of being abused for a cyberattack. This observation is not intended to obtain, steal, or leak information on communication between that IoT device and any third party and, therefore, does not constitute infringement of the confidentiality of communication.

14How will information that was recorded be preserved or handled?

The National Institute of Information and Communication Technologies (NICT) takes strict safety management measures similar to those required by the government’s confidentiality 3 information. For example, in a zone where information is handled, the server that controls people’s entry into and exit from a room by using multiple factors, including biometric authentication, implements such measures as blocking connections from the outside by using an intrusion detection system and firewall, limiting the personnel who can gain access, introducing an access restriction function, and observing the log of that function.

15Aren’t there concerns that information will not be managed according to rules?

If an employee of the National Institute of Information and Communication Technologies (NICT) leaked information, it would be a violation of the confidentiality obligation stipulated by Article 12 of the NICT Law, and the employee would be subject to punishment. If an observation were conducted that exceeds the scope defined by the implementation plan, it would be a violation of the Unauthorized Computer Access Law, and the violator would be subject to punishment.

16How is a specific access implemented?

An IoT device that can be accessed from the outside over the internet by specifying a Japan’s domestic global IP address^*1 (IPv4) is checked to see if it is an IoT device to which an ID or password can be input^*2. By inputting an ID or password that can be easily guessed to such a device, whether the IoT device has a risk of coming under a cyberattack or being abused is determined.

This observation will be automatically carried out by using a program. IDs and passwords that will be input will be selected from about 600 IDs and passwords prescribed by the implementation plan of the National Institute of Information and Communication Technologies (NICT).

*1 : IP addresses the internet service providers participating in NOTICE

*2 : This act is called port scanning.

17Is there any way to confirm whether an IoT device was accessed for this observation?

For this observation, the following IP addresses are used. It can be confirmed whether a device was accessed for this observation by checking whether the IP address of the transmission source corresponds to one of these addresses.

The IP addresses to be used for observation are also made public on the website of the National Institute of Information and Communication Technologies (NICT).
（https://www.nict.go.jp/info/topics/2021/09/14-1.html）

IP addresses used for the observation :

39.110.250.232 to 239
118.238.5.24 to 31
150.249.227.160 to 175
153.231.215.8 to 15
153.231.216.176 to 183
153.231.216.184 to 191
153.231.216.216 to 223
153.231.226.160 to 167
153.231.226.168 to 175
153.231.227.192 to 199
153.231.227.208 to 215
153.231.227.216 to 223
153.231.227.224 to 231
223.135.152.48 to 63

(Total of 128 addresses)

18What information will be obtained and recorded as a result of the observation?

Port scanning is to obtain banner information (message that a device itself discloses to show the type or version of a service) to identify a model and record it along with the IP address, time stamp, and port number.

To input an ID and password to identify an IoT device that can be abused for a cyberattack, information to identify the model is obtained and recorded along with the IP address, time stamp, port number, ID, and password.

This observation is automatically carried out by using a program.

19What is a DDoS attack?

A DDoS (Distributed Denial of Service) attack is launched by a malicious individual (malicious actor) who directs many devices toward simultaneously accessing a target website. Consequently, a heavy load is imposed on the server and network, temporarily disordering or disturbing their services.

Since the DDoS attack is of the distributed type, it is difficult to identify a single source of attack and implement countermeasures. Businesses and website operators need to implement measures to protect their systems against DDoS attacks by implementing security measures or using an exclusive service.

20What is a router?

A router is an important IoT device that connects different networks. By using IP addresses that indicate locations on the internet, it has the role of transferring data appropriately.

When using a router, it is important to update the firmware appropriately and implement the latest security measures. In addition, setting a strong password that is difficult to guess is also important. In this way, the network can be protected from unauthorized accesses, and the safety of the internet connection can be enhanced.