FAQ Frequently Asked Questions

Based on the "National Institute of Information and Communications Technology Act (NICT Act)" as revised in May 2018, the NICT is identifying Internet of Things (IoT) devices which are vulnerable to being maliciously used for cyberattacks by entering easily guessed passwords. Based on the NICT Act, NICT has created an implementation plan for this survey, and has obtained approval for the plan from the Minister for Internal Affairs and Communications.

NICT will check* whether IoT devices accept entry of IDs/passwords from outside via the Internet using global IP addresses (IPv4) allocated to Japan**. Then NICT will enter easily guessed IDs/passwords to these IoT devices, thereby identifying devices vulnerable to being maliciously used for cyberattacks.
*The IP addresses used by ISPs participating in NOTICE are the subject of the survey.
**Approximately 200 million exist.

Devices that can be controlled without using a password may also be identified as devices vulnerable to being maliciously used for cyberattacks.
The survey is carried out automatically using a computer program.
Approximately 600 combinations*** of IDs/passwords are described in the NICT's implementation plan.
***Surveyed in Approximately 100 combinations from the beginning of the survey. and approximately 600 combinations from October 2020.

[Examples of entered IDs/passwords]

The survey covers IoT devices that can be accessed via the Internet using global IP addresses (IPv4)—For example routers, web cameras, and sensors.

With certain exceptions, smartphones using a mobile network and PCs using a wireless LAN router, etc., are generally not covered by this survey.

For this survey, we are using the following IP addresses. It is possible to confirm whether the source IP address relates to these addresses.

NICT HP URL
https://www.nict.go.jp/info/topics/2021/09/14-1.html
(This page is in Japanese only)

A port scan is not a forbidden activity under the "Act on Prohibition of Unauthorized Computer Access".
The identification of IoT devices by entering easily guessed IDs/passwords, based on the NICT's implementation plan, is excluded from the scope of unauthorized access prohibited under the "Act on Prohibition of Unauthorized Computer Access" according to the NICT Act* as revised in May 2018.

*Stipulated according to Article 8 paragraph 7 of the supplementary provisions of the NICT Act.

This survey by NICT is to confirm whether any devices can be maliciously used for cyberattacks by entering easily guessed IDs/passwords.
Content of communications between the device and third parties are NOT gathered, used or leaked. Therefore, it does not violate the secrecy of communications.

In a port scan, we acquire banner information to identify the model name (such as messages notifying service types and versions, which are published via the device) and record it with the IP address, time stamp, and port number.
In identifying IoT devices by entering IDs/passwords, we acquire information to identify the model name and record it alongside the IP address, time stamp, port number, ID, and password.
The survey is carried out automatically using a computer program.

At NICT, we apply security measures of the same strictness as measures required for highly confidential information handled by the government. For example, the following measure are taken.
- When entering or leaving sections which handle information, multi factor authentication, including biometric authentication, is required.
- Infiltration-detection systems and firewalls are used to make it impossible to directly connect to servers handling information from the outside.
- Only a limited number of employees are granted access.
- Logs are monitored.

Leaking of information, etc., by NICT employees would constitute a violation of the duty of confidentiality under article 12 of the NICT Act and would be subject to punishment.
Additionally, if the survey was conducted beyond the scope determined in the implementation plan, this would be a violation of the Act on Prohibition of Unauthorized Computer Access and subject to punishment.

The Internet service provider (ISP) identifies users of the target devices based on information (IP address and time stamp) provided by NICT.

The ISP* alerts(notifies) their's users by e-mail or post, etc. If you are notified by anyone other than your contracted ISP, please be cautious as you may be a victim of fraud.
If you receive a suspicious notification, contact the NOTICE Support Center** or your contracted ISP.

*Check here for a list of ISPs participating in NOTICE. (This page is in Japanese only)

**The NOTICE Support Center does not receive any personal information (such as user names) from ISPs.

Refer to the configuration manual of the IoT device you are using that corresponds to the alert, and then change the settings to a complex password that will not be easily guessed by a third party, and update your firmware.
Additionally, the device for which you received the alert may already be infected by malware. Most malware infecting IoT devices, such as Mirai, can be removed by turning off the power. Therefore, please restart the IoT device with the above setting changes.