Japanese Mansion Security
When living in a rented Japanese “mansion” (called an “apartment” in American English or a “flat” in British English), there are many occasions when somebody needs to enter to perform safety or maintenance tasks. Perhaps the most common task is checking that smoke detectors are working, which is generally done once per year, but I have often been surprised by random other tasks that have popped up. Is letting these strangers inside of your home a security risk?
When living in US apartments, I do not recall a single time when a stranger needed to enter an apartment for such a task, but perhaps that is because I never stayed in an apartment for longer than two semesters (less than a year) at a time. I was surprised by the practice in Japan and have always been concerned about the possible security risks. The most probable security risk is casing. Somebody posing as a maintenance worker could check out all residences in a building to determine which ones are good targets for robbery. Note that even legitimate workers could pass along such information to nefarious contacts.
Lately, I have been catching up on past episodes of the Darknet Diaries podcast, and there are many episodes about physical penetration testing. With such stories fresh in my mind, the latest request to enter my “mansion” has raised red flags.
Somebody came to the door of our “mansion” one evening last week. The timing was unfortunate because my baby was at the peak of her crying because she was tired. While I comforted the baby, my wife talked to the guy at the door via the intercom and then talked to him in person. He said that he is with J:COM, a communications company that manages television connectivity for the building, and he wanted to schedule a time to enter our residence for maintenance.
I was unable to hear well over the crying baby, but his explanation about what he wants to do was vague. If he is just casing places, he could just “check” all coaxial sockets and report that there are no problems. Since there is a socket in each room, he would be able to case every room and see who has home offices with computers, who has expensive televisions, etc.
Prior notice was apparently provided via a sheet of paper in our mailbox. This is zero guarantee of legitimacy. Anybody can fake such a notice, and we indeed often see deliberately misleading/lying notices that attempt to trick people into changing internet service providers. Sometimes notices are also posted in the “mansion” elevator. Posted notices have a bit more authenticity because the building manager would spot fakes and hopefully be alerted that something is going on, but an attacker could post fake notices and remove them only when the manager comes around.
My wife and I decided to confirm the legitimacy of this maintenance. We communicate with the “mansion” management company via a smartphone app, where we asked about the maintenance. The response indicates that the management company does not know of any such maintenance and suggested that we contact J:COM. It sounds like it is normal for such companies to do such maintenance without notifying the building management.
When I mentioned this to a friend over lunch yesterday, he suggested that we simply ask to not participate in the maintenance. We do not own/use televisions after all. My wife and I are going to try that route. If the “maintenance man” claims that the maintenance is required, we will contact J:COM through official channels to confirm that the maintenance is legitimate before proceeding.
One must consider the risk incurred by not allowing maintenance as well, of course. If somebody is casing all residences, they may assume that the one that is wary of security contains valuables. I wish that the management company would coordinate all such maintenance, using a trusted communication channel to notify residents. This would likely not be effective against skilled attackers, but it would at least raise the bar.