10-11-2022 | By Robin Mitchell
Recently, the UK Government announced that the National Cyber Security Centre will launch a massive program to identify all internet-connected devices in the UK to determine the risk of threat from cyber warfare. What challenges has the mass integration of internet-connected devices introduced, what will the NCSC do, and how would the results be interpreted?
When the internet first came about, very few devices were connected due to the relative complexity of internet protocols. Furthermore, most consumer electronic devices during the early days of the internet lacked any kind of processor and were limited to basic analogue and digital switching circuits. Even though few machines were connected to the internet, cyber threats quickly became problematic: numerous websites were infected with malware, a lack of security allowed hackers to steal information, and poorly designed operating systems provided hackers with multiple exploits. The rapid expansion of malware created a highly profitable industry through anti-virus software, and many hackers would turn to the field of cybersecurity because of high salaries.
But as electronics continued to shrink in size and cost, microcontrollers quickly took the consumer electronics industry by storm. From kettles to washing machines, almost every electronic device has some kind of microcontroller, whether it is to check sensor readings, power user interfaces, or play melodies after an action has been completed. Eventually, chip manufacturers combined microcontrollers with Wi-Fi stacks, which introduced engineers to single-chip Wi-Fi solutions and allowed devices to be internet-connected. This was when IoT devices started to become feasible, and it didn’t take long for them to spread throughout consumer markets.
However, microcontrollers with internet capabilities introduce numerous security challenges for several reasons. One of these reasons is that engineers will often overlook the importance of security and simply fail to introduce robust security practices such as random passwords, unique keys, and encrypted messaging. Another reason is that the hardware that implements TCP stacks and other internet protocols often lacks strong security features, which can require engineers to implement functions such as encryption and random number generation in software. Not only do software solutions risk exposure to hackers, but many microcontrollers simply lack the performance needed to implement strong security protocols (such as TLS), which will make basic IoT devices highly vulnerable.
The end result of the mass integration of internet connectivity in consumer electronics is a country-wide network that is prone to attack.
Recognising the challenges internet-connected devices face, the UK Government has recently announced a new program that will identify just how vulnerable the UK is to wide-scale cyberattacks. The program, launched and conducted by the National Cyber Security Centre, will be tasked with scanning every single internet-connected device in the UK to determine if each IP (and the associated metadata) is vulnerable to attack. The scan will not just target IoT devices but everything and anything that is connected to the internet, which includes data centres, servers, computers, mobiles, and vehicles.
When the NCSC connects to a target device, an HTTPS request will be sent, and the responses to this request will be logged and stored. From there, the NCSC will compare the response and software version to a database of known vulnerabilities, which will then be used to identify if the targeted IP is potentially vulnerable to attack. To allay concerns among those with internet-connected devices, the NCSC stated that its scans will specifically come from one of two IP addresses, 18.104.22.168 and 22.214.171.124, and the tag will be scanner.scanning.service.ncsc.gov.uk. Furthermore, those who want to be excluded from the test can send an email to firstname.lastname@example.org stating the IP address not to be scanned.
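The comparison step described above can be sketched as follows. This is an added example, not NCSC code or part of the original article: it extracts product/version tokens from a logged HTTP response and checks them against an advisory table. The product names, advisory ids, and sample responses are constructed placeholders.

```python
import re

# Constructed advisory table: product -> [(advisory id, first fixed version)].
# Product names and ids are placeholders, not real software or advisories.
ADVISORIES = {
    "examplehttpd": [("EXAMPLE-ADV-001", (2, 4, 10))],
    "examplecam": [("EXAMPLE-ADV-002", (1, 3)), ("EXAMPLE-ADV-003", (1, 5))],
}
# "Product/1.2.3" tokens; the version part is optional.
TOKEN = re.compile(r"([A-Za-z][\w.-]*)(?:/(\d+(?:\.\d+)*))?")

def parse_headers(raw):
    """Return the headers of a raw HTTP response as a lower-cased dict."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:          # skip the status line
        if not line:                # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def software_tokens(headers):
    """Yield (product, version tuple or None) from Server and X-Powered-By."""
    for field in ("server", "x-powered-by"):
        for product, version in TOKEN.findall(headers.get(field, "")):
            parsed = tuple(int(p) for p in version.split(".")) if version else None
            yield product.lower(), parsed

def assess(raw):
    """Return sorted (product, verdict) pairs for one logged response."""
    findings = []
    for product, version in software_tokens(parse_headers(raw)):
        if product not in ADVISORIES:
            continue
        if version is None:
            # A hidden version cannot be matched: report unknown, not safe.
            findings.append((product, "unknown: no version disclosed"))
            continue
        hits = [adv for adv, fixed in ADVISORIES[product] if version < fixed]
        findings.append((product, ",".join(hits) if hits else "not affected"))
    return sorted(findings)

# Constructed sample responses.
OLD_CAMERA = "HTTP/1.1 200 OK\r\nServer: ExampleCam/1.2.9 (embedded)\r\n\r\n"
PATCHED = "HTTP/1.1 200 OK\r\nServer: examplehttpd/2.4.12\r\n\r\n"
HIDDEN = "HTTP/1.1 200 OK\r\nServer: examplehttpd\r\n\r\n"

if __name__ == "__main__":
    for sample in (OLD_CAMERA, PATCHED, HIDDEN):
        print(assess(sample))
```

A device that suppresses its version banner lands in the "unknown" bucket: version matching of this kind can only assess what the response discloses.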
While the inner workings of the NCSC are not exactly public, there is one possible defence mechanism that could be formulated from this scan. If an entire database of vulnerable IP addresses can be identified, then it is possible for these to be disabled by ISPs via a kill switch controlled by the NCSC in the event of a mass cyberattack against the UK. This would prevent attackers from attacking vulnerable targets that could provide platforms to perform DDoS attacks, ransomware, and data theft.
Of course, many consumer devices have dynamic IP addresses, but ISPs not only keep logs of all IP addresses but also have statically allocated IP addresses themselves, which allows the NCSC to keep tabs on insecure devices. Additionally, details such as MAC addresses are often stored, and these do not change, which further enables ISPs to monitor insecure devices.
It may seem worrying that the government is going to be scanning all internet-connected devices, but from a privacy perspective, if you’re worried about the government logging your IP, you should be more concerned that there are insecure devices in your network.