A port scan is the cyber equivalent to using a sniffer dog. It involves sending out carefully-prepared packets of data to a computer or network in order to detect any open ports and possible vulnerabilities.
The technique is a very useful part of the pen tester’s toolkit, especially if you want to test the security status and likely intent of devices connected to a network. However, it comes with one big problem: most regulators across the globe (including those in the U.S., U.K., Europe and India) take a dim view of accessing third party devices without specific consent - even if it’s only for ‘cyber hygiene’ reasons.
So is port scanning legal? The short and rather unhelpful answer is “it’s complicated”, with a lot riding on who you’re scanning and why. Broadly-drafted laws give rise to the risk of legitimate cyber security professionals getting caught in the same net as threat actors. Here’s a closer look at the technology and the legal issues surrounding it.
Ports are the docking points for the flow of information between devices on a network: a port number tells the receiving host which service or application a packet is meant for. To keep this consistent worldwide, port numbers are assigned according to a registry maintained by the IANA (Internet Assigned Numbers Authority).
Port numbers run from 0 to 65535, so there are 65,536 of them, and the numbering is kept separately for each of the two main transport protocols: the Transmission Control Protocol (TCP), which establishes and maintains a connection between applications, and the User Datagram Protocol (UDP), which is connectionless and used where low latency matters more than guaranteed delivery. TCP port 53 and UDP port 53 are therefore two different ports, and a scanner has to probe each protocol separately.
The range 0 to 1023 is the well-known ports, where most standard services listen, which is why a scan of that range (or of a tool’s default list of most common ports) turns up the most. Examples include TCP port 443 for HTTPS, port 53 for DNS, which translates domain names into machine-readable IP addresses (UDP for ordinary queries, TCP for zone transfers and large responses), and TCP port 80 for HTTP.
Port scanning: a quick overview
As an infosec pro or network administrator, you will almost certainly use a dedicated tool for port scanning. Nmap, an open source command-line scanner, is the most popular; Zenmap is its official graphical front end, and Unicornscan is another scanner you may come across.
Port scanning starts with host discovery: finding which IP addresses in the target range belong to live hosts, using ICMP echo (a ‘ping sweep’), ARP requests on the local segment, or TCP/UDP probes to a few common ports.
Next comes the port scan itself. A basic scan tells you, for each live host, which ports are open, which are closed (the host answers with a TCP reset or an ICMP unreachable) and which are filtered (no answer at all, typically a firewall dropping the probe). Depending on the tool, you can also pick up more detailed information: service and version detection (nmap -sV) grabs banners and fingerprints the listening service, and OS detection (nmap -O) estimates the operating system name and version from the host’s TCP/IP stack behaviour.
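To make the open / closed / filtered distinction concrete, here is an added example (my own code, not from this article or from the Nmap project) of a minimal TCP connect() scanner in Python. It only ever scans 127.0.0.1, against a throwaway listener it starts itself that greets clients with a made-up SSH-style banner, so it runs offline and touches nobody else’s system; the fake banner, the port list, the ‘delay’ pacing option and the tiny banner-to-service table are all constructed for illustration and are far cruder than what nmap -sV does.

```python
import errno
import socket
import threading
import time
from typing import Dict, Iterable, Tuple


def start_listener(banner: bytes = b"SSH-2.0-example\r\n") -> socket.socket:
    """Constructed fixture: a fake service on an ephemeral local port that
    greets every client with `banner` and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def closed_port() -> int:
    """Reserve then release an ephemeral port, so we have one that is
    (almost certainly) closed and will answer a probe with a reset."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def guess_service(banner: bytes) -> str:
    """Crude banner matching, a toy version of service/version detection."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith(b"HTTP/"):
        return "http"
    if banner.startswith(b"220"):
        return "ftp/smtp"
    if banner.startswith(b"+OK"):
        return "pop3"
    return "unknown"


def probe_port(host: str, port: int, timeout: float = 0.5) -> Tuple[str, bytes]:
    """Classify one TCP port the way a connect() scan does:
    open     - handshake completed, something is listening
    closed   - host answered with RST (connection refused)
    filtered - no answer within `timeout`, or host/net unreachable:
               the usual signature of a firewall dropping the probe."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return "filtered", b""
    except ConnectionRefusedError:
        s.close()
        return "closed", b""
    except OSError as exc:
        s.close()
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered", b""
        raise
    try:
        banner = s.recv(256)          # many services speak first; grab it
    except (socket.timeout, OSError):
        banner = b""
    finally:
        s.close()
    return "open", banner


def scan(host: str, ports: Iterable[int], delay: float = 0.0,
         timeout: float = 0.5) -> Dict[int, Tuple[str, str]]:
    """Scan `ports` on `host`; returns {port: (state, service_guess)}.
    `delay` spaces the probes out so a scan never looks like a flood."""
    results: Dict[int, Tuple[str, str]] = {}
    for port in ports:
        state, banner = probe_port(host, port, timeout)
        results[port] = (state, guess_service(banner) if state == "open" else "-")
        if delay:
            time.sleep(delay)
    return results


if __name__ == "__main__":
    srv = start_listener()                       # fake "ssh" on localhost
    targets = [srv.getsockname()[1], closed_port()]
    for port, (state, svc) in scan("127.0.0.1", targets, delay=0.05).items():
        print(f"127.0.0.1:{port:<5} {state:<8} {svc}")
    srv.close()
```

A real scanner adds the UDP case (where silence is ambiguous, because a closed UDP port only reveals itself if the host sends an ICMP port-unreachable) and parallelism; the point here is that a connect() scan learns the port state purely from how the target’s TCP stack answers, which is also why a dropped probe (‘filtered’) tells you a firewall is in the path.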
Threat actors and port scanning
You see this a lot with cyber security: if a tool or technique is used by infosec teams, you can be pretty sure that it’s useful to threat actors, too.
Within businesses, cyber security professionals routinely use port scanning to test network security and for checking issues such as the effectiveness of the system’s firewall.
Using the same kind of tools, an attacker learns a lot by sending connection requests to a target computer and recording which ports respond, and how. From that they can work out which applications and services the device is running, spot likely vulnerabilities (for example, a version banner that shows a known bug has not been patched), and use this intel to plan an attack.
So is port scanning legal?
First off, let’s look at two common uses of port scanning by cyber security professionals: 1) penetration testing and 2) compromised host detection.
Penetration testing
- Port scanning is carried out at an early stage in a penetration test. It allows you to identify and check the status of all network entry points available on a target system.
- Penetration testers include in-house staff whose job it is to identify and resolve security vulnerabilities across their employer’s network. It also includes security consultants hired for penetration testing by external clients.
- It also includes individuals who port scan networks for research purposes and to develop their own knowledge and penetration testing skills.
Compromised host detection
- Your company invites customers to log into your customer service portal. When a visitor arrives at your website, you probe several known ports on the visitor’s own device; specifically, ports that are sometimes used by remote-control tools or trojans.
- The result feeds a risk score, from which you decide whether to let the user log into your app or website.
- This can keep out not just attackers but also innocent users whose devices appear to be compromised. Note that it means probing devices you do not own, which is what makes the practice legally delicate.
Now let’s look at how these activities can fall foul of the law...
Under the U.S. Computer Fraud and Abuse Act (1986), it is a criminal offense to access a computer “without authorization” or to “exceed authorized access”.
While the intent of the law is to prosecute malicious hackers, its ambiguity has long posed a potential problem for security experts. On a strict reading of the Act, if you port scan a network without the owner’s consent then, technically, you are in breach of the law.
However, the Supreme Court’s June 2021 decision in Van Buren v. United States might be good news for security researchers. The court narrowed the “exceeds authorized access” clause: breaking a rule about how you may use data you are allowed to reach is not, by itself, an offense. Rather, the prohibition is limited to someone who “accesses a computer with authorization but then obtains information located in particular areas of the computer - such as files, folders or databases that are off limits to him”.
The decision is recent, so it remains to be seen how lower courts apply it. Note too that it concerned an insider who already had some authorization, whereas an unsolicited scan from outside raises the separate “without authorization” question, which the case did not decide. Even so, it may support the principle that simply pinging or port scanning a network, and nothing else, is not actionable.
The U.K., India and many other jurisdictions have similarly broadly-drafted laws. For example, section 1 of the U.K.’s Computer Misuse Act (1990) makes it an offence to cause a computer to perform any function with intent to secure unauthorised access to any program or data on it, knowing that the access is unauthorised; a port scan arguably “causes a computer to perform a function”.
So can you actually get into trouble for this type of ‘white hat’ port scanning? In most jurisdictions, prosecutors have guidelines setting out when they will and will not bring a case, and these amount to common-sense rules: if there’s no malicious intent and no actual damage, prosecution is generally unlikely.
You also cannot rule out the possibility that white hat port scanning will harm a third party. Suppose your unauthorized scan is picked up by an organisation’s perimeter defences and, in theory at least, the scan or the reaction to it slows down or temporarily disables a critical network function. If the organisation suffers loss as a result (and if the relevant country’s laws allow for it), there is a risk of a civil claim for damages to cover that loss.
- Several years ago, US Department of Justice Special Counsel Leonard Bailey gave advice at the Black Hat conference on how to stay out of trouble. The advice probably holds up well in lots of jurisdictions: “If you’re pinging a network, that’s not actionable. If you’re port-scanning, again, not a problem unless you’re doing it at a denial-of-service level. Beyond that, you may get questions.”
- Stay away from port scanning critical infrastructure and government sites.
- If you’ve been hired to port scan and pen test, stay strictly within the limits of the agreement.
- Your company might work with external partners whose systems are very closely linked to yours (shipping and other supply chain actors are prime examples). To keep your own network safe, it’s a very good idea to port scan these third-party devices. However, best practice dictates that you get written authorization from them before you do.
- Port scanning visitors to your website for compromised host detection may be technically illegal in your country. The chances of prosecution might be slim, but it remains a theoretical possibility.