TY - GEN
T1 - Remote field device fingerprinting using device-specific modbus information
AU - Keliris, Anastasis
AU - Maniatakos, Michail
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/7/2
Y1 - 2016/7/2
AB - Device fingerprinting can provide useful information for vulnerability assessment and penetration testing, and can also facilitate the reconnaissance phase of a malicious campaign. This information becomes critical when the target devices are deployed in industrial environments, given the potential impact of cyber-attacks on critical infrastructure devices. In this paper, we propose a method for fingerprinting industrial devices that utilize the Modbus protocol. Our technique is based on the observation that implementations of the Modbus protocol differ between vendors. Although the Modbus protocol specification defines a device identification mechanism, several vendors do not implement this mechanism or use different methods for identifying their devices. We utilize these implementation differences, in conjunction with the lack of authentication in the Modbus protocol, to fingerprint remote field devices. We evaluate our proposed methodology on Modbus-enabled devices that are directly connected to the internet and indexed by the Shodan search engine. Our analysis focuses on devices from four vendors used across different industry verticals. We have accurately identified make and model information for 308 devices, improving the fingerprinting capabilities of Shodan by 28%.
UR - http://www.scopus.com/inward/record.url?scp=85015889459&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85015889459&partnerID=8YFLogxK
U2 - 10.1109/MWSCAS.2016.7870006
DO - 10.1109/MWSCAS.2016.7870006
M3 - Conference contribution
AN - SCOPUS:85015889459
T3 - Midwest Symposium on Circuits and Systems
BT - 2016 IEEE 59th International Midwest Symposium on Circuits and Systems, MWSCAS 2016
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 59th IEEE International Midwest Symposium on Circuits and Systems, MWSCAS 2016
Y2 - 16 October 2016 through 19 October 2016
ER -