Device fingerprinting provides useful information for vulnerability assessment and penetration testing, and it can equally serve the reconnaissance phase of a malicious campaign. This information becomes critical when the target devices are deployed in industrial environments, given the potential impact of cyber-attacks on critical infrastructure. In this paper, we propose a method for fingerprinting industrial devices that use the Modbus protocol. Our technique rests on the observation that Modbus implementations differ between vendors. Although the Modbus specification defines a device identification mechanism (the Read Device Identification function), several vendors either do not implement it or identify their devices by other means. We exploit these implementation differences, together with the absence of authentication in Modbus, to fingerprint remote field devices. We evaluate the proposed methodology on Modbus-enabled devices that are directly connected to the internet and indexed by the Shodan search engine. Our analysis focuses on devices from four vendors used across different industry verticals. We accurately identified make and model information for 308 devices, improving the fingerprinting capabilities of Shodan by 28%.
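The following is an added illustration, not code from the paper or from any vendor: it builds the unauthenticated Modbus/TCP "Read Device Identification" request (function code 0x2B, MEI type 0x0E) that a fingerprinting probe would send, and parses the two kinds of answer the abstract describes: a device that returns its vendor, product code and revision objects, and a device whose implementation does not support the function and answers with a Modbus exception, which is itself a fingerprinting signal. The vendor name "ExampleVendor", product code "EV-100" and revision "V1.02" in the sample frames are constructed placeholders, not any real device's identity, and the frames are assembled inline so the code runs offline.

```python
import struct

FC_ENCAPSULATED_INTERFACE = 0x2B   # Modbus "Encapsulated Interface Transport"
MEI_READ_DEVICE_ID = 0x0E          # MEI type: Read Device Identification
READ_DEVICE_ID_BASIC = 0x01        # basic objects: VendorName, ProductCode, MajorMinorRevision
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_read_device_id(transaction_id=1, unit_id=0xFF,
                         read_code=READ_DEVICE_ID_BASIC, object_id=0x00):
    """Return a complete Modbus/TCP frame (MBAP header + PDU) for Read Device Identification.
    No credentials are involved: Modbus has no authentication, so any client may ask."""
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id])
    # MBAP: transaction id, protocol id (0 = Modbus), length = unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame):
    """Parse a Modbus/TCP response frame. Returns a dict describing either the
    identification objects or the exception the device raised."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header plus a minimal PDU")
    _tid, proto, length, _uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("not a Modbus protocol id")
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("truncated PDU")
    fc = pdu[0]
    if fc & 0x80:  # exception response: function code with high bit set, then exception code
        return {"status": "exception", "function": fc & 0x7F, "exception_code": pdu[1]}
    if fc != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID or len(pdu) < 7:
        raise ValueError("not a Read Device Identification response")
    _read_code, conformity, more_follows, _next_obj, count = pdu[2:7]
    objects = {}
    pos = 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("object header runs past PDU")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object value runs past PDU")
        name = BASIC_OBJECTS.get(obj_id, "object_0x%02x" % obj_id)
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"status": "ok", "conformity": conformity,
            "more_follows": more_follows, "objects": objects}


def classify(frame):
    """Turn a parsed answer into the fingerprinting outcome the abstract distinguishes:
    the device identifies itself, or it does not implement the mechanism."""
    parsed = parse_response(frame)
    if parsed["status"] == "ok":
        return "self-identifying: %s / %s / %s" % (
            parsed["objects"].get("VendorName", "?"),
            parsed["objects"].get("ProductCode", "?"),
            parsed["objects"].get("MajorMinorRevision", "?"))
    # Exception 0x01 (Illegal Function) is the usual answer from stacks that omit FC 0x2B;
    # the fingerprint must then fall back on other implementation differences.
    return "no device identification (exception 0x%02x); use behavioural fingerprint" % (
        parsed["exception_code"])


def _frame(pdu, transaction_id=1, unit_id=0xFF):
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample answers (placeholder vendor/product strings, not real devices).
SAMPLE_IDENTIFYING_RESPONSE = _frame(
    bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])   # read code, conformity, more, next, 3 objects
    + bytes([0x00, 13]) + b"ExampleVendor"
    + bytes([0x01, 6]) + b"EV-100"
    + bytes([0x02, 5]) + b"V1.02"
)
SAMPLE_EXCEPTION_RESPONSE = _frame(bytes([0x2B | 0x80, 0x01]))  # Illegal Function

if __name__ == "__main__":
    print("request:", build_read_device_id().hex())
    print(classify(SAMPLE_IDENTIFYING_RESPONSE))
    print(classify(SAMPLE_EXCEPTION_RESPONSE))
```

Against a live device the request frame would be written to TCP port 502 and the reply handed to `parse_response`; only do that on networks you are authorised to test, since even a read-only probe is visible to the controller and may be logged or, on fragile stacks, disruptive.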