Title
Remote field device fingerprinting using device-specific modbus information
Abstract
Device fingerprinting can provide useful information for vulnerability assessment and penetration testing, and can also facilitate the reconnaissance phase of a malicious campaign. This information becomes critical when the target devices are deployed in industrial environments, given the potential impact of cyber-attacks on critical infrastructure devices. In this paper, we propose a method for fingerprinting industrial devices that utilize the Modbus protocol. Our technique is based on the observation that implementations of the Modbus protocol differ between vendors. Although the Modbus protocol specification defines a device identification mechanism, several vendors do not implement this mechanism or use different methods for identifying their devices. We utilize these implementation differences, in conjunction with the lack of authentication in the Modbus protocol, to fingerprint remote field devices. We evaluate our proposed methodology on Modbus-enabled devices that are directly connected to the internet and indexed by the Shodan search engine. Our analysis focuses on devices from four vendors used across different industry verticals. We have accurately identified make and model information for 308 devices, improving the fingerprinting capabilities of Shodan by 28%.
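The "device identification mechanism" the abstract refers to is the Modbus Read Device Identification service (function code 43 with MEI type 14), which returns ASCII objects such as VendorName, ProductCode and MajorMinorRevision; a device that does not implement it answers with a Modbus exception (function code 0xAB, typically exception code 1, ILLEGAL FUNCTION), which is exactly the case where vendor-specific probing becomes necessary. The following is an added example, not code from the paper, showing both sides of that exchange over Modbus/TCP: the request a client sends, a parser for the reply, and constructed sample replies (the vendor name "ExampleCo", product code "EX-100" and revision "V1.2" are invented for illustration and do not describe any real device). Because Modbus carries no authentication, any TCP client that can reach port 502 can issue this request unchanged.

```python
"""Modbus/TCP Read Device Identification (FC 43 / MEI 14): request builder,
response parser and constructed sample traffic. Added example, not the paper's code."""
import struct

FC_READ_DEVICE_ID = 0x2B      # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E     # MEI type 14: Read Device Identification
READ_CODE_BASIC = 0x01        # basic objects: VendorName, ProductCode, MajorMinorRevision

OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
                0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
                0x06: "UserApplicationName"}
EXCEPTION_NAMES = {0x01: "ILLEGAL FUNCTION", 0x02: "ILLEGAL DATA ADDRESS",
                   0x03: "ILLEGAL DATA VALUE", 0x04: "SERVER DEVICE FAILURE"}


def mbap_wrap(pdu, transaction_id=1, unit_id=1):
    """Prefix a PDU with the 7-byte MBAP header; length counts unit id + PDU bytes."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_device_id(transaction_id=1, unit_id=1, read_code=READ_CODE_BASIC, object_id=0x00):
    """Client side: the request frame. No credentials are involved anywhere."""
    pdu = bytes([FC_READ_DEVICE_ID, MEI_READ_DEVICE_ID, read_code, object_id])
    return mbap_wrap(pdu, transaction_id, unit_id)


def build_device_id_response(objects, transaction_id=1, unit_id=1,
                             read_code=READ_CODE_BASIC, conformity=0x01):
    """Server side: single-frame reply (More Follows = 0) carrying {object_id: value}.
    Used here only to construct sample traffic for the parser."""
    body = bytes([read_code, conformity, 0x00, 0x00, len(objects)])  # ..., more_follows, next_id, count
    for oid, value in sorted(objects.items()):
        data = value.encode("ascii")
        body += bytes([oid, len(data)]) + data
    return mbap_wrap(bytes([FC_READ_DEVICE_ID, MEI_READ_DEVICE_ID]) + body, transaction_id, unit_id)


def build_exception_response(exception_code, transaction_id=1, unit_id=1):
    """Server side: exception reply (function code with the high bit set + exception code)."""
    return mbap_wrap(bytes([FC_READ_DEVICE_ID | 0x80, exception_code]), transaction_id, unit_id)


def parse_device_id_response(frame):
    """Parse a reply to Read Device Identification.

    Returns status "identified" with the decoded objects, or status "exception" when the
    device rejects the function (the case that forces vendor-specific fingerprinting).
    Raises ValueError on malformed or truncated frames instead of trusting the bytes."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("not Modbus: protocol id %d" % protocol_id)
    pdu = frame[7:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length %d does not match %d PDU bytes" % (length, len(pdu)))
    fc = pdu[0]
    if fc == (FC_READ_DEVICE_ID | 0x80):
        code = pdu[1]
        return {"status": "exception", "unit_id": unit_id, "exception_code": code,
                "exception": EXCEPTION_NAMES.get(code, "UNKNOWN (0x%02x)" % code)}
    if fc != FC_READ_DEVICE_ID or len(pdu) < 7 or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("unexpected function code 0x%02x / MEI type" % fc)
    read_code, conformity, more_follows, next_object_id, count = pdu[2:7]
    objects, off = {}, 7
    for _ in range(count):
        if off + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, olen = pdu[off], pdu[off + 1]
        value = pdu[off + 2:off + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated object value")
        objects[OBJECT_NAMES.get(oid, "Object0x%02x" % oid)] = value.decode("ascii", "replace")
        off += 2 + olen
    return {"status": "identified", "unit_id": unit_id, "read_code": read_code,
            "conformity": conformity, "more_follows": more_follows != 0,
            "next_object_id": next_object_id, "objects": objects}


def summarize(frame):
    """One-line fingerprint verdict from a reply frame."""
    r = parse_device_id_response(frame)
    if r["status"] == "identified":
        o = r["objects"]
        return " ".join(o.get(k, "?") for k in ("VendorName", "ProductCode", "MajorMinorRevision"))
    return "no device identification (%s): vendor-specific probe needed" % r["exception"]


# Constructed sample traffic (invented values, not captured from any real device).
SAMPLE_IDENTIFYING_REPLY = build_device_id_response({0x00: "ExampleCo", 0x01: "EX-100", 0x02: "V1.2"})
SAMPLE_REJECTING_REPLY = build_exception_response(0x01)   # device does not implement FC 43/14

if __name__ == "__main__":
    print("request:", build_read_device_id().hex())
    print(summarize(SAMPLE_IDENTIFYING_REPLY))
    print(summarize(SAMPLE_REJECTING_REPLY))
```

To use this against a live device you would send `build_read_device_id()` over a TCP connection to port 502 and feed the bytes read back into `parse_device_id_response`; do that only on equipment you are authorized to test. A device may legitimately answer with More Follows set, in which case the client re-issues the request with `object_id` set to the returned next object id, which this single-frame example does not loop over.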
Year: 2016
DOI: 10.1109/MWSCAS.2016.7870006
Venue: 2016 IEEE 59th International Midwest Symposium on Circuits and Systems (MWSCAS)
Keywords: remote field device fingerprinting, device-specific modbus information, Modbus protocol, device identification mechanism
Field: Authentication, Vulnerability assessment, Computer science, Critical infrastructure, Internet protocol suite, Implementation, Fingerprint, Modbus, Embedded system, The Internet
DocType: Conference
ISSN: 1548-3746
ISBN: 978-1-5090-0917-6
Citations: 0
PageRank: 0.34
References: 2
Authors: 2
Authors (Name, Order, Citations, PageRank; the citation and PageRank figures are run together in the source and are kept as extracted)
Anastasis Keliris, order 1, citations/PageRank: 224.56
M. Maniatakos, order 2, citations/PageRank: 35835.84