Remote field device fingerprinting using device-specific modbus information

2016 IEEE 59th International Midwest Symposium on Circuits and Systems (MWSCAS)(2016)

Cited by 5 | Views 9

Abstract
Device fingerprinting can provide useful information for vulnerability assessment and penetration testing, but it can also facilitate the reconnaissance phase of a malicious campaign. This information becomes critical when the target devices are deployed in industrial environments, given the potential impact of cyber-attacks on critical infrastructure devices. In this paper, we propose a method for fingerprinting industrial devices that use the Modbus protocol. Our technique is based on the observation that implementations of the Modbus protocol differ between vendors. Although the Modbus protocol specification defines a device identification mechanism, several vendors do not implement it, or use different methods for identifying their devices. We exploit these implementation differences, together with the lack of authentication in the Modbus protocol, to fingerprint remote field devices. We evaluate the proposed methodology on Modbus-enabled devices that are directly connected to the internet and indexed by the Shodan search engine. Our analysis focuses on devices from four vendors used across different industry verticals. We accurately identified make and model information for 308 devices, improving the fingerprinting capabilities of Shodan by 28%.
Keywords
remote field device fingerprinting, device-specific Modbus information, Modbus protocol, device identification mechanism