Side Channel Attacks over Encrypted TCP/IP Modbus Reveal Functionality Leaks

Nikolaos Tsalis, George Stergiopoulos, Evangelos Bitsikas, Dimitris Gritzalis, Theodore Apostolopoulos

2018

Abstract

With HMI systems increasingly connected to the Internet, more and more critical infrastructures query their PLC/RTU units over the Web through MODBUS ports. Commands sent from such interfaces are exposed to attack even when encryption is in place. Over the last decade side channels have been widely exploited, mostly for information disclosure. In this paper we show that, despite encryption, targeted side channel attacks on encrypted packets can disclose which functionality is being invoked over encrypted TCP/IP carrying the MODBUS RTU protocol. Specifically, any web interface that sends MODBUS functions over TCP/IP using unpadded encryption, i.e. block cipher modes that preserve the plaintext length (e.g. CFB, GCM, OFB and CTR) or most stream ciphers (e.g. RC4), is subject to differential packet size attacks. The attack is enabled by the very small number of possible MODBUS commands and the differences in their packet sizes, which make the corresponding traffic distinguishable. To gauge the relevance of these findings, we searched Shodan for devices with open MODBUS ports over TCP/IP whose web traffic is encrypted. A significant number of web interfaces communicate with MODBUS ports, and many of them use unpadded ciphers, i.e. SSL with AES-GCM or RC4. We also implemented a PoC on a simulated architecture to validate our attack models.
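The differential packet size attack the abstract describes, as an added illustration that is not the paper's PoC: request and response ADUs are built for a handful of Modbus/TCP function codes, encrypted with a length-preserving cipher, and then classified from ciphertext sizes alone. The cipher here is a constructed SHA-256 keystream XOR standing in for AES-CTR/OFB/CFB/GCM or RC4 in the one property that matters, ciphertext length equal to plaintext length; the key, the function-code set and the fixed padding length (260 bytes, the maximum Modbus/TCP ADU) are assumptions made for the example.

```python
"""Differential packet-size fingerprinting of Modbus/TCP transactions under a
length-preserving cipher, and the fixed-length padding that defeats it.
Added illustration; not the paper's PoC."""
import hashlib
import struct

KEY = b"demo key, not secret"   # constructed demo key
MAX_ADU = 260                   # largest Modbus/TCP ADU: 7-byte MBAP + 253-byte PDU
FUNCTION_CODES = (1, 2, 3, 4, 5, 6, 15, 16)   # subset modelled below (assumption)


def mbap(tid: int, pdu: bytes, unit: int = 1) -> bytes:
    """Prefix a PDU with the MBAP header: transaction id, protocol id 0,
    length (= unit id byte + PDU), unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def exchange(fc: int, qty: int, tid: int = 1):
    """(request ADU, success-response ADU) for one Modbus/TCP transaction.
    Coil/register contents are zero-filled: only the sizes matter here."""
    addr = 0
    if fc in (1, 2):           # Read Coils / Read Discrete Inputs
        req = struct.pack(">BHH", fc, addr, qty)
        nbytes = (qty + 7) // 8
        resp = struct.pack(">BB", fc, nbytes) + bytes(nbytes)
    elif fc in (3, 4):         # Read Holding / Input Registers
        req = struct.pack(">BHH", fc, addr, qty)
        resp = struct.pack(">BB", fc, 2 * qty) + bytes(2 * qty)
    elif fc in (5, 6):         # Write Single Coil / Register: response echoes request
        req = struct.pack(">BHH", fc, addr, 0xFF00 if fc == 5 else qty)
        resp = req
    elif fc == 15:             # Write Multiple Coils
        nbytes = (qty + 7) // 8
        req = struct.pack(">BHHB", fc, addr, qty, nbytes) + bytes(nbytes)
        resp = struct.pack(">BHH", fc, addr, qty)
    elif fc == 16:             # Write Multiple Registers
        req = struct.pack(">BHHB", fc, addr, qty, 2 * qty) + bytes(2 * qty)
        resp = struct.pack(">BHH", fc, addr, qty)
    else:
        raise ValueError(f"function code {fc} not modelled")
    return mbap(tid, req), mbap(tid, resp)


def stream_encrypt(key: bytes, nonce: int, data: bytes, pad_to=None) -> bytes:
    """Toy CTR-style keystream (SHA-256 of key||nonce||counter) XORed onto data.
    Stands in for AES-CTR/OFB/CFB/GCM or RC4 only in that len(out) == len(in);
    it is NOT a real cipher. With pad_to set, the ADU is zero-filled to a fixed
    length first (the MBAP length field lets the receiver strip the padding)."""
    if pad_to is not None:
        if len(data) > pad_to:
            raise ValueError("ADU longer than padding target")
        data = data + bytes(pad_to - len(data))
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + struct.pack(">QQ", nonce, i)).digest()
        chunk = data[32 * i:32 * i + 32]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def fingerprint_table(pad_to=None, max_qty=16):
    """What the attacker precomputes offline: (request, response) ciphertext
    sizes -> function codes that could have produced them."""
    table = {}
    for fc in FUNCTION_CODES:
        for qty in range(1, max_qty + 1):
            req, resp = exchange(fc, qty)
            sizes = (len(stream_encrypt(KEY, 1, req, pad_to)),
                     len(stream_encrypt(KEY, 2, resp, pad_to)))
            table.setdefault(sizes, set()).add(fc)
    return table


def classify(table, c_req: bytes, c_resp: bytes):
    """Candidate function codes for one observed encrypted transaction."""
    return sorted(table.get((len(c_req), len(c_resp)), ()))


if __name__ == "__main__":
    req, resp = exchange(16, 10)     # write 10 holding registers
    c_req, c_resp = stream_encrypt(KEY, 7, req), stream_encrypt(KEY, 8, resp)
    print(len(c_req), len(c_resp), classify(fingerprint_table(), c_req, c_resp))
    # 33 12 [16]  -> the write is identified from sizes alone
    p_req = stream_encrypt(KEY, 7, req, MAX_ADU)
    p_resp = stream_encrypt(KEY, 8, resp, MAX_ADU)
    print(classify(fingerprint_table(MAX_ADU), p_req, p_resp))
    # [1, 2, 3, 4, 5, 6, 15, 16]  -> every modelled function remains a candidate
```

Reads and writes of the same register count separate cleanly because the variable-length data sits in the request for writes (FC 15/16) and in the response for reads (FC 1-4), so the (request, response) size pair is the distinguishing feature even though every single-register request is the same 12 bytes. Padding every ADU to a constant length before encryption collapses the table to one entry; TLS record padding or a fixed-size application framing achieves the same effect in practice.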

Paper Citation


in Harvard Style

Tsalis N., Stergiopoulos G., Bitsikas E., Gritzalis D. and Apostolopoulos T. (2018). Side Channel Attacks over Encrypted TCP/IP Modbus Reveal Functionality Leaks. In Proceedings of the 15th International Joint Conference on e-Business and Telecommunications - Volume 1: SECRYPT, ISBN 978-989-758-319-3, pages 53-63. DOI: 10.5220/0006832700530063


in Bibtex Style

@conference{secrypt18,
author={Nikolaos Tsalis and George Stergiopoulos and Evangelos Bitsikas and Dimitris Gritzalis and Theodore Apostolopoulos},
title={Side Channel Attacks over Encrypted TCP/IP Modbus Reveal Functionality Leaks},
booktitle={Proceedings of the 15th International Joint Conference on e-Business and Telecommunications - Volume 1: SECRYPT},
year={2018},
pages={53-63},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006832700530063},
isbn={978-989-758-319-3},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 15th International Joint Conference on e-Business and Telecommunications - Volume 1: SECRYPT
TI - Side Channel Attacks over Encrypted TCP/IP Modbus Reveal Functionality Leaks
SN - 978-989-758-319-3
AU - Tsalis N.
AU - Stergiopoulos G.
AU - Bitsikas E.
AU - Gritzalis D.
AU - Apostolopoulos T.
PY - 2018
SP - 53
EP - 63
DO - 10.5220/0006832700530063