loading
Papers Papers/2022 Papers Papers/2022

Research.Publish.Connect.

Paper

Paper Unlock

Authors: Nikolaos Tsalis ; George Stergiopoulos ; Evangelos Bitsikas ; Dimitris Gritzalis and Theodore Apostolopoulos

Affiliation: Information Security & Critical Infrastructure Protection (INFOSEC) Laboratory, Dept. of Informatics, Athens University of Economics and Business and Greece

Keyword(s): Modbus, Protocol, Side, Channel, Attack, Decision, Tree, Sequence, Unpadded, Cryptography, Scada, TCP.

Related Ontology Subjects/Areas/Topics: Applied Cryptography ; Cryptographic Techniques and Key Management ; Data Engineering ; Databases and Data Security ; Information and Systems Security ; Network Security ; Security Engineering ; Security in Distributed Systems ; Security in Information Systems ; Wireless Network Security

Abstract: With HMI systems becoming increasingly connected with the internet, more and more critical infrastructures are starting to query PLC/RTU units through the Web through MODBUS ports. Commands sent from such interfaces are inevitably exposed to potential attacks even if encryption measures are in place. During the last decade, side channels have been widely exploited, focusing mostly on information disclosure. In this paper, we show that despite encryption, targeted side channel attacks on encrypted packets may lead to information disclosure of functionality over encrypted TCP/IP running MODBUS RTU protocol. Specifically, we found that any web interface that implements unpadded encryption with specific block cipher modes (e.g. CFB, GCM, OFB and CTR modes) or most stream ciphers (e.g. RC4) to send MODBUS functions over TCP/IP is subject to differential packet size attacks. A major cause for this attack is the very small number of potential MODBUS commands and differences in packet sizes, which leads to distinctions in traffic. To support the importance of these findings, we conducted research on Shodan looking for relevant devices with open MODBUS ports over TCP/IP that utilize encrypted web traffic. The result was that a significant amount of web interfaces communicate with MODBUS ports and many use unpadded ciphers and SSL with AES-GCM or RC4. We also implemented a PoC on a simulated architecture to validate our attack models. (More)

CC BY-NC-ND 4.0

Sign In Guest: Register as new SciTePress user now for free.

Sign In SciTePress user: please login.

PDF ImageMy Papers

You are not signed in, therefore limits apply to your IP address 3.136.26.156

In the current month:
Recent papers: 100 available of 100 total
2+ years older papers: 200 available of 200 total

Paper citation in several formats:
Tsalis, N.; Stergiopoulos, G.; Bitsikas, E.; Gritzalis, D. and Apostolopoulos, T. (2018). Side Channel Attacks over Encrypted TCP/IP Modbus Reveal Functionality Leaks. In Proceedings of the 15th International Joint Conference on e-Business and Telecommunications - SECRYPT; ISBN 978-989-758-319-3; ISSN 2184-3236, SciTePress, pages 53-63. DOI: 10.5220/0006832702190229

@conference{secrypt18,
author={Nikolaos Tsalis. and George Stergiopoulos. and Evangelos Bitsikas. and Dimitris Gritzalis. and Theodore Apostolopoulos.},
title={Side Channel Attacks over Encrypted TCP/IP Modbus Reveal Functionality Leaks},
booktitle={Proceedings of the 15th International Joint Conference on e-Business and Telecommunications - SECRYPT},
year={2018},
pages={53-63},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006832702190229},
isbn={978-989-758-319-3},
issn={2184-3236},
}

TY - CONF

JO - Proceedings of the 15th International Joint Conference on e-Business and Telecommunications - SECRYPT
TI - Side Channel Attacks over Encrypted TCP/IP Modbus Reveal Functionality Leaks
SN - 978-989-758-319-3
IS - 2184-3236
AU - Tsalis, N.
AU - Stergiopoulos, G.
AU - Bitsikas, E.
AU - Gritzalis, D.
AU - Apostolopoulos, T.
PY - 2018
SP - 53
EP - 63
DO - 10.5220/0006832702190229
PB - SciTePress