Fun with Modbus function code 90.

Forget 0 days, long live "forever days"! In this talk, we'll look at how Schneider PLCs rely on an undocumented Modbus function code for administrative actions (start/stop, downloading and uploading ladder logic, ...). We'll also demo the dedicated Metasploit program and discuss the security level of newer Schneider PLCs. We'll conclude with defensive measures you can take to prevent attacks that use this protocol.
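As an added illustration of the defensive side (not code from the talk or from Schneider), the sketch below parses Modbus/TCP frames and flags function code 90 requests from hosts outside an allowlist. The allowlist approach, the sample addresses, the helper names and the placeholder data bytes are assumptions made for this example.

```python
import struct

FC_ADMIN = 90   # 0x5A, the function code this talk is about
MBAP_LEN = 7    # transaction id (2) + protocol id (2) + length (2) + unit id (1)

def adu(tid, unit, fc, data=b""):
    """Build a Modbus/TCP frame (used only to construct the sample traffic)."""
    return struct.pack(">HHHBB", tid, 0, len(data) + 2, unit, fc) + data

def parse_frames(payload):
    """Yield (transaction_id, unit_id, function_code) for each complete frame
    in a TCP payload; stop at truncated or non-Modbus data."""
    off = 0
    while off + MBAP_LEN + 1 <= len(payload):
        tid, proto, length, unit = struct.unpack_from(">HHHB", payload, off)
        end = off + 6 + length          # length counts unit id + PDU
        if proto != 0 or not 2 <= length <= 254 or end > len(payload):
            return
        yield tid, unit, payload[off + MBAP_LEN]
        off = end

def detect_fc90(records, allowed_sources):
    """Return (src, transaction_id, unit_id) for every function code 90 request
    sent by a host that is not an approved engineering workstation."""
    alerts = []
    for src, payload in records:
        for tid, unit, fc in parse_frames(payload):
            if fc == FC_ADMIN and src not in allowed_sources:
                alerts.append((src, tid, unit))
    return alerts

# Constructed sample: payloads sent to TCP/502; data bytes after function
# code 90 are opaque placeholders, not real administrative commands.
ALLOWED = {"10.0.0.10"}                      # hypothetical engineering station
SAMPLE = [
    ("10.0.0.5", adu(1, 1, 3, struct.pack(">HH", 0, 2)) + adu(2, 1, 90, b"\x00\x00")),
    ("10.0.0.10", adu(3, 1, 90, b"\x00\x00")),
    ("10.0.0.5", adu(4, 1, 90, b"\x00\x00")[:-1]),   # truncated, ignored
]

if __name__ == "__main__":
    for alert in detect_fc90(SAMPLE, ALLOWED):
        print("function code 90 from unapproved host:", alert)
```

The same match (protocol id 0, function code byte equal to 90 at offset 7 of the frame) can be expressed as a firewall or IDS rule on the PLC network segment.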