Farm equipment security at DEF CON 29

At DEF CON 29, a researcher explained why agricultural machinery should be considered critical infrastructure and demonstrated vulnerabilities in the main manufacturers’ equipment.

One of the most unusual presentations at the DEF CON 29 conference, held in early August, covered farm equipment vulnerabilities found by an Australian researcher who goes by the alias Sick Codes.

Vulnerabilities affecting the major manufacturers John Deere and Case IH were found not in tractors and combine harvesters, but in web services more familiar to researchers. Through them, it was possible to gain direct control over multi-ton and very expensive equipment, which poses a particular danger.

Modern agricultural machinery

For those unfamiliar with modern farming, the price of machinery seems astronomical. In his presentation, Sick Codes explained why tractors and combine harvesters are so expensive. The best examples of modern agricultural machinery are computerized and automated to a fairly high degree. This is illustrated by the example of the John Deere 9000 Series forage harvester, which is advertised as follows:

The 24-liter V12 engine and six-figure price tag are not even the main thing — this particular commercial enumerates the technical capabilities of the machine: spatial orientation system, automatic row pickup and location sensors and synchronization with the truck that receives the cut grain. To these capabilities, Sick Codes adds remote control and the ability to automatically connect tech support directly to the harvester for troubleshooting. It’s here that he makes a bold claim: modern farming is entirely dependent on the Internet.

Farming machinery threat model

Unsurprisingly, modern machinery is packed full of modern technology, from conventional GPS and 3G/4G/LTE positioning and communication systems to quite exotic inertial navigation methods for determining location on the ground with centimeter-level accuracy. The threat model conceived by Sick Codes is based on IT concepts, and sounds rather threatening when applied to reality.

What does a DoS attack on a field look like? Let’s suppose we can change a couple of variables in the software for spraying fertilizer on the soil and increase the dose multiple times over. We could easily make the field unfit for agriculture for years, or even decades, to come.

Or how about a simpler theoretical variant: we take control of a combine harvester and use it to damage, say, a power line. Or we hack the harvester itself and disrupt the harvesting process, causing huge losses for the farmer. On a national scale, such “experiments” could ultimately threaten food security. Networked farm equipment is, therefore, genuinely critical infrastructure.

And according to Sick Codes, the protection put in place by the suppliers of this very technology and infrastructure leaves a lot to be desired. Here’s what he and his like-minded team managed to find.

Username brute-forcing, password hardcoding and so on

Some of the John Deere infrastructure vulnerabilities presented at the conference are also described in an article on the researcher’s website. Sick Codes started out by signing up for a legitimate developer account on the company’s website (although, as he writes, he later forgot the name he used). Trying to remember it, he encountered something unexpected: the API performed a username look-up every time he typed a character. A quick check revealed that, yes, the usernames already in the system could be brute-forced.

Brute-forcing usernames. Source.

The usual limit on the number of requests from a single IP address was not in place. In just a couple of minutes, Sick Codes sent 1,000 queries, checking for usernames matching the names of the Fortune 1000 companies – he got 192 hits.
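The lookup endpoint described above is an existence oracle: each query answers whether a username is taken, and without a per-IP limit the answers can be harvested in bulk. The detection below is an added example, not code from the talk or from John Deere; it runs over constructed web-server access lines for a hypothetical `/api/users/exists` endpoint and flags any client that probes more than a threshold of distinct usernames within a sliding window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical endpoint and combined-log layout; both are assumptions for this example.
LOOKUP_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /api/users/exists\?username=([^ &"]+) HTTP'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, second, username):
    """Build one constructed access-log line (sample data, not real traffic)."""
    return (f'{ip} - - [06/Aug/2021:10:00:{second:02d} +0000] '
            f'"GET /api/users/exists?username={username} HTTP/1.1" 200 18')


# Constructed sample: one client probes 12 different names in 12 seconds,
# another checks its own name twice, which is ordinary sign-up behaviour.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, f"company{s}") for s in range(12)]
    + [_line("198.51.100.4", 5, "farmerjoe"), _line("198.51.100.4", 30, "farmerjoe")]
)


def flag_enumeration(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {ip: peak_distinct_usernames} for clients that exceed the threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOOKUP_RE.match(line)
        if m:
            ip, ts, user = m.groups()
            events[ip].append((datetime.strptime(ts, TS_FMT), user))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        in_window = Counter()   # username -> hits inside the current window
        start, peak = 0, 0
        for t, user in evs:
            in_window[user] += 1
            # Slide the window start forward until every event is within `window` of t.
            while t - evs[start][0] > window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))   # distinct names probed in one window
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Counting distinct usernames rather than raw requests keeps a user who retries their own name from tripping the rule; the same counter is the natural input for a per-IP rate limit on the endpoint itself.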

The next vulnerability was discovered in an internal service allowing customers to keep records of purchased equipment. As Sick Codes found out, anyone with access to this tool can view information about any tractor or combine harvester in the database. Access rights to such data are not checked. What’s more, the information is fairly confidential: vehicle owner, location, etc.
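The records service flaw above is a missing object-level authorization check: the record is looked up by identifier alone. The following is an added example, not the manufacturer's code, using a constructed in-memory record store; it shows the unchecked lookup beside a version that verifies ownership and returns one uniform error for both "no such record" and "not yours", so the endpoint cannot be used to confirm which identifiers exist.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised for any record the caller may not read, whether or not it exists."""


@dataclass(frozen=True)
class Equipment:
    equipment_id: str
    owner: str
    model: str
    location: str


# Constructed sample records (hypothetical, not real vehicle data).
RECORDS = {
    "EQ-1001": Equipment("EQ-1001", "alice", "forage harvester", "field A"),
    "EQ-1002": Equipment("EQ-1002", "bob", "tractor", "field B"),
}


def get_equipment_unchecked(user, equipment_id):
    """Weak form: the caller is authenticated but never authorized against the record."""
    return RECORDS[equipment_id]   # any logged-in user sees any vehicle's owner and location


def get_equipment(user, equipment_id):
    """Hardened form: the record is returned only to its owner."""
    record = RECORDS.get(equipment_id)
    # One error path for "missing" and "not owned" keeps the lookup from leaking valid ids.
    if record is None or record.owner != user:
        raise AccessDenied(equipment_id)
    return record
```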

At DEF CON 29, Sick Codes revealed a little more than what he wrote on his website. For instance, he also managed to access the service for managing demo equipment, with full demonstration history and personal data of company employees. Lastly, his colleagues detected a vulnerability in the corporate service Pega Chat Access Group, in the shape of a hardcoded admin password. Through this, he was able to get the access keys to John Deere’s client account. True, Sick Codes didn’t say what exactly this key opens up, but it appears to be another set of internal services.

For a bit of balance, Sick Codes also presented some vulnerabilities affecting John Deere’s European competitor, Case IH. There, he was able to access an unsecured Java Melody server monitoring some of the manufacturer’s services, which gave up detailed information about users and showed the theoretical possibility of hijacking any account.

Contacting the companies

For the sake of fairness, we should note that Sick Codes draws no direct link between the above-mentioned threats and the vulnerabilities he detected. Perhaps this is to avoid endangering ordinary farmers, or perhaps he simply found no such link. But based on the trivial security flaws presented, he concludes that the security culture in these companies is low, which allows us to assume that direct control over the combine harvesters is similarly protected. This remains an assumption, however.

All of the vulnerabilities in John Deere services have since been closed, but with some provisos. The manufacturer did not have any dedicated channel for reporting vulnerabilities. Sick Codes had a brief exchange with John Deere’s social media manager, after which he was asked to report the vulnerabilities through the company’s bug-bounty program on the HackerOne service – however, no such program existed. A rewards program for reporting vulnerabilities was eventually introduced, but participants are required to sign a non-disclosure agreement.