{"id":18963,"date":"2021-10-11T22:28:05","date_gmt":"2021-10-11T18:28:05","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/hacking-agriculture-defcon29\/18963\/"},"modified":"2021-10-11T22:28:17","modified_gmt":"2021-10-11T18:28:17","slug":"hacking-agriculture-defcon29","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/hacking-agriculture-defcon29\/18963\/","title":{"rendered":"Farm equipment security at DEF CON 29"},"content":{"rendered":"<p>One of the most unusual presentations at the DEF CON 29 conference, held in early August, covered farm equipment vulnerabilities <a href=\"https:\/\/www.youtube.com\/watch?v=zpouLO-GXLo\" target=\"_blank\" rel=\"nofollow noopener\">found<\/a> by an Australian researcher who goes by the alias <a href=\"https:\/\/twitter.com\/sickcodes\" target=\"_blank\" rel=\"nofollow noopener\">Sick Codes<\/a>.<\/p>\n<p>Vulnerabilities affecting the major manufacturers John Deere and Case IH were found not in tractors and combine harvesters, but in web services more familiar to researchers. Through them, it was possible to gain direct control over multi-ton and very expensive equipment, which poses a particular danger.<\/p>\n<h2>Modern agricultural machinery<\/h2>\n<p>For those unfamiliar with modern farming, the price of machinery seems astronomical. In his presentation, Sick Codes explained why tractors and combine harvesters are so expensive. The best examples of modern agricultural machinery are computerized and automated to a fairly high degree. 
This is illustrated by the example of the John Deere 9000 Series forage harvester, which is advertised as follows:<\/p>\n<p><a href=\"https:\/\/www.youtube.com\/watch?v=pc8NAKoXoRg\" target=\"_blank\" rel=\"nofollow noopener\">Video: John Deere 9000 Series forage harvester commercial (YouTube)<\/a><\/p>\n<p>The 24-liter V12 engine and six-figure price tag are not even the main thing \u2014 this particular commercial enumerates the technical capabilities of the machine: a spatial orientation system, automatic row pickup, location sensors, and synchronization with the truck that receives the cut grain. To these capabilities, Sick Codes adds remote control and the ability to connect tech support directly to the harvester for troubleshooting. It\u2019s here that he makes a bold claim: modern farming is entirely dependent on the Internet.<\/p>\n<h2>Farming machinery threat model<\/h2>\n<p>Unsurprisingly, modern machinery is packed full of modern technology, from conventional GPS and 3G\/4G\/LTE positioning and communication systems to quite exotic <a href=\"https:\/\/en.wikipedia.org\/wiki\/Real-time_kinematic_positioning\" target=\"_blank\" rel=\"nofollow noopener\">inertial navigation methods<\/a> for determining location on the ground with centimeter-level accuracy. The threat model conceived by Sick Codes is built on IT concepts, and it sounds rather threatening once applied to physical machinery.<\/p>\n<p>What does a DoS attack on a field look like? Let\u2019s suppose we can change a couple of variables in the software for spraying fertilizer on the soil and increase the dose multiple times over. 
We could easily make the field unfit for agriculture for years, or even decades, to come.<\/p>\n<p>Or how about a simpler theoretical variant: we take control of a combine harvester and use it to damage, say, a power line. Or we hack the harvester itself and disrupt the harvesting process, causing huge losses for the farmer. On a national scale, such \u201cexperiments\u201d could ultimately threaten food security. Networked farm equipment is, therefore, genuinely critical infrastructure.<\/p>\n<p>And according to Sick Codes, the protection put in place by the suppliers of this very technology and infrastructure leaves a lot to be desired. Here\u2019s what he and his like-minded team managed to find.<\/p>\n<h2>Username brute-forcing, password hardcoding and so on<\/h2>\n<p>Some of the John Deere infrastructure vulnerabilities presented at the conference are also described in an <a href=\"https:\/\/sick.codes\/leaky-john-deere-apis-serious-food-supply-chain-vulnerabilities-discovered-by-sick-codes-kevin-kenney-willie-cade\/\" target=\"_blank\" rel=\"nofollow noopener\">article on the researcher\u2019s website<\/a>. Sick Codes started out by signing up for a legitimate developer account on the company\u2019s website (although, as he writes, he later forgot the name he used). Trying to remember it, he encountered something unexpected: the site queried the API for a matching username every time he typed a character. 
A quick check revealed that, yes, the usernames already in the system could be brute-forced.<\/p>\n<div id=\"attachment_42403\" style=\"width: 1150px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/10\/11222813\/hacking-agriculure-defcon29-logins.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-42403\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/10\/11222813\/hacking-agriculure-defcon29-logins.png\" alt=\"Brute-forcing usernames\" width=\"1140\" height=\"570\" class=\"size-full wp-image-18964\"><\/a><p id=\"caption-attachment-42403\" class=\"wp-caption-text\">Brute-forcing usernames. <a href=\"https:\/\/www.youtube.com\/watch?v=zpouLO-GXLo\" target=\"_blank\" rel=\"nofollow noopener\">Source.<\/a><\/p><\/div>\n<p>The usual limit on the number of requests from a single IP address, standard in such systems, was not in place. In just a couple of minutes, Sick Codes sent 1,000 queries, checking for usernames matching the names of the Fortune 1000 companies \u2013 he got 192 hits.<\/p>\n<p>The next vulnerability was discovered in an internal service allowing customers to keep records of purchased equipment. As Sick Codes found out, anyone with access to this tool can view information about any tractor or combine harvester in the database: access rights to such data are not checked. What\u2019s more, the information is fairly confidential: vehicle owner, location, etc.<\/p>\n<p>At DEF CON 29, Sick Codes revealed a little more than what he wrote on his website. For instance, he also managed to access the service for managing demo equipment, with full demonstration history and personal data of company employees. 
Lastly, his colleagues detected a <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-27653\" target=\"_blank\" rel=\"nofollow noopener\">vulnerability<\/a> in the corporate service Pega Chat Access Group, in the shape of a hardcoded admin password. Through this, he was able to get the access key to John Deere\u2019s client account. True, Sick Codes didn\u2019t say what exactly this key opens up, but it appears to be another set of internal services.<\/p>\n<p>For a bit of balance, Sick Codes also presented some vulnerabilities affecting John Deere\u2019s European competitor, Case IH. There, he was able to access an unsecured JavaMelody server monitoring some of the manufacturer\u2019s services, which gave up detailed information about users and showed the theoretical possibility of hijacking any account.<\/p>\n<h2>Contacting the companies<\/h2>\n<p>For the sake of fairness, we should note that Sick Codes draws no direct link between the above-mentioned threats and the vulnerabilities he detected. Perhaps in order not to endanger ordinary farmers. Or maybe he didn\u2019t find any such link. But based on the trivial security flaws presented, he concludes that the security culture in these companies is low, which lets us assume that direct control over the combine harvesters is protected no better. But this remains an assumption.<\/p>\n<p>All of the vulnerabilities in John Deere services have since been closed, but with some provisos. The manufacturer did not have any special contact channel for reporting vulnerabilities. Sick Codes had a brief exchange with John Deere\u2019s social media manager, after which he was asked to report the vulnerabilities through the bug-bounty program on the HackerOne service \u2013 however, no such program was found there. 
A rewards program for reporting vulnerabilities was eventually introduced, but participants are required to sign a non-disclosure agreement.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At DEF CON 29, a researcher explained why agricultural machinery should be considered critical infrastructure and demonstrated vulnerabilities in the main manufacturers\u2019 equipment.<\/p>\n","protected":false},"author":665,"featured_media":18966,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916],"tags":[724,741,268],"class_list":{"0":"post-18963","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-critical-infrastructure","10":"tag-def-con","11":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/hacking-agriculture-defcon29\/18963\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/hacking-agriculture-defcon29\/23486\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/hacking-agriculture-defcon29\/25561\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/hacking-agriculture-defcon29\/23632\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/hacking-agriculture-defcon29\/23075\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/hacking-agriculture-defcon29\/26237\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/hacking-agriculture-defcon29\/25771\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/hacking-agriculture-defcon29\/31695\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/hacking-agriculture-defcon29\/10154\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/hacking-agriculture-defcon29\/42402\/"},{
"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/hacking-agriculture-defcon29\/17891\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/hacking-agriculture-defcon29\/18279\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/hacking-agriculture-defcon29\/15409\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/hacking-agriculture-defcon29\/27575\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/hacking-agriculture-defcon29\/27713\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/hacking-agriculture-defcon29\/24476\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/hacking-agriculture-defcon29\/29838\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/hacking-agriculture-defcon29\/29636\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/def-con\/","name":"def con"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18963"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18963\/revisions"}],"predecessor-version":[{"id":18965,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18963\/revisions\/18965"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/18966"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/w
p-json\/wp\/v2\/categories?post=18963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=18963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}