By B.N. Frank
Cybersecurity experts continue to warn about significant risks and vulnerabilities associated with “Smart Farms” and Internet of Things (IoT) connected agriculture. Some in the agriculture industry, including John Deere, continue to invest in this technology anyway.
More terrifying warnings courtesy of Threat Post:
Connected Farms Easy Pickings for Global Food Supply-Chain Hack
John Deere security bugs could allow cyberattackers to damage crops, surrounding property or even people; impact harvests; or destroy farmland for years.
A group of hackers made an unnerving DEF CON 29 presentation showing how the sprawling growth of digital and automated farming has left the world’s food supply chain vulnerable to cyberattack.
A video for the DEF CON 29 hacker conference this week, put out by the group Sick Codes, explained that modern farming is a high-tech, data-driven business like any other, trying to innovate its way to wider margins.
Farms are connected by Wi-Fi, 5G, radio sensors and more, and increasingly, every operation on the farm is being monitored and its data collected for analysis. Sick Codes’ narrator, who goes by the handle Good Hackerman, used the John Deere 7450 Self-Propelled Forage Harvester as a prime example.
The monster tractor is fully automated, has GPS, has autonomous capabilities, and can even be controlled remotely by a John Deere customer service rep to help customers through issues.
Fears of a threat actor taking over the function of these machines to damage crops, surrounding property or even harm people, are real, Goodman said, adding that denial-of-service (DoS) attacks could have an enormous impact on harvests, and over-spraying of chemicals could destroy farmland for years.
All that needs to happen is for a hacker to upload “a firmware update that inserts an offset into the GPS locations used by the target,” the group said. “The target navigates itself into a highway, into a river, through a fence, over a cliff, or whatever. Target is destroyed.”
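A defender-side plausibility check for the GPS-offset scenario just described, as an added example that is not from the presentation or the Threat Post article. Guidance should refuse a position fix that leaves the configured field boundary or implies an impossible speed; the field polygon, the 5 m/s limit and the sample fixes below are constructed assumptions.

```python
import math

# Constructed field boundary as a (lat, lon) ring; a real system would load this per field.
FIELD = [(41.000, -93.000), (41.000, -92.990), (41.010, -92.990), (41.010, -93.000)]


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points."""
    earth_radius_m = 6_371_000.0
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * earth_radius_m * math.asin(math.sqrt(h))


def inside(pt, ring):
    """Ray-casting point-in-polygon test on (lat, lon) tuples."""
    x, y = pt
    hit = False
    for i in range(len(ring)):
        x1, y1 = ring[i]
        x2, y2 = ring[(i + 1) % len(ring)]
        if (y1 > y) != (y2 > y):                      # edge straddles the ray
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                hit = not hit
    return hit


def check_fix(prev, cur, dt_s, ring, max_speed_mps=5.0):
    """Return the reasons an incoming fix must not drive guidance (empty list = trusted).

    prev/cur are (lat, lon) fixes, dt_s the seconds between them. A constant
    offset injected into the receiver output shows up as a boundary violation,
    an implausible jump between consecutive fixes, or both.
    """
    reasons = []
    if not inside(cur, ring):
        reasons.append("outside field boundary")
    if prev is not None and dt_s > 0:
        speed = haversine_m(prev, cur) / dt_s
        if speed > max_speed_mps:
            reasons.append(f"implausible jump: {speed:.0f} m/s")
    return reasons


def apply_offset(fix, dlat, dlon):
    """Model the tampered output the text describes: a fix shifted by a fixed offset."""
    return (fix[0] + dlat, fix[1] + dlon)
```

A rejected fix should stop autonomous motion and raise an alert, rather than fall back silently to the last good position.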
Global Farm Data Unprotected
Locking down the world’s biggest farms’ data also might be worth a bit more consideration.
According to John Deere, current tractors being sold are connected to a moisture sensor monitor called HarvestLab, and an overall monitoring software system called Harvest Monitor, which displays real-time productivity measurements on a monitor. There’s also HarvestDoc software, which reads crop data like yield and GPS location, which can later be sent to the Apex Farm Management Software for analysis.
There’s also something called AutoLOC, a function which takes the HarvestLab moisture readings and makes adjustments to how long the tractor cuts the crop for the best outcomes.
It’s easy to see how this seamless, constant data collection and analysis could be handy for farmers; however, the security of holding all that data from the world’s modern farms in one single platform begs consideration, Hackerman points out.
Indeed, with some additional time, Sick Codes was able to breach the John Deere platform to make changes to supply networks, equipment reservations and even the contact details of those who received “demo units” from John Deere.
Sick Codes was also able to find a misconfiguration of John Deere’s Pega Chat Access Group Portal (CVE-2021-27653) that defaults to admin credentials, giving access over to anyone on the platform. From there the team was able to find additional credentials, the original signature password and even the encryption certificate.
“We could literally do whatever heck we wanted with anything we wanted on the John Deere operations center — period,” Goodman said. “That’s where we pretty much stopped because we pretty much had the whole organization.”
John Deere’s major competitor, Case, similarly has gaping security holes, the team added — including unprotected servers, personally identifiable information, IP addresses and more.