Farm equipment security at DEF CON 29
kaspersky.com
Farmer here. I've been saying for years to my fellow farmers that equipment security shouldn't be dismissed.
I did not focus much on tractors, though, but automatized irrigation systems that allow remote access and configuration. When choosing my own options, and since I never had the information I needed, I always chose the simplest solution, i.e., local manual configuration without remote access.
Around here the public water supply is remotely controlled, but like an Intranet, via optical fiber. I suspect this has to do not only with poor reception in remote locations but also with security. But water meters are accessed via SIM, I think.
Every time I mention any concerns with security, however, these are met with skepticism. The usual inability to foresee third-parties' motivations, in variations of
"Why would anyone want to interfere with my equipment?"
are very common. And I admittedly lack the skills to raise concerns for this issue past saying that ignorance of threats doesn't make them go away. My only hypothetical case is systematic crop failure due to poor irrigation associated with futures markets that depend on yields.
> "Why would anyone want to interfere with my equipment?"
Oh yes, this sounds way too familiar. "Why would anyone want to hack my system?" - pretty much most people I talked to about IT security, between circa 2000 and 2010, give or take a few years.
> My only hypothetical case is systematic crop failure due to poor irrigation associated with futures markets that depend on yields.
Besides stock market manipulation, ransomware and warfare, any 12 year old who discovers shodan.io or mass-scan can potentially stumble over some Internet exposed, remote control interface. A random 12 year old will go ahead and destroy stuff simply because that's cool or whatever, without thinking twice about it. Source: Just ask anybody who has ever been talked into doing IT at a school.
As you also said, it's hard to guess what motivations someone might have. And when you connect some device to the Internet, you are actually connecting the Internet to the device. Seems to be an often overlooked issue with IoT or smart-somethings.
The average person does not understand that hooking up a device to the internet is like moving into an unlit, unregulated, unpoliced neighborhood. Shady people could come knocking at your door with heavy weapons, and you had better have ample and up-to-date defenses already in place or they are coming in for a visit.
> "Why would anyone want to interfere with my equipment?"
Because it's interesting and "because we can". It's a challenge without any other motivation besides curiosity.
But let's say some ransomware outfit discovers farmers as their niche, because the security barrier is relatively low and it's a time sensitive business. Your crops are ready to harvest, but your equipment is not starting until you pay the ransom? What can you do then? Waiting and letting the crops rot is not an option, renting hardware from others can be difficult/expensive/impossible, so most would pay the ransom. I haven't heard of attacks targeting farmers/farm equipment in particular, but it could be a real problem in the future.
Or, fantasizing here: some opposing nation state wants to disrupt food supply?
Or: very nasty farmer with the same crop hacks your equipment so you and most of his other competitors can't deliver, allowing him to gouge prices due to near-monopoly.
Knowing how most farmers live on a razor's edge between subsistence and famine, this is fucking terrifying.
This works well with some bets on stock prices, too.
More like "farm equipment manufacturers have insecure backoffice web services" with some tenuous and unsubstantiated highly contrived links to fanciful action movie sub-plots.
I agree that automotive and farm equipment have generally mediocre security track records and that, with the addition of remote connectivity, these issues are concerning. But all hyperbole and breathless reporting like this gains us is an excuse for repair hostility under the guise of "security."
I believe by gut feeling, that the "heavy farm equipment with tracking and repossession built-in" example directly inflames ancient tensions between farmers and remote management. The psychological trigger of the topic adds power and excitement to both sides of that, and security shenanigans multiply, with publicity.
Not just repair hostility: especially JD sought to wall in their garden a decade or so ago. They went all-in on Canbus/SAE J1939 and used the proprietary word spec to keep out other manufacturers of ag automation. I worked at Trimble Navigation during that time, remember it well. Most manufacturers were still using direct hydraulic controls then. Not JD. Evidently things have just got worse since.
Isn't using J1939 just an example of them embracing an industry standard? That stuff is everywhere now, right?
It is how you embrace J1939 that makes the difference. In a J1939 dataframe two data words are defined: one open, the other proprietary. The proprietary word can be, and is with JD's implementation, encrypted. Therefore, anything actuated by the proprietary word is operable iff you have the key.
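Added example, not part of the thread and not any vendor's code: in SAE J1939 the PGN 0xEF00 (Proprietary A) and the range 0xFF00-0xFFFF (Proprietary B) are set aside for manufacturer-defined content, so a bus capture can be audited for how much of its traffic is opaque to third parties. The log lines below are constructed and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed candump-style lines (timestamp, interface, ID#DATA); not a real capture.
SAMPLE_LOG = """\
(1628000000.000100) can0 0CF00400#F07D7D6813FFFFFF
(1628000000.000200) can0 18FEF100#FFFFFFFFFFFFFFFF
(1628000000.000300) can0 18EF2100#A1B2C3D4E5F60718
(1628000000.000400) can0 18FF1027#0011223344556677
(1628000000.000500) can0 123#DEADBEEF
"""
LINE_RE = re.compile(r"^\(\d+\.\d+\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)$")

def decode_j1939_id(can_id):
    """Split a 29-bit identifier into J1939 priority, PGN, destination, source."""
    pf = (can_id >> 16) & 0xFF          # PDU format byte
    pgn = (can_id >> 8) & 0x3FFFF       # EDP, DP, PF, PS
    dest = 0xFF                         # PDU2 frames are broadcast
    if pf < 240:                        # PDU1: PS byte is a destination address
        dest = (can_id >> 8) & 0xFF
        pgn &= 0x3FF00                  # ...so it is not part of the PGN
    return {"priority": (can_id >> 26) & 0x7, "pgn": pgn,
            "dest": dest, "source": can_id & 0xFF}

def classify_pgn(pgn):
    """Label PGNs in the ranges J1939 reserves for manufacturer-defined data."""
    low = pgn & 0xFFFF                  # page bits are ignored for this check
    if low == 0xEF00:
        return "proprietary-A"          # peer-to-peer, layout defined by vendor
    if 0xFF00 <= low <= 0xFFFF:
        return "proprietary-B"          # broadcast, layout defined by vendor
    return "standard"

def summarize(log_text):
    """Count frames per category; 11-bit frames cannot carry a J1939 PGN."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        id_hex = m.group(1)
        if len(id_hex) != 8:            # candump prints 29-bit IDs as 8 hex digits
            counts["not-j1939"] += 1
            continue
        counts[classify_pgn(decode_j1939_id(int(id_hex, 16))["pgn"])] += 1
    return dict(counts)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```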
Thanks!
You seem to be saying electronic controls are bad. Why?
They are not innately bad, but they are implemented in a bad way. A system of hydraulic control lines cannot be locked behind copyright. They can be physically fixed. A cracked manifold can be welded or replaced. But when fixing a modern electronic system you must have the permission of the manufacturer before replacing a part, or even opening some boxes. Any mechanic can see leaking hydraulic fluid. But modern electronic systems can require special/expensive tools just to read the error code telling you which part has failed.
Next up: John Deere invents a hydraulic rights management (HRM) system that implements a communication protocol between hydraulic components using high frequency pressure changes in the hydraulic lines. These signals are interpreted by mechanical/hydraulic processing units to p̵r̵e̵v̵e̵n̵t̵ ̵t̵a̵m̵p̵e̵r̵i̵n̵g̵ ̵w̵i̵t̵h̵ ensure the quality of the product.
Don’t give them ideas. They have proven themselves willing to screw their customers. Don’t give them another way to extort us.
> is an excuse for repair hostility under the guise of "security."
That's what every other company has been trying to do too, not just farm equipment manufacturers. If you look between the lines you'll find that the "security industry" is largely in favour of corporate-authoritarianism. Thankfully, not everyone is stupid, and I suspect farmers are actually more likely to spot the BS.
> If you look between the lines you'll find that the "security industry" is largely in favour of corporate-authoritarianism.
If you're looking for some unreasonably secure device, obviously you have to bake an apple pie from scratch in order to ensure no steps in your supply line are tampered with. Current system has plenty of problems with which that's being used as a defense though, and the fact that those systems are so closed is what allows zerodium to exist in the first place.
I think, reasonably secure would already be enough. Not even that level is reached.
Goes right along with "Bugs allowed hackers to dox John Deere tractor owners" https://news.ycombinator.com/item?id=26903482
'Goes right along with' as in it's the same work, this submission is just blog author's write up of a presentation of it (or whatever) at Def Con 29.
The researcher's write-up from April: https://sick.codes/leaky-john-deere-apis-serious-food-supply... (submitted thrice but not discussed.)
Modern large scale farming is really not that much different from other industrial endeavors. Increasingly, small farms have to sell out to the industrial farms due to the economics.
Link to the actual talk (why didn't op just link to the talk?) maybe, instead of linking to the website of a "security software" company with ties to the FSB?
Because a written summary is nice for people who want to read and might not be in a place where they can watch a video / listen to a talk?
There is a much better original article [1] though.
[1] https://sick.codes/leaky-john-deere-apis-serious-food-supply...
This is a pretty low effort click-driving blog post though IMO - 'someone did a thing' - I linked 'someone's' ('Sick Codes'') original post on the 'thing' below.
With also a fragment of the meaning
I’m still fascinated how some people believe “ties to FSB” are somehow different from ties to NSA.
It's reasonable that "ties to the Zerg" would raise more eyebrows. Ties to a foreign entity are different to ones from the same political bloc/your own country.
It's just a manifestation of "us vs them" mentality.
This link doesn't work for me in Canada, because of some faulty re-routing that Kaspersky's backend is doing (keep getting redirected to https://www.kaspersky.ca/fr). This one does: https://usa.kaspersky.com/blog/hacking-agriculture-defcon29/...
One could have seen it coming...
https://www.vice.com/en/article/xykkkd/why-american-farmers-...