#DEFCON: Exploiting Vulnerabilities in the Global Food Supply Chain
Autonomous farming equipment that can be controlled remotely now helps to feed humanity. But what if that farming equipment were hacked?
On August 8, at the DEF CON 29 conference, an Australian researcher known only as ‘Sick Codes‘ detailed what he referred to as a “tractor load of vulnerabilities” that, if exploited by an attacker, would have dire consequences for the global food supply chain. The researcher explained that modern farming equipment is increasingly being automated, with the equipment being controlled from a centralized console that could have access to many different farms.
The researcher detailed a litany of disastrous potential things that can happen if an attacker were able to gain access to the connected farms. For example, a hacker could direct chemical treatments to be over-sprayed, turning fertile land into infertile land that can’t be used for generations. With a denial of service attack, the ability for a farmer to plant seeds at a critical time can be impacted, preventing the farmer from growing crops. Another large risk would come from the fact that an attacker could gain control of a farming device like a tractor and send it to the wrong location or even drive it off the farm onto a highway.
“What we consider downtime in a website for five minutes, might be the difference between a tractor driving auto track going offline, while the tractor keeps driving, hits a tree, or injures someone,” Sick Codes said.
The Vulnerabilities of the Connected Farm
The researcher noted that nearly every single farm today is connected with a variety of different technologies, including cellular with 4G and 5G, as well as Wi-Fi and GPS. Farming equipment also now increasingly makes use of the LoRa protocol, as well as NTRIP, which helps to provide accurate positioning.
In the case of farming equipment vendor John Deere, Sick Codes noted that information and control can be handled remotely via the John Deere Operations Center, which he and his colleagues were able to hack into.
There were multiple vulnerabilities that the researcher was able to discover, including what he referred to as a basic username enumeration issue. With that vulnerability, he was easily able to identify user names of equipment owners. There was also a Cross Site Scripting (XSS) vulnerability that enabled the researcher to get even more information.
“Obviously XSS is a really basic vulnerability, but what it does show you is that they’re not taking into consideration basic vulnerabilities,” the researcher said.
As it turns out, the XSS was only the least of the problems. Sick Codes detailed how he was able get access to a remote system that essentially gave him control of some connected farming devices that the John Deere Operations Center had access to.
“We could literally do whatever the heck we wanted with anything we wanted on the John Deere Operations Center, period,” he said.
The researcher noted that all the vulnerability information was disclosed to John Deere, which wasn’t immediately responsive. The researcher then also got the U.S government’s Cybersecurity and Infrastructure Security Agency (CISA) involved, which helped to get the issues remediated.
John Deere wasn’t the only farming equipment vendor where the researcher found issues. Case IH was also found to be lacking by Sick Codes. The researcher was able to learn that Case IH was using a publicly accessible Java Melody server, which provided visibility and control into equipment actions.
“We could just browse the Java Melody server for your sessions and it was all publicly accessible, which is ridiculous,” the researcher said.
The researcher noted that though it took some time, eventually he was able to get in contact with Case IH, and the vendor fixed the reported issues.