“…to upload files to any user, log in as any user, destroy any farm, run any farm off the road, upload whatever we want, download whatever we want, destroy any data, log in to any third party accounts. We could literally do whatever the heck we wanted with anything we wanted on the John Deere operation center, period.“
Finally John Deere’s security vulnerabilities have come into my realm of attention and goodness it doesn’t look good, folks.
DEFCON 29 featured a presentation by ethical hacker, Sick Codes, who managed to get access to John Deere’s access to the machines it sells with which he could…do really whatever he wanted with that equipment.
Here’s the YouTube video in question: https://www.youtube.com/watch?v=zpouLO-GXLo
Shoutout to the scope of the area this Aussie demo’ed. You got my home region of west central Illinois! There’s a lot of these machines out here.
I want to break this down for non-sec folks to appreciate what the heck is happened.
DEFCON 29 happened about a week ago when these vulnerabilities started gaining traction for larger website publications like Vice.
DEFCON == Conference for Hacking and Digital Security Enthusiasts. Everyone from the shy computer kid from your old high school to your in-law who works for the NSA goes to this thing.
The hacking issues specifically relate to the autonomous vehicles from John Deere. Examples are like the John Deere 7450 ProDrive Forage Harvester.
Here’s some examples of what Sick Codes found he could do with the access he gained with about any John Deere machine:
Spraying. Think you’re spraying where you mean to? Not if your system was targeted. Your compromised system can now compromise your land. Sometimes even spraying 10x the amount of chemical in a given area that you meant. Maybe 10x less. The point is your land is now a target for biological warfare on domestic soil.
Machines Turned into Bricks or Weapons
You can’t access any part of your machine. Maybe the hacker renders it as useful as a cinder block in the middle of a field. Maybe they demand a ransom and there is little law enforcement or John Deere can really do for you there. Maybe the hacker overtakes control which the vehicle, compromises the GPS and decides to visit the neighbor’s field or the highway. Or the river.
Commodity and Carbon Credit Market Manipulation
Maybe all the hacker wants is your planting and harvest data. If you are one of many farmers I know who somewhat purposefully fudges your USDA crop census survey, do appreciate that the combine won’t lie for you.
From an individual farm, these data are somewhat impressive depending on what the hacker does. If you depend on machinery data to cash in on the emerging Carbon Credits industry, you can easily lose all of it.
But if, like Sick Codes, a hacker gained access to the whole network of John Deere machinery? That is enough real time planting and harvest data to manipulate the commodities markets. From there, the possibilities can go many places.
Other Folks Involved
Sick Codes did not tackle this issue and understand the implications without actual subject matter experts. He partnered with two Midwest folks, Willie Cade and Kevin Kenney. Both are active in right-to-repair dialogue going on right now.
I feel like this covers the What, the So What, but there’s not much of a Now What. That is unless John Deere is working behind the scenes with their own security folks trying to patch this stuff up RIGHT NOW. Honestly, this whole thing is egregious.
I’ve never been happier for folks still using their “dumb” machines to work fields. At this point, those folks are sincerely more secure in being able to bring in their harvests this or any season than their high tech neighbors. I wish I could feel better about that.
Here’s the frank truth. If your tractor connects to the internet in ANY WAY, you are connected to the Internet. If you are connected to the Internet, digital security is your problem as much as physical security.
Blunt Final Thoughts on This Issue
John Deere’s response to these issues indicate to me that more hackers need to take an interest in agriculture. Machine equipment alone presents unique IoT challenges with high impact. Agriculture I know looks simple from the outside, but it is a highly complex, global system. Humanity’s entire existence depends on it to work and work well.
Hackers looking for high impact and interesting problems, here’s your sign.