DEF CON: Security Holes In Deere, Case IH Shine Spotlight On Agriculture Cyber Risk

chicksdaddy shares a report from The Security Ledger: A lot has changed in the agriculture sector in the last decade. And farm country's cybersecurity bill has come due in a big way. A (virtual) presentation at the annual DEF CON hacking conference in Las Vegas on Sunday described a host of serious, remotely exploitable holes in software and services by U.S. agricultural equipment giants John Deere and Case IH, The Security Ledger reports. Together, the security flaws and misconfigurations could have given nation-state hackers access to Deere's global product infrastructure, sensitive customer and third-party data and, potentially, the ability to remotely access critical farm equipment like planters and harvesters that are the lynchpin of the U.S. food chain.

The talk is the most detailed presentation, to date, of a range of flaws in Deere software and services that were first identified and disclosed to the company in April. The disclosure of two of those flaws in the company's public-facing web applications set off a scramble by Deere and other agricultural equipment makers to patch the flaws, unveil a bug bounty program and to hire cyber security and embedded device security talent.

In addition to a slew of common web flaws like Cross Site Scripting- and account enumeration bugs linked to Deere's web site and public APIs, the researchers discovered a vulnerability (CVE-2021-27653) in third-party software by Pega Systems, a maker of customer relationship management (CRM) software that Deere uses. A misconfiguration of that software gave the researchers administrative access to the remote, back end Pegasystems server. With wide ranging, administrative access to the production backend Pega server, the researchers were able to obtain other administrative Pegasystems credentials including passwords, security audit logs, as well as John Deere's OKTA signing certificate for the Pegasystems server, according to the presentation. In an email statement to The Security Ledger, a John Deere spokesperson said that "none of the claims -- including those identified at DEF CON -- have enabled access to customer accounts, agronomic data, dealer accounts, or sensitive personal information," though data included in the presentation as well as prior public disclosures make clear that sensitive data on Deere employees, equipment, customers and suppliers was exposed.

They all do it on the cheap

[gweihir]

Until caught. Then some patch, and some try lying instead first. Some do both. It is _known_ how to do this right. It just costs a bit more because you need to hire people with a clue.

Re:

[caseih]

Yes and how many experts and graduates think about applying at a tractor maker, compared to the tech giants like Google, Apple, Amazon, etc.

Personally I like what technology has done for farming, but I have no interest in cloud-connected tractors

Re:They all do it on the cheap

[cusco]

I've been following Deere and precision agriculture on Spectrum, the IEEE magazine.

https://spectrum.ieee.org/want... [ieee.org]

  Want a Really Hard Machine Learning Problem? Try Agriculture, Says John Deere Labs

What’s the world’s hardest machine learning problem? Autonomous vehicles? Robots that can walk? Cancer detection?

Nope, says Julian Sanchez. It’s agriculture. . .

The scale of the data is also daunting, Rostapshov points out. “We are one of the largest users of cloud computing services in the world,” he says. “We are gathering 5 to 15 million measurements per second from 130,000 connected machines globally. We have over 150 million acres in our databases, using petabytes and petabytes [of storage]. We process more data than Twitter does.”
- - - -
Perhaps they should have invested a bit more in security as well.

Re:

[gweihir]

Perhaps they should have invested a bit more in security as well.

Indeed. You can even read about IT security disasters in the mainstream press regularly for the last decade or so.

Re:

[dowhileor]

I think it's because AI cannot or are not allowed to grow food without human intervention, but that just may be conspiracy theory on my part? But still, the possibilities, the impact, the application....

Re:

[cusco]

I think more it's just that there isn't an end-to-end solution yet, there are a lot of parts that work well on their own but the full integration is still a ways down the road.

Re:

[chicksdaddy]

Yes. 35 open recs at John Deere that contain “cyber security” in the job description. Prior to these stories coming to light, the company had hardly any embedded device security and cyber talent on staff - and most of the Deere employees with infosec in their title had been at the company for decades (that is: maybe looked at things through tinted lenses) and didn’t have ‘traditional’ infosec backgrounds. https://jobs.deere.com/search/... [deere.com]

Re: They all do it on the cheap

[anonymouscoward52236]

They have grumpy users that will turn on a dime and say: see, I TOLD YOU that all that smart stuff is just garbage. (Then they get out their old non-smart tractor and finish the job.)

Re:

[cusco]

They might do it once, in emergency, but farmers aren't stupid. They see the ROI on the Precision Farming investment and keep investing in it because the payback makes it worthwhile. Farmers love to complain about any damn thing, weather, no-repair agreements, seed-saving prohibitions, subsidy reductions, etc. but that's just because they're human. At the end of the day they do what benefits them the most, and attempting to return to "the good old days" certainly ain't it.

Re:

[gweihir]

Ever heard of companies _searching_ for the experts they need? There are even services that help with this. Salaries, benefits and working conditions can also make a ton of difference.

Either do not connect tractors to the Internet in any way or realize you are now an IT shop and need IT security experts.

Re:

[gtall]

"Either do not connect tractors to the Internet in any way or realize you are now an IT shop and need IT security experts."

At least from the synopsis, it wasn't the tractors that were getting hacked. It was the backend systems. It probably isn't too far in the future when the tractors will get hacked as well. But those issues are similar to automobile issues and can probably be solved in the same way. The difference is that a large scale farm has a lot of money at stake and also represents a national econom

Re:

[ChoGGi]

I know RTFA isn't standard, but the defcon video ends by talking about the Qualcomm connectivity chip used and it's list of vulns, so that's probably the next presentation.

Re:

[Mattcelt]

The system he was able to compromise allows for the direct download of new software and data to equipment (tractors, etc.).

One exploit in the delivery mechanism, and those 130,000 machines - and the agriculture that rely on them - are in trouble.

Re:

[dowhileor]

Because the latest applications to worship needs to be sexy and shiny? An application is an application, just a noun to many but I understand development from that perspective does not get one the office job where one can ride along on an electric scooter, in sandals.... But there must be a middle ground between a vibrator being cloud ready and a completely sensible application of cloud infrastructure thus requiring our critical eye....and not caring about "apps" at all?

How?

[SlashbotAgent]

you need to hire people with a clue.

Easier said than done. You don't know what you don't know, therefore you don't know what they don't know.

True to form, every developer seems positively certain that they are the subject matter expert on all aspects of their project. Just ask them and they'll tell you. As an armchair developer you too seem to be laying claim to a great detail of understanding of a product development project and company with which you almost certainly have no experience whatsoever.

Then later it turns out that they didn't act

Interviewing is a skillset more managers should ha

[raymorris]

Interviewing technical people is difficult. That's certainly true. It's a skillset that a lot of people don't have, an area in which a lot of people aren't strong. Same with recruiting.

So is programming, or network design or journalism. All skillsets that not everyone has. It is also a learnable skillset like the others. A security analyst is expected to have the skills to interpret alerts coming from the SIEM. They should know how to do that, even though most people don't, because that's their job. The job

I say it's time to send John Deere a "Dear John".

[Joe_Dragon]

I say it's time to send John Deere a "Dear John".

Re:

[Z00L00K]

Today you don't own Tractor, Tractor owns You.

Re: I say it's time to send John Deere a "Dear Joh

[93 Escort Wagon]

In Soviet Russia, you own tractor!

Re: Great!

[Malays2 bowman]

like this one filmed in Colorado?

https://youtube.com/watch?v=ql... [youtube.com]

Re:

[Random361]

like this one filmed in Colorado?

https://youtube.com/watch?v=ql... [youtube.com]

Wow. Never heard about that before. I honestly wonder if a few hellfire missiles would have stopped it.

Re:

[sabbede]

How wasn't that national news? It's like that old movie Tank, but with a less-than-heroic main character.

Re:

[nightflameauto]

It was when it happened. At least it made it to the national news we pick up in the morning.

Re:

[sabbede]

Well, maybe I just missed it. Or forgot about it.

Re:

[cusco]

I remember that guy, he had a hell of a ride for a while. Amazing what a sufficient load of hate and resentment can motivate a person to do.

Class action or Government Involvement?

[bobstreo]

If I were a farmer, I'd be buying old equipment without the "Overlord" interface.

If I had to purchase new, I'd include a rider for legal support in the purchase agreement.

As always, there are going to be some lawyers making enough money to retire forever on this.

Re:

[caseih]

Yes there is a lot to be said for that. Especially if you have the time and inclination to service, repair, and completely rebuild machines. Farm machines do wear out. I know several farmers that farmed with old machines for many years and finally they wore out and they couldn't afford to replace the machines. So there's got to be a balance between being frugal and having machines that are reliable and functioning. We're going through this calculus right now on our farm. Our line equipment is aging a

Re:

[nightflameauto]

When I was farming we had an old mechanic on call that would take a tractor, tear it down to the frame and rebuild it replacing all the moving bits. We had at several tractors fully rebuilt by him, and the price was . . . let's say way less than a new tractor. With the added bonus we didn't get stuck with a computer driven tractor but got back an old known machine in nearly new shape.

Just a thought on how to handle aging equipment.

Of course, we also still ran two old Deere model As that were purchased new

Re:

[inode_buddha]

I remember the big combines at the Illinois fair in 1974. I wonder how many of them are still in use?

The family I grew up working for finally sold the 1955 Case a few yrs ago, still have the 1976 David Brown (in great working condition, perfect for row crops)

Re:

[h33t l4x0r]

I'd just get an ox or two because I'm not a wussy. Let's see China hack my oxen.

Re:

[Random361]

I'd just get an ox or two because I'm not a wussy. Let's see China hack my oxen.

They’re probably working on that in Wuhan.

Re:

[cusco]

Buy old equipment if you prefer, but be prepared for lower yields and lower profits than your neighbors who invest in precision agriculture.

Re:Class action or Government Involvement?

[Z00L00K]

Not necessarily - because with a modern tractor you can't fix it yourself when it breaks down and a standstill of only a few days can destroy the crop causing a lot worse yield.

Old farm tractors are quite valuable these days even if they have quirks and even lacks AC they do the job. There are examples of 40 year old farm tractors going for $30k.

Re:

[omnichad]

There are examples of 40 year old farm tractors going for $30k.

With parts being easily replaced, there's probably very little of that tractor besides the frame that is anywhere near 40 years old.

Re:

[Z00L00K]

You'd be surprised how few parts that actually have been replaced because they were broken on an old tractor.

Re:Class action or Government Involvement?

[caseih]

Besides the odd main seal replaced, perhaps U-joints, tires, hoses, these tractors you see for sale are certainly not mostly replacement parts. In fact, other than the basic components like I mentioned, it's not possible to buy new parts for old machines. If you crack a head, you will need to go to a junkyard and buy one off a scrapped machine. Same with the engine block, transmission housings, transmissions gears, and even the fuel injection pumps. None of those have been made in years. There are a few companies making good money rebuilding injector pumps for old engines since you cannot replace them.

Re:

[caseih]

"Precision Ag" is pretty nebulous and meaningless, to be honest. Most of it is probably GPS steering and maybe variable rate control based on maps. There is often a lot of mapping and data collection being done but honestly most farmers don't use that information in any kind of closed loop. For one, most farmers already know where the variable areas are. For two, no two researchers can agree on what to do about the variability. There are lots of theories of course, but it's really hard to do experiments

Re:

[cusco]

It's not all auto-driving combines. A rather surprising number of small and medium-sized farms in Africa are using drones, moisture sensors, other remote sensors, intercropping, , and soil analysis to improve their crop yields, and now Latin American farmers are also starting to use them. As the IEEE noted Africa has the rather unexpected "advantage" of not having a lot of existing infrastructure needing replacement/upgrading and are leapfrogging the advanced countries in aspects like 5G rollouts (actual

Watch out

[sjames]

Sooner or later the hackers will figure out how to put the farm equipment into Maximum Overdrive.

Is that why my transmission keeps breaking?

[sabbede]

And here I was, thinking it was because the cheap plastic CVT had a poorly designed tension spring held down by a screw too small for the job. Then the damn main drive pulley tore itself apart and I'm still waiting on the replacement. Stupid D105.

I wish it was a computer problem. At least I know how to deal with those, and without scraping up my knuckles or getting grease all over.

Tractors don't need to be on the internet

[omfglearntoplay]

Take them off the internet. Problem solved. There is no damn reason that is good enough to put convenience above the ability to eat. It's not a question of if enemies/hackers/crooks get in, it is a question of when and how bad it is. Pipeline fuel shortage bad? No corn or wheat one year bad?

Re:

[cusco]

It's not a question of convenience, it's a money issue (as in "how much more money can I save/make doing this?") If Deere's analysis shows that you can plant your rows of corn 4 inches closer next year than you've been doing that's a big deal for a 250 acre farm. If the moisture sensors in the north northeast 20 acres shows that area dries out faster than the other 230 acres you can adjust your irrigation or treat the soil there to improve a section which would otherwise have very low yields. If the soil

Re:

[inode_buddha]

If you're too lazy to properly manage 20 acres by yourself then you're in the wrong line of work. Just sayin. From experience.