The good news out of Ukraine this week was that thieving Russian troops who made off with millions of dollars of John Deere agricultural machinery were left stuck with a bunch of useless hardware, after the gear was remotely disabled by the manufacturer which, CNN reported, tracked the movement of the stolen equipment via GPS sensors on the hardware.
“The equipment now appears to be languishing at a farm near Grozny. But the contact said that ‘it seems that the hijackers have found consultants in Russia who are trying to bypass the protection,’” CNN reported. Though it is making news now, the theft happened in March and was first reported in early April.
The bad news? The very same features and capabilities that enabled John Deere and its dealers to disable the stolen hardware could lay the groundwork for a disastrous cyber attack on the agricultural sector, in which state sponsored actors or even cyber criminal groups brick critical farm equipment at crucial moments in the planting or harvesting season.
Growing Threats to agriculture
CISA, the Cybersecurity and Infrastructure Security Agency, has warned repeatedly about the possibility of devastating Russian cyber attacks on U.S. critical infrastructure in retaliation for U.S. and Western nations’ military support of Ukraine’s army.
And we’ve already seen early signs that the agriculture sector is “in play” for cybercriminal groups – many with sympathies for the Russian government, if not direct links to it. After a string of ransomware attacks on grain coops in September and October, the FBI recently warned of more cyber attacks targeting the agricultural sector as planting season commenced.
What’s missing from the FBI’s warning, however, is the exact risk that the story out of Ukraine raises. Namely: direct cyber attacks on agricultural equipment in the field. These attacks would be enabled by the same platform that was used to frustrate thieves in Russian military garb, according to experts in agriculture and information security who have studied the problem.
Many ways to (remotely) kill a Deere
The researcher who goes by the handle Sick Codes said that it is unclear what method John Deere used to disable the Ukrainian tractors, but that the company had many different means at its disposal to do so.
“(Deere) basically has remote desktop access to the equipment,” he told Security Ledger. “They can access these devices at any time.”
Shutting down the tractors, which were stolen directly from a dealership, could be as simple as blocking an activation code needed to start the device or revoking licenses on the firmware that the tractors run. On the more disruptive end, Deere could push software updates that would disable key features needed to run the tractor or wipe the operating system from the equipment entirely, he said.
Ghost in the (Farm) Machine
The fate of a few combines and tractors in Chechnya is of little consequence. The bigger issue, experts say, is what a motivated actor could do to hundreds or thousands of pieces of equipment. And, here again, there is reason for concern.
At last August’s DEF CON conference, for example, a team of researchers presented information on a range of flaws in John Deere software and services, including holes in public-facing web applications like Deere’s JDConnect and the John Deere Operations Center. The work, also by Sick Codes (@SickCodes), and researchers from the group Sakura Samurai including wabaf3t; D0rkerDevil; ChiefCoolArrow; John Jackson; Robert Willis; and Higinio “w0rmer” Ochoa uncovered 11 other flaws in Deere software and applications and that the group shared with the company as well as CISA, the Cybersecurity and Infrastructure Security Agency.
Attackers who gained access to Operations Center wouldn’t merely be able to manipulate Deere equipment in the field, they would also have what amounts to a pin-point accurate map of (late model) Deere hardware deployed around the world, Sick Codes said.
At the upcoming hardware.io conference in Santa Clara, California in June, he will present research documenting serious security flaws in John Deere’s Telematics Gateways and the John Deere Gen4 Series Display. “I was pretty surprised to find the vulns (vulnerabilities) that I found,” he told Security Ledger. He said he has been working with Deere to address some of the security issues he found.
“We rooted Operations Center last year. You put this year’s work with last year’s and you have the whole company,” he said.
In an email statement John Deere said it is “fully committed to protecting our customers, dealers, products and infrastructure.” “Our investment in the security and resilience of our digital ecosystem is a key component of that commitment.” The company noted its partnership with HackerOne, which hosts a bug bounty program for Deere’s software, as well as “other independent security researchers/firms to proactively identify, triage and manage potential security risks.”
“Deere values these relationships and appreciates the principled nature of these interactions, and the mutual respect demonstrated by both Deere and the research community. Security is an important element of the quality products and services our customers have come to expect from John Deere, and we are willing to work with any ethical researcher committed to helping us continuously improve our program,” the company said.
Concern about systemic risk to agriculture
Consumer advocates have been raising alarm about the risks of undue concentration in the agricultural equipment sector in recent months. There are just a handful of firms making heavy equipment for farming. Their business models increasingly lean on tightly controlled ecosystems for repair, maintenance and service that are enforced by software locks. By one estimate, Deere’s profit margins on service and repair are three times that of equipment sales.
The company’s stranglehold on farmers has spawned class action lawsuits filed by farmers across the country in the last few months. The suits allege that Deere has created an anti-competitive monopoly on servicing and repairing its equipment.
But anti competitive behavior is, in some ways, the least of it. The US agriculture sector has become highly concentrated in the last 50 years. An Open Market Institute report in 2019 found extreme market concentration in industries like meat production and dairy. There were close to 650,000 dairy farms operating in the US in 1970. Today, there are just 40,000. Market share for the largest four U.S. corn seed companies grew from 59 percent in 1975 to 85 percent in 2015. That makes the U.S. vulnerable to what experts like Molly Jahn, a program manager in the defense sciences office at DARPA, call “cascading effects” of cyber attacks.
At the same time, in an effort to exert ever tighter control over sold equipment, and to harvest valuable data from its customers, vendors like Deere have built systems that are exquisitely sensitive to attack.
Cade, for example, notes that control over late model farming hardware, as well as vital data collected from that machinery about conditions on individual farms is all managed centrally by Deere. The company also uses just one cellular network – AT&T – to communicate with equipment in the field, Cade notes. All of that consolidation sets the stage for massive disruption, should a capable cyber adversary decide to target that infrastructure.
A better and more resilient system might allow farmers to choose what kind of mobile telematics gateway and wireless network to connect their equipment to – or not connect their equipment to. It might also allow farmers send their data to organizations other than Deere itself. For example, farmers might set up data coops, akin to grain coops – that aggregated data from area farms and managed it locally. Such a system would be far harder for an adversary to disrupt, Cade said.
“If they hack this stuff – that’s our food supply,” he said.