https://www.kaspersky.com/blog/hacking-agriculture-defcon29/42402/
Farm equipment security at DEF CON 29

At DEF CON 29, a researcher explained why agricultural machinery
should be considered critical infrastructure and demonstrated
vulnerabilities in the web services of the main equipment manufacturers.

Enoch Root, October 11, 2021

One of the most unusual presentations at the DEF CON 29 conference,
held in early August, covered farm equipment vulnerabilities found by
an Australian researcher who goes by the alias Sick Codes.

The vulnerabilities affecting the major manufacturers John Deere and Case
IH were found not in the tractors and combine harvesters themselves, but
in the kind of web services researchers deal with every day. The danger,
as the researcher argues, is that these services sit upstream of
multi-ton, very expensive machines, so weaknesses in them could
ultimately put the equipment itself within an attacker's reach.

Modern agricultural machinery

For those unfamiliar with modern farming, the price of machinery seems
astronomical. In his presentation, Sick Codes explained why tractors and
combine harvesters are so expensive: the best examples of modern
agricultural machinery are computerized and automated to a high degree.
He illustrates this with the John Deere 9000 Series forage harvester and
the commercial used to advertise it.

The 24-liter V12 engine and six-figure price tag are not even the main
point. The commercial enumerates the machine's technical capabilities: a
spatial orientation system, automatic row pickup, location sensors, and
synchronization with the truck that receives the cut crop. To these Sick
Codes adds remote control and the ability to connect tech support
directly to the harvester for troubleshooting. This is the basis for his
bold claim: modern farming is entirely dependent on the Internet.

Farming machinery threat model

Unsurprisingly, modern machinery is packed with modern technology, from
conventional GPS positioning and 3G/4G/LTE communication to fairly
exotic inertial navigation methods for determining position on the
ground with centimeter-level accuracy. The threat model Sick Codes
proposes borrows its concepts from IT, and sounds rather alarming once
translated into physical terms.

What does a denial-of-service attack on a field look like? Suppose an
attacker can change a couple of variables in the software that controls
fertilizer application and multiply the dose several times over. That
could easily make the field unfit for agriculture for years, or even
decades, to come.

Or take a simpler theoretical variant: an attacker takes control of a
combine harvester and drives it into, say, a power line. Or hacks the
harvester itself and disrupts the harvest, causing huge losses for the
farmer. On a national scale, such "experiments" could ultimately
threaten food security. Networked farm equipment is, therefore,
genuinely critical infrastructure.

And according to Sick Codes, the protection put in place by the
suppliers of this very technology and infrastructure leaves a lot to
be desired. Here's what he and his like-minded team managed to find.

Username enumeration, hardcoded passwords and so on

Some of the John Deere infrastructure vulnerabilities presented at the
conference are also described in an article on the researcher's
website. Sick Codes started out by signing up for a legitimate
developer account on the company's website (although, as he writes,
he later forgot the name he used). While trying to remember it, he
noticed something unexpected: the signup form queried the API for
username availability on every keystroke. A quick check confirmed
that, yes, the usernames already in the system could be enumerated by
brute force.

Brute-forcing usernames (image caption; source linked in the original post).

The rate limit on requests from a single IP address that such systems
normally impose was absent. In just a couple of minutes, Sick Codes
sent 1,000 queries checking for usernames matching the names of the
Fortune 1000 companies, and got 192 hits.
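The flaw described above has two independent parts, the per-request existence oracle and the missing throttle, and each needs its own fix. The following is an added example, not code from the original post or from the researcher: the lookup API is simulated in-process, and the user database, the candidate wordlist and the client key are all constructed.

```python
"""Username enumeration through an availability endpoint, and the mitigations.

Added example; not code from the original post or from the researcher.
The API is simulated in-process with a constructed user list and a
constructed wordlist, so nothing here touches a real service.
"""
import time
from collections import defaultdict

# Constructed user database (not real accounts).
EXISTING_USERS = {"deere_dev01", "acme_corp", "globex", "initech", "umbrella"}

# Constructed candidate list, standing in for the Fortune 1000 names.
WORDLIST = ["acme_corp", "globex", "initech", "hooli", "umbrella", "vandelay", "stark"]


def vulnerable_lookup(username: str) -> dict:
    """Availability check as described in the post: one bit of truth per
    request and no throttling. A typeahead form that calls this on every
    keystroke is an enumeration oracle for anyone with a wordlist."""
    return {"available": username not in EXISTING_USERS}


class RateLimiter:
    """Fixed-window counter per client key (IP, session, API token ...).
    The clock is injectable so the behaviour is deterministic in tests."""

    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.clock = clock
        self._buckets = defaultdict(lambda: [0.0, 0])  # key -> [window_start, count]

    def allow(self, key: str) -> bool:
        now = self.clock()
        start, count = self._buckets[key]
        if now - start >= self.window_s:      # window expired: start a new one
            start, count = now, 0
        if count >= self.limit:
            self._buckets[key] = [start, count]
            return False
        self._buckets[key] = [start, count + 1]
        return True


def hardened_lookup(username: str, client_key: str, limiter: RateLimiter) -> dict:
    """Two independent fixes. (1) Throttle per client, so a burst of lookups
    is cut off. (2) Answer identically whether or not the name exists; the
    caller learns about a collision only through the verified e-mail flow,
    so the HTTP response carries no oracle even if the throttle is evaded."""
    if not limiter.allow(client_key):
        return {"status": 429, "error": "rate_limited"}
    return {"status": 202, "message": "If the name is free, you will receive a confirmation e-mail."}


def enumerate_users(lookup, candidates) -> list:
    """Attacker loop: every candidate the endpoint confirms as taken."""
    return [name for name in candidates if lookup(name).get("available") is False]


if __name__ == "__main__":
    print("vulnerable:", enumerate_users(vulnerable_lookup, WORDLIST))
    limiter = RateLimiter(limit=5, window_s=60)
    statuses = [hardened_lookup(n, "203.0.113.7", limiter)["status"] for n in WORDLIST]
    print("hardened statuses:", statuses)
```

A per-IP limit on its own is a weak control, since an attacker with a proxy pool simply spreads the 1,000 requests across many addresses; the uniform response is what actually closes the oracle, and the throttle just makes abuse noisier. The fixed window used here lets a client double its budget at the window boundary, so production code would use a sliding window or token bucket.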

The next vulnerability was in an internal service that lets customers
keep records of the equipment they have purchased. As Sick Codes found
out, anyone with access to this tool could view information about any
tractor or combine harvester in the database: the service
authenticated the user but never checked whether the record belonged
to them. The information is also fairly sensitive: the vehicle's owner,
its location, and so on.
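The authorization gap just described is the classic "authenticated but not authorized" pattern: the session proves that someone logged in, and nothing checks the relationship between that someone and the object requested. This added example (not code from the original post; the inventory, owner identifiers and session model are constructed, since the real service's schema is not known) shows the vulnerable lookup next to the object-level check that fixes it.

```python
"""Missing object-level authorization on an equipment-records service, and
the fix. Added example; not code from the original post. The records,
owners and session model are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Machine:
    serial: str
    model: str
    owner_id: str
    location: str


# Constructed inventory: three machines registered by two different customers.
MACHINES = {
    "SN-0001": Machine("SN-0001", "combine", owner_id="customer_a", location="field 12"),
    "SN-0002": Machine("SN-0002", "tractor", owner_id="customer_b", location="barn 3"),
    "SN-0003": Machine("SN-0003", "sprayer", owner_id="customer_a", location="in transit"),
}


class NotFound(Exception):
    """Single error for 'no such record' and 'not your record', so the
    response does not confirm which serials exist."""


def vulnerable_get_machine(session_user: str, serial: str) -> Machine:
    """Authenticated but not authorized: the session only proves that
    *someone* logged in. Any logged-in user can read any record whose
    serial they know or iterate, which is the flaw described in the post."""
    if serial not in MACHINES:
        raise NotFound(serial)
    return MACHINES[serial]


def hardened_get_machine(session_user: str, serial: str) -> Machine:
    """Object-level check: the caller must own the record. The lookup and
    the ownership test fail the same way, and the decision is made on the
    object rather than on a role, so a legitimate customer still cannot
    read a neighbour's machine."""
    machine = MACHINES.get(serial)
    if machine is None or machine.owner_id != session_user:
        raise NotFound(serial)
    return machine


def harvest(get_machine, session_user: str, serials) -> dict:
    """What one account can pull out of each version of the endpoint:
    serial -> (owner, location) for every record it is allowed to read."""
    out = {}
    for serial in serials:
        try:
            m = get_machine(session_user, serial)
        except NotFound:
            continue
        out[serial] = (m.owner_id, m.location)
    return out


if __name__ == "__main__":
    probe = ["SN-0001", "SN-0002", "SN-0003", "SN-0004"]
    # customer_b iterating serials gets everyone's data from the vulnerable version ...
    print(harvest(vulnerable_get_machine, "customer_b", probe))
    # ... and only their own record from the hardened one.
    print(harvest(hardened_get_machine, "customer_b", probe))
```

The check belongs in the data-access layer, next to the query, rather than in each controller that happens to call it; a service with dozens of endpoints and one missing check is exactly how this class of bug ships.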

At DEF CON 29, Sick Codes revealed a little more than he had written
on his website. For instance, he also gained access to the service for
managing demo equipment, complete with the full demonstration history
and personal data of company employees. Lastly, his colleagues found a
hardcoded admin password in the corporate service Pega Chat Access
Group. Through it, he obtained the access keys to John Deere's client
account. Sick Codes did not say exactly what these keys open, but it
appears to be yet another set of internal services.
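A hardcoded admin password is the kind of defect that a pre-commit or CI scan catches cheaply, long before a researcher does. The following is an added example, unrelated to the original post, to Pega or to John Deere's tooling: a minimal pattern-based scanner for literal credentials in configuration and source, run over a constructed sample file. Regex scanning is a first pass, not proof of absence; it misses credentials assembled at runtime or passed positionally, so it complements rather than replaces a secrets manager.

```python
"""Scanning configuration and source for hardcoded credentials.

Added example; not code from the original post and not related to any
vendor's tooling. The sample config below is constructed.
"""
import re

# key = value / key: value, where the key ends in a credential-ish word.
# Group 2 is the keyword, group 3 the assigned value.
KEY_RE = re.compile(
    r'(?i)([\w.\-]*?(password|passwd|pass|pwd|secret|api[_-]?key|token))'
    r'\s*[:=]\s*["\']?([^"\'\s,;]+)'
)

# Values that are references or placeholders rather than secrets:
# ${ENV_VAR}, <fill-me-in>, ***, changeme, xxx, todo.
PLACEHOLDER_RE = re.compile(
    r'^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]+>|\*{3,}|changeme|xxx+|todo)$', re.I
)


def find_hardcoded_secrets(text: str) -> list:
    """Return (line_number, keyword, value) for every credential literal.
    Comment lines are skipped; placeholder values are not reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for m in KEY_RE.finditer(line):
            value = m.group(3)
            if PLACEHOLDER_RE.match(value):
                continue
            findings.append((lineno, m.group(2).lower(), value))
    return findings


# Constructed sample: a properties-style file with one environment
# reference, one placeholder and two real literals that must be flagged.
SAMPLE_CONFIG = """\
# constructed sample, not a real configuration file
db.host = chat-db.internal
admin.password = Sup3rS3cret!
api_key: "${CHAT_API_KEY}"
smtp_pass = changeme
service_token=eyJhbGciOiJIUzI1NiJ9.e30.constructed
"""

if __name__ == "__main__":
    for lineno, key, value in find_hardcoded_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: {key} = {value!r}")
```

Running it on the sample reports the literal admin password and the literal service token, and stays quiet on the `${CHAT_API_KEY}` reference and the `changeme` placeholder. Wire the function into a pre-commit hook or CI job that fails the build on any finding, and keep an allowlist for the rare documented false positive rather than loosening the patterns.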

For balance, Sick Codes also presented some vulnerabilities affecting
John Deere's European competitor, Case IH. There he found an
unprotected Java Melody server monitoring some of the manufacturer's
services; it exposed detailed information about users and showed that
hijacking any account was at least theoretically possible.

Contacting the companies

In fairness, it should be noted that Sick Codes draws no direct link
between the threats described above and the vulnerabilities he found,
perhaps so as not to endanger ordinary farmers, or perhaps because he
found no such link. But from the trivial security flaws he presented,
he concludes that the security culture at these companies is low,
which lets us assume that direct control over the combine harvesters
is protected no better. That, however, remains an assumption.

All of the vulnerabilities in John Deere's services have since been
fixed, though the disclosure process had its caveats. The manufacturer
had no dedicated channel for reporting vulnerabilities. Sick Codes had
a brief exchange with John Deere's social media manager, who asked him
to report the vulnerabilities through the company's bug-bounty program
on HackerOne; no such program existed at the time. A vulnerability
rewards program was eventually introduced, but participants are
required to sign a non-disclosure agreement.

  * critical infrastructure
  * DEF CON
  * vulnerabilities