Researchers presenting at DEF CON 29 used the agriculture equipment company John Deere as an example to show that security bugs in increasingly connected farms could allow hackers to launch devastating attacks against crops, property, or even people.
In a presentation at the conference, ethical hackers from the Sick Codes group warned about the dangers of digital and automated farming, which leaves the world’s food supply chain vulnerable to cyberattacks.
Modern farming is a high-tech industry that uses Wi-Fi, 5G, radio sensors, and big data to improve the efficiency and profitability of growing crops and allow farm operators to monitor and analyze their yields.
There’s a real fear that someone could take over the operation of these machines and harm them or the surrounding people, said Mike Goodman, a tech expert. Denial-of-service attacks could have a huge impact on harvests, and over-spraying with chemicals could poison farmland for years.
“All that needs to happen is for a hacker to upload a firmware update that inserts an offset into the GPS locations used by the target,” the group said. “The target navigates itself into a highway, into a river, through a fence, over a cliff, or whatever. Target is destroyed.”
During the demonstration, Sick Codes was able to modify John Deere supply networks and equipment reservations. The hackers found a misconfiguration in John Deere’s Pega Chat Access Group Portal (CVE-2021-27653) that gave users admin credentials, which granted them access to the platform and allowed them to find additional credentials, as well as the original signature password and encryption certificate.
“We could literally do whatever the heck we wanted with anything we wanted on the John Deere operations center — period,” Goodman said. “That’s where we pretty much stopped because we pretty much had the whole organization.”
Case, a competitor of John Deere, also had plenty of security holes that could allow anyone to access sensitive information, according to Sick Codes. The team noted that its servers are also vulnerable to unauthorized access.
A spokesperson for John Deere said that the company’s security team has been in contact with the hackers from Sick Codes since April “and appreciated the opportunity to mitigate the issues brought to our attention.”