A video recently went viral, showing the classic 90s video game Doom playing on the screen of a 4640 John Deere tractor’s display screen.
The video from the annual Las Vegas cyber security event known as DEF CON shows ‘Doom guy’ holding the steering wheel of the green tractor while driving through a field, with the words John Deere watermarked across the top of the display. While the image itself is quite innocent, its true meaning presents an important question to the Agriculture Industry, can you hack into the food system?
The presentation at DEF CON by an Australian hacker known as Sick Codes is one of the first public efforts to hack John Deere’s farming equipment, with the goal of the presentation to ‘jail break’ the 4640 John Deere tractor display.
‘Jailbreaking’ is a term to describe the removal of restrictions that hardware manufacturers have put in place to stop hardware owners from running unauthorised software on the device’s hardware.
Why is this viral act a cause for concern?
The ability to remotely install Doom and run it on a device shows how deep in the source code a hacker can gain access to and control the vehicle. Once this point has been reached, the hacker has conquered the device in terms of hacking; and has full control over the device.
John Deere said, “the hack, which involved physically accessing a unit that was not connected to the internet, did not put any customer or dealer’s equipment, networks, or data at risk”.
While this may be true, most farming equipment sold in Australia during the last 20 years relies on the technology built into it, and the operating system this equipment also relies on is of the same age. As more internet connected AgriTech is integrated into these systems, the risk of a hack increases.
As we equip our farms for increasing autonomy with sensors, artificial intelligence and robotics, cyber security threats become a real issue in food production. Protecting our Food and Agribusiness sector from cyber threats will require equipment manufacturers, third-party AgriTech developers, and farmers to implement new system controls and adopt similar cyber security standards to other industries to protect hardware and data from attack.
The AgriFutures “Cyber security threats” report, prepared by BDO outlines the scope of threats to Australian Agriculture and provides recommendations for embedding controls into businesses that self-manage their cyber security.
Attacking the 4240
To demonstrate this jailbreak, Sick Codes gained physical access to the 2630 and 4240 John Deere model terminal hardware. It took months for Sick Codes to find a bypass in the John Deere dealer authentication requirements and to make these exploits work. He soldered a custom controller directly on the board to bypass the system’s security protections. To start the exploit, he bypassed the dealer authentication process and commenced a reboot check to restore the device. By doing this, a terminal opened and acted as a certified merchant account; this privilege escalation allowed staging for further exploits. With greater privilege, Sick Codes could parse through the device's historical logs and discover another potential timing attack. These timing attacks existed on the unpatched Linux, and unsupported Windows CE systems run on the 2630 and 4240 terminals.
Sick Codes explains that eventually, it will be possible to greatly simplify this process by building a tool to perform it faster. It may take many months to find these exploits, but once discovered, they can be exploited at will until they are patched. Exploits like the ExternalBlue exploit the NSA discovered may go unknown to the public.
The John Deere systems are running old and depreciated WinCE operating systems. There are multiple publicly known exploits available in the public domain for this operating system which makes tractor systems running these operating systems vulnerable to cyber attacks.
Cyber security is a significant and growing threat to the Australian Agricultural industry; during the 2019-2020 financial year period, it was the sixth most likely sector to record a data breach.
We are already starting to see attacks on food supply chains in Australia. In July 2021, the JBS facility at Dinmore (west of Brisbane) and 46 other sites across Australia were forced to cease operations due to a ransomware attack.
So, it begs the question, how long does Australia have until we go from Denial-of-Service (DoS) attacks from ransomware, to DoS attacks from interrupting a tractor’s guidance system and sending it ten metres off course into a river or causing an autonomous chemical spraying tractor to spray inconsistently? How long before the attacks are not our banks and infrastructure facilities but our AgriTech?
Next steps for your organisation
As cyber attacks continue to increase in complexity and sophistication, it is important to understand what the potential cyber risks are in your systems and environment and implement appropriate cyber resilience so you can respond to and recover from a cyber attack as quickly as possible.
BDO’s Cyber Security team can assist with all layers of cyber security, consisting of risk management policies and strategies, all the way through to penetration testing and incident response planning. BDO is well equipped to support Australia’s agricultural sector and we can help you understand your cyber risks and implement cyber resilience strategies to minimise the impact of a cyber attack on your business. Contact one of our dedicated cyber security advisers today.