SecurityLedger.com published an article about Farmers using jail-broken diagnostic software for their Tractors. Apparently, some Farmers are frustrated at the high cost of a house call from certified John Deere technicians to diagnose problems with their Tractors; so much so that these Farmers are frequenting websites to obtain jailbroken John Deere software (from an Eastern European source) that would allow them to interface with the tractor and diagnose the problem themselves.
This is bad. Jailbroken software has a high risk of compromise because the user cannot verify its integrity. The same entity who jailbroke the connector/software could have tampered with it to add some extra “features”; or a third party could download the Jailbroken software, modify it and re-upload it with a rootkit pre-installed for anytime access.
This article from Wired mentions a “Tractor hack” done by obtaining a laptop from a friend of a friend with the vendor connectors and jailbroken software pre-installed. Hmmm. I wonder where that came from? Yeah, so if I wanted to have a Tractor-bot that I could control, I might write some software and release it into the wild. So the point being: that laptop itself could be the backdoor to all kinds of badness and infect every piece of equipment to which it connects.
You get it. Installing or using Jailbroken software to interface with a Tractor or Combine is introducing BIG RISK into a BIG MACHINE. What kind of risk are we really talking about? What does Combine software even do?
Looking in the cab, there are on-dash displays of Tillage and Speed Maps, Field Boundaries and Freeform Zones – so an attacker could “re-draw” the field to encompass any area he/she wished, or remove physical boundaries. CROP CIRCLES! Looking at the rest of the tractor, at a minimum the software would control a vast array of sensors that relay data about the various moving parts (tiller speed, motor rpms, heat, oil pressure, etc.), some of which are visible from the cab, while other readouts only the vendor can read.
Newer farming machinery would most likely employ more software-controlled actuators. Actuators control the independent physical mechanisms (on/off/variable speed) of a machine with a control signal. It is not too far a leap, then, if you think about the architecture behind the components of Stuxnet that were designed to spin centrifuges faster and then replay bogus sensor readouts to the operators that read ‘all systems normal’: that same methodology could be used to drive the software-controlled actuators of farming machinery and injure human beings.
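The Stuxnet-style failure described above is detectable from the operator's side: commanded actuator state and the sensor channel that reports on it should move together. The following is an added example, not code from the post or from any vendor; the telemetry records and field names (commanded_rpm, reported_rpm, oil_psi) are constructed for illustration, and the thresholds are assumptions a real deployment would tune to the machine.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: int              # seconds since start (constructed)
    commanded_rpm: int  # what the control software asked the actuator to do
    reported_rpm: int   # what the sensor channel claims the motor is doing
    oil_psi: float      # an independent reading that should move with load

# Constructed telemetry: the operator ramps the motor from 1800 to 2400 rpm.
GOOD = [Sample(t, c, r, p) for t, c, r, p in [
    (0, 1800, 1790, 45.1), (5, 1800, 1810, 45.3), (10, 2000, 1950, 46.0),
    (15, 2200, 2180, 47.2), (20, 2400, 2390, 48.1), (25, 2400, 2410, 48.0)]]
# Same commands, but the sensor channel replays one "all systems normal" frame.
REPLAY = [Sample(t, c, 1790, 45.1) for t, c in
          [(0, 1800), (5, 1800), (10, 2000), (15, 2200), (20, 2400), (25, 2400)]]

FROZEN = "sensor readouts frozen while commanded rpm changed"
MISMATCH = "reported rpm disagrees with earlier command"

def plausibility_alerts(samples, window=4, lag=1, tol=0.15):
    """Cross-check commanded vs reported state; returns sorted (t, reason) tuples."""
    alerts = set()
    # 1) Replay signature: commands vary across the window, readings do not.
    for i in range(window, len(samples) + 1):
        win = samples[i - window:i]
        if len({s.commanded_rpm for s in win}) > 1 and \
           len({(s.reported_rpm, s.oil_psi) for s in win}) == 1:
            alerts.add((win[-1].t, FROZEN))
    # 2) The motor needs time to respond, so compare against the command
    #    issued `lag` samples earlier rather than the current one.
    for i in range(lag, len(samples)):
        expected = samples[i - lag].commanded_rpm
        if expected and abs(samples[i].reported_rpm - expected) / expected > tol:
            alerts.add((samples[i].t, MISMATCH))
    return sorted(alerts)

if __name__ == "__main__":
    for name, data in (("good", GOOD), ("replay", REPLAY)):
        print(name, plausibility_alerts(data))
```

The check only works if the commanded value comes from a path the sensor channel cannot rewrite, which is exactly the kind of separation a vendor-verified build can be held to and a jailbroken one cannot.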
I’ll admit it’s a stretch, but it’s possible. Jail-broken software is sketchy, people – and when you are dealing with a 30,000-pound Combine, you just don’t install software that has not been verified through the vendor. I understand the John Deere service call is expensive. The potential alternative is way more expensive.
Stay Safe and Farm on!