Good afternoon, everyone. Welcome to the Agricultural Data Arms Race. I'm your host, SickCodes, and today we'll be exploiting a tractor load of vulnerabilities in the global food supply chain, in good faith. So I just want to start off with a quick photo. It's from about the 1960s, and it's a farmer using a hand tractor. This is a hand-operated tractor, as you can see. Compare that with the brand new John Deere 7450 ProDrive autonomous forage harvester, with GPS sensors all over it, a chainsaw pretty much at the front, and weighing over 10 or 15 tons. So this is a monster of a device. Like I said, it's autonomous, so it can run off on you if it's in the wrong hands.

So I just want to start by saying none of the research today was paid for. It's all done in good faith, and nothing today represents me or any of the people involved, our employers, past employers or future employers. We're not under any gag orders. The only thing we are sort of wary about is vulnerabilities that we can't mention, that we would like to mention, that are still ongoing with some vendors. All the content in these slides is Creative Commons Zero, apart from any other stuff that relates to other brands, and in that case all trademarks, logos, and brands belong to them and remain the property of their respective owners.

Just quickly on myself: I'm a good hacker man. I've got a GitHub, a Twitter, a newly built LinkedIn, and I've got a couple of massive projects. My biggest project is probably Docker-OSX, 15k stars on GitHub and 100k Docker pulls. So it's pretty much just QEMU and macOS, but you can do a lot of stuff with it, including iMessage, for security research purposes only. I just want to start by showing you a quick map, emphasizing the amount of brown little spots all over the place, and what these are, if you don't know already, which a lot of you might know, is farms.
You can actually zoom right into those farms, and I don't want to obviously dox anyone, but if you were able to access all those farms, you would be able to do things like overspray chemicals onto the field. So if you were able to overspray chemicals on the field, you could permanently deny service to that farm by simply overspraying one season, by literally loading up the fertile ground with too many chemicals, and then the next year, or even the next 50 years, it will be unfertilized or unsuitable ground for use. So you could permanently deny service to a farmer's crop with literally a few lines of malicious code. So that's what I'm trying to get out here: that denial of service is a huge impact for the agricultural industry. So, for example, coming up to harvest season right now is winter wheat harvest for some farmers, depending on where you are in the US, but you can actually deny service to those farmers, and that also occurs during seeding time or planting time, and also spraying time. Any one of these parts of the supply chain of food and ag, every single one of those parts, needs to be on a 99.99999 SLA. If it does go down, farmers will tell you that they're pretty much screwed for that season, and they can lose crops, and some of the crops cost hundreds of thousands of dollars. And if that information, or the login details or something like that, was provided to a third party, aka a state actor, they could do something like a malicious update to the tractor, they could play with the ECU, they could send it into overdrive, they could drive it to the wrong location, they could send it in to plant the wrong field. Most disturbingly, one of the guys mentioned this on my blog earlier: that they could offset the tractor by x amount of degrees or coordinates and actually drive the tractor onto the highway, into a river, through a fence, another example of permanent denial of service.
So what we consider, you know, downtime at a website for five minutes might be the difference between tractor driving, AutoTrac goes off, tractor keeps driving, tractor hits tree, or it just hits someone. And the big question here is why did we actually start looking at agriculture, and why is it such a big issue, and why didn't a lot of people start looking at it? The main reason was that nobody else was actually looking at it. So that's probably the biggest reason, and the biggest reason that I started looking at it was someone who I know very well, named Paul Roberts from The Security Ledger, mentioned to me that, hey, it's really weird that there's no CVEs in John Deere's products. They go, what does John Deere actually have? And then I thought about it for a bit and did a bit of research, and he introduced me to a couple of guys. One of the guys, namely the first guy that I met, was Willie Cade, and his grandfather was actually on the board of directors at John Deere, and his grandfather actually had patents with John Deere, including this manure spreader that's down there in the bottom left. Willie obviously knows a lot about farming and a lot about the history of the activities of some of these farming companies, all the way through to a fully autonomous, GPS-controlled motherlode of just steel and aluminium and danger, and also the emphasis on relying on all this equipment to feed every single one of the people in the world, and not just that, but also to feed, you know, all sorts of different industries: biofuels, biogas, carbon emissions, etc. The second guy that I was introduced to is Kevin Kenney, who's a big right-to-repair enthusiast, as is Willie. Kevin lives in Nebraska; he's an engineer and a farmer. This photo is from a Bloomberg article that he did in relation to how John Deere is screwing over a lot of farmers, and you can see kind of the gravity of what's going on by the size of the wheel that he's sitting in.
These aren't ordinary wheels, you know; they're not cheap to replace either. I'll just quickly breeze over the hackers: we've got myself, Wabafet, D0rkerDevil, John Jackson, John J. Hacking, Red Jaxx, which is Robert Willis, we've got Werma, Chief Cooler, who is, he's currently MIA, I don't know where he is, and Kelly Carrotis, who also helped us in our previous project. So every single farm is connected, whether it be through 5G, which is incoming obviously; we have LTE, 4G; we've got 2G and 3G, the older connections or slower connections. LoRa works out in the field because there's no obstructions and everyone can actually communicate over long, long distances, and there's no obstructions usually on the farm. Obviously we have Wi-Fi, there's GPS involved, GPRS, which is still involved in Ukraine, and then we've got three different types of major corrections that I've mentioned, called WAAS, RTK and NTRIP. So WAAS and RTK are radio based, but then there's NTRIP, which is kind of like NTP, so they're basically ping-based location information, so pretty much pinging back to servers or Wi-Fi signals to be able to find your device based on triangulation of that ping time. This is a rough diagram, not to scale in any way whatsoever, but that's GPS, and then we use GPS plus another one of those correction signals to actually triangulate the exact position of the device. And you can imagine planting and not having that sort of accuracy: we're planting every seed, you know, for example, or every row might be dipping into the next row or the row before it. And the data, what does it do? Well, it provides the price of corn.
Corn is used in both ethanol production, and it's also fed to cows to make livestock and other types of beef and pork, etc., but it's also used in ethanol, and all that data is also considered somewhere or another a trade secret, considering all the data that a farmer gets, which is in the scene top left of the image: that is actually the row with an overlay of the farm getting, it's quite dark, but it's an overlay of the farm getting planted. And you can see that that data is technically a trade secret, and who has access to that data? Because all that data at the moment, as you can imagine, is getting shoved back through a 4G or LTE connection, or until the farmer gets back into range, and it'll get sent back to the operations center, which John Deere owns, and that's called the John Deere Operations Center, which we hacked into, and we're going to take a bit of a look.

So the biofuel sector is a sector of the agricultural industry that relies on amassing carbon dioxide from the atmosphere and then burning it as biofuel, and this is the winners of the peed background obviously, and in the bottom it's been uses of vineyard at some point in time, I don't know if it's the exact one, that looks good. Other uses of the data include carbon credits, the carbon offset market, and a guy named Shannon Segwick, who's a farmer in Australia turned managing director of a couple of ag security companies, mentioned this to me, and I thought about it and looked into it a bit more, and apparently it's mandatory in some places, for example Australia, depending on which industry you're in, and it can be voluntary. So if that data were to go missing, okay, so if that data was to go missing through some sort of attack, then that would be catastrophic for that sort of government-rebate-based industry or mandatory industry.

Now you can actually simulate (this is my developer account at John Deere) those devices that I showed you earlier in the tractor cab, so you can simulate, for example, a self-propelled forage harvester, and I'll give you an example of one now. Now this is one, this is a big, powerful, probably 300, 400, 500 horsepower machine. It just shreds, eats up everything that it comes into contact with, and that there gets used as forage, which forage is usually used as feed or biofuel or biomass and things like that. And basically you can have a look at the big teeth on it; it will shred anything that it comes into contact with. That's the 9000 series. It's got AutoTrac, so that will automatically drive and steer the tractor for you and will stay in line using AutoTrac. Auto fill: it will automatically calculate how far it has to shoot the auger. And it's got a display, it's the 4640, based on Yocto Linux, which we'll get into later, and it's covered in sensors and all this sort of stuff, and it will automatically adjust and change speed, and then it'll line up with the cart next to it, the grain cart, and make sure it's all lined up. It's all autonomous. And see the big yellow dome, it's pretty small, but it's on the top of the head of the tractor: that's the GPS unit. It's got auto lock for staying in line, and then all that data gets sent back to your Windows 7 computer at home, Windows Vista, and that gets translated through to someone at Windows 10, the John Deere Operations Center, someone manually handling the data. We've got some awesome features like John Deere Connected Support, where someone out in the middle of a field in an undisclosed location can actually log into your tractor and control it remotely, per se, which is fantastic. As you can see, we've got remote access, so we just remote into the tractor at any time, and that includes staff members. So there's two massive things I want to point out on that remote access display screen: one, you can send files to the tractor; two, it was copyrighted 2014, so it's quite old; and three, you can remote access the tractor. That's really important, because what we'll show you soon is that we were able to manipulate this in some way, and then John Deere service support, also, obviously, if there's a threat actor on the inside, they could just automatically access anyone's tractor through the master dealer service admin portal, which is fantastically set up so threat actors can do little amounts of damage psychologically.

So then I just started to dip my feet in, and basically I'm just going to quickly glance over the first vulnerability, which was a username enumeration one, where I could obviously enumerate usernames based on that, and I got the Fortune 1000. I won't go into it because it's kind of boring, but I got the Fortune 1000 CSV file, submitted that as an API request, and got back 20 percent of domains, sorry, 20 percent of those accounts being registered. This is me adding pieces of equipment to my farm that I technically don't own, for research purposes, but I've just picked up these numbers from an auction website, and there's a lot of data involved. So all it will say is this machine has already been added; a bit in the response, there's a ton of data, so all it will say is "equipment already exists". And I've had to skip a little bit here because there's a lot of PII, including first name, last name, address line one, address line two and everything like that, and I've had to skip that, obviously, because it's PII. So Vice covered this; a writer named Lorenzo, great guy, he covered it, you know, the story: bugs allow a hacker to dox all John Deere tractor owners. So originally the article did say "all", but John Deere apparently reached out to them, as opposed to reaching out to us, and said that it's only some tractors, and the actual conclusion there is it's only new tractors, which is probably even worse. So shortly after that, a hacker named Wabafet reached out to me and told me he's got five XSS vulnerabilities in the John Deere website, and I asked him if he could reach out to me on Signal so we can have a look, and that's when we found out his motives. So I said to him, there's a really funny comment where I said, fuck doing this for free, where he said, well, at the end of the day I'd rather do this for free than lose food, and someone's going to save their dumb asses. And he obviously mentioned it's John Deere, and he said that he's got vulnerabilities to report, and we tried to report it to John Deere, so we were granted safe harbour, which means we can do whatever the hell we want, as long as it's in good faith, and they won't do anything in terms of legal issues.

So once you click that link, it brings you to their website, and that allows you to submit a form, and then that form gets you onto their HackerOne program, of which I was the first researcher in, and I've now since left the program because it's an NDA program, there's no bounties, they've got swag apparently now, which I don't give a shit about because I don't want to give my address to them. But here's the first vulnerability, the XSS. So basically it's just a DOM-based XSS, which I'll get into later, but this is just me pretty much showing you the XSS. Obviously XSS is a really basic vulnerability, but what it does show you is that they're not taking into consideration basic vulnerabilities; they're not taking into consideration the fact that somebody can just literally produce basic, you know, 2015-level XSS on one of the major parts of the website. What would be my major is it's a supply network page, and I could just log in as a guest, or not even log in, and we can also see the dev or QA part of the supply network, which was even more exciting. So this is the John Deere Supply Network page, where you can do the new functionality: just supply a purchase order number and receive all the information back related to a purchase. It's for suppliers only, but we were able to access it, of course, and as you can see here, this is me just putting in a star, and then the response, apparently for some reason, gives you an invoice number of 0106, which we then further used to try and enumerate other invoice numbers in some way, and we ended up seeing that it's an IBM DB2 database, which I didn't have much knowledge about, but what it did do in the response is give us a really nicely constructed error message that shows the offending query, and showing that we're able to sort of inject it in some way, because that was not the original query whatsoever. And some more errors from John Deere, copyright 2011, and for some reason they still had the 1999 version of that portal up with lots of cool different buttons we could press, and the single sign-on didn't work, so I don't know why it was still up, or we didn't test it enough, but that should probably not be there; as you can tell, it's quite old. John Deere employee access, which we obviously shouldn't be able to just enter; it's the John Deere University. That's the John Deere machine book. This is a really funny device actually; this is the place where you go to book machines, demo units, to provide to farmers, like YouTubers or something like that, like influencers, or demo units to whatever, and there's a little DOM-based XSS that we've put in the bottom of the reservation page. You can see there it's got the backtick, and sorry, it's got the double quote and the right arrow. So not only that, but we were able to book units, expect units, we're able to cancel appointments, reassign tractors to certain locations, which doesn't sound exciting, but what we did do, which was kind of exciting, was we just injected the database and pulled out every single row for every single session. But yeah, we could see every demo unit that was ever provided and all the John Deere names and email addresses that were used to book those units.

Then we found something specific. Okay, so this is the Deere single sign-on sample edge server instruction README file. So John Jackson and Red Jaxx discovered a CVE in the platform named Pega, and what it is is like a default admin credential style bug, where if you don't change it you pretty much just give everyone access to your remote Pega server. That's what we did. It's got a 6.6 for some reason, and this gave it a 4.9; I'd probably give it a 7 or an 8 depending on what the company is, but in this case it completely destroyed integrity and confidentiality of John Deere's one. As you can see, we had access to the single sign-on, the SAML; there's a John Deere backup part there; we've got the request approval; we've got all sorts of cool stuff. There's the edge server we got from there, and then, interestingly, from that information we've got some administrative Pega credentials. As you can see, I've got to blur out the password and the system ID name and the time difference and all this sort of stuff, just to make sure you can't, I guess, replicate it, but it's the process Pega commander. Secondly, we've got a portal admin server data administrative account credential password here as well, which is ridiculous; we shouldn't have this. We've got a security audit log, which we should not be able to view, and we could see ourselves in there, and then Pega admins logging in for some reason. And then we had this gold piece of whatever the heck it is. It is their Okta signing certificate, I believe. So what we've got blurred out is the ID number that relates to their Okta account. We've got the KMS, which is there; I guess it's the Pega administrative Okta address URL that goes to sign tokens, etc. We've got the original signature password blurred out, we've got the prod symbol there, so you know what's in use, we've got the original decryption password also blurred out for obvious reasons, with the signing certificate details, and you can see clearly that it's John Deere, it's Okta related, and furthermore, I believe let it out once for some reason, and we'll get the single sign-on SAML URL related to John Deere's side. And then down the bottom we've got a decryption certificate and a beautiful expiry out to 2029.

From this, just backtracking, this can pretty much allow us to upload files to any user, log in as any user, destroy any farm, run any farm off the road, upload whatever we want, download whatever we want, destroy any data, log into any third-party accounts. We could literally do whatever the heck we wanted with anything we wanted on the John Deere Operations Center, period. And that's when we pretty much stopped, because we pretty much had root on the whole organization. And obviously we gave all this information directly to John Deere in record time. We actually had to get CC involved because they were not responsive, and CISA actually took over for a bit and helped them remediate the vulnerabilities.

Then we move on to the second manufacturer. So Case IH. This is the last one we'll look at, because we've only got 20 minutes and the other ones aren't actually fixed yet, but Case IH is probably the biggest competitor. So it's Case International Harvester plus New Holland; they're all amalgamated, they like to buy each other out, and they're also super connected tractors. It's the Magnum series with, I guess, a Trimble display, same sort of stuff, but that's an Android-based one. Fantastically, again we've got remote access, 300 miles away; I think you can get access from a little bit farther away than that, but your Case IH dealer will be able to access your account remotely from just literally just the ID of your account. And that's the guy; then I'll just mention this briefly because he's got 24 pens and he's a little pen holder, I just think that's funny, but yeah, he's controlling tractors, so worry about that. This is the JavaMelody server that we found with Case IH. Yeah, we could just browse the JavaMelody server for your sessions. This is all Brazilian data for some reason. I forgot to blur out his IP, but basically he's a Chrome user, I've got his session ID, so I can obviously just, you know, replicate that session; I could just log in as that user by duplicating, just copying, that session ID in the top left that I've blurred out. Then there's a list of sessions and how old they are and all the attributes allowed to them, or sorry, attributes assigned to them, like, you know, username, first name, last name, etc. I'll just show you another user we're looking at here; it's got the full name, bottom right, which I have to blur out obviously; scope, so what they're allowed to use; and then they've got the session ID again and their IP address, and this is all publicly accessible, which is ridiculous. And then the bottom of that JavaMelody, if you've used it before, there's a couple of cool functions; you can do all sorts of cool shit, like invalidate all the sessions or execute the garbage collector, or you can even reboot it, which we accidentally did, for research purposes only, or we killed one process, and then it took a while, came back on the next day. But yeah, just by having that, just as an example, that's an example of a denial of service that was done in good faith; obviously it was accidental. We can see a lot of stuff we can do with JavaMelody. First of all, it shouldn't be exposed; second, we shouldn't be able to invalidate everyone's sessions, and we shouldn't be able to see them either. And then I'm just honing in on the invalidation there.

So we actually had a lot of hard time getting into contact with these companies. I'm talking like, we're talking like, weeks to getting in contact with these companies. Absolutely ridiculous. This is an email that we sent in April, printed out, bound into a book by Willie and hand delivered to the John Deere headquarters, because they wouldn't reply to us in any way, shape or form, just reminding them that we've identified a ton of risks, mainly that we can log in as anyone in John Deere's platform, and that that should probably get looked into, and we hand delivered this one. So this is a photo that Willie took of the CNH headquarters, up the road from his place in Illinois, and you can see there it's got a security office, so that's obviously where we dropped it off. COVID restrictions were in place, so it was pretty hard to get in touch with someone there, Willie said, but he eventually handed it off to someone who had no idea what they were doing with that, and we didn't actually hear back from them about this. So we ended up getting through to them in the compliance portal, weirdly enough. But the only way to get in contact with Case IH: I rang them a few times, they were extremely rude, I put the phone calls on my website, they're hilarious, they're actually like bizarre, the way that they spoke to us. But the way that I got into contact with them is through this weird link in their compliance and governance page called the CNH Industrial Compliance Helpline dot com. So when you go to that website, you get redirected to a third party called NAVEX Global, who's very popular in this sort of field; EthicsPoint, it's called, where you can get in touch with a third party that will relay info back to the manufacturer. And we ended up chatting to them and asking them, you know, is it safe to provide the reports over this channel? They said, we are Case. I said, are you sure? It looks like NAVEX to me. But yeah, apparently that actually worked, and eventually we got in contact with them, they fixed them, and then we never heard from them again.

Just back on John Deere, and I'll just finish with this unit. This is the MTG 4G LTE gateway. This is the brains of the device; this is the brains of every tractor; it goes on every tractor, and apparently it goes on buses, as you can see in the top left-hand corner. This is a fully loaded device; it runs Yocto Linux, certified in 70 countries, whatever that means, a full IP67 container, so it can run in, like, snow or, like, super heat. It's got a SIM card, it's got satellite connections, it's got Wi-Fi connections, it's got Bluetooth connections, and here's what it looks like with the IP67 case all hooked up, and here's what it looks like with a JTAGulator hooked up to it. And we pretty much still haven't got access to this device; it's proving to be a little bit difficult, and I actually spoke to the guy Joe Grand, who made the JTAGulator, about it, and he gave me some pointers about it. The easiest way to get around it would probably be just to ask John Deere for the source code, so that's what's ongoing at the moment. Apparently we're allowed to obtain a complete copy of the corresponding source code for the entire device, which I've sent for about two months ago, and I'm still waiting, and apparently it's in the works, and they've said to me that I'm getting it in a few weeks. And I don't understand how it could take a few weeks to desanitize a source code project, where someone prior to me has probably actually asked for this source code, so they should have it just on hand. I don't really understand how it can take weeks to get a GPL request done, and secondly, it's available to anyone who receives this information, so you don't even need it, and apparently they were asking us for serial numbers and stuff, and what's our serial number, but I refer to the offer, I refer to their offer, which is valid for anyone in receipt of this information. What I found actually delving into this device is it's got a Qualcomm chip in there, and we all know that Qualcomm has serious problems at the moment, the MDM9215 chip specifically, along with about 70 chips that run, like, Snapdragon and things like that: pretty much a monthly CVE roster for these devices, like critical, critical, critical and high ones. And so it says at the bottom there, OEMs have been notified and encouraged to patch these issues, so I'd say if you're not being encouraged to patch the issues you're actually insane, because these are ridiculously vulnerable bugs. You can see the top one there, 2020, and the bug was actually published in the middle of 2021, so it's a serious critical vulnerability that there's not much information about, but just patch, patch, patch.

And I'll just say thanks to everyone for listening. This was originally a 45-minute talk. You can visit us on Twitter, we've all got different Twitters, you can Google us, and thanks everyone for watching, and I hope you guys have a great end of your DEF CON and get involved with the farming industry. There's no barrier to entry; it's a really cool industry to get involved with; there's a lot of YouTube videos about how things work, and you can really find out some interesting stuff and get some value out of hacking farms, because all the work that you do is pretty much used to feed everyone. So fantastic, and have a great night everyone, and thanks for listening to the talk.
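Editor's added example (not part of the talk, and not John Deere's or any vendor's code): the talk describes an equipment-registration API whose reply ("equipment already exists" versus a normal add) tells an unauthenticated caller whether an identifier belongs to a real customer, and a Fortune 1000 list used the same way against account names. The Python below shows that response-oracle pattern in miniature beside a uniform-response handler that removes it, plus a log check a defender could run to spot list-driven probing. The serial numbers, IP addresses, endpoint path and access-log format are all constructed for the example.

```python
"""Added example: a registration endpoint that leaks whether an identifier is
already claimed, the uniform-response fix, and a log check for list-driven
probing. Not from the talk or any vendor; all data below is constructed."""
from collections import defaultdict
from typing import Callable, Iterable

# Constructed: identifiers that some customer has already registered.
REGISTERED = {"EQ-0001", "EQ-0002", "EQ-0005"}

# Server-side record of queued claims for the hardened handler (never returned).
PENDING_CLAIMS: dict[str, bool] = {}


def add_equipment_leaky(serial: str) -> dict:
    """Vulnerable pattern: the visible reply depends on whether the serial is
    already registered, so anyone able to call the endpoint can walk a list of
    serials and learn which ones belong to real customers."""
    if serial in REGISTERED:
        return {"status": 409, "message": "Equipment already exists"}
    return {"status": 200, "message": "Equipment added"}


def add_equipment_uniform(serial: str) -> dict:
    """Hardened pattern: identical status and message for every input. Whether
    the serial was already claimed is kept server-side and resolved with the
    owner of record out of band, so the caller learns nothing either way."""
    PENDING_CLAIMS[serial] = serial in REGISTERED
    return {"status": 202,
            "message": "Request received; the owner of record will be asked to confirm"}


def is_oracle(handler: Callable[[str], dict], probes: Iterable[str]) -> bool:
    """True if the handler's externally visible reply differs across probes,
    which is exactly what makes it usable for enumeration."""
    seen = {(r["status"], r["message"]) for r in map(handler, probes)}
    return len(seen) > 1


# Constructed access-log excerpt (assumed format: time client method path status).
# 203.0.113.7 walks six different serials in five seconds; 198.51.100.4 retries
# one serial twice, which is what a genuine owner fixing a typo looks like.
SAMPLE_LOG = """\
2021-08-07T14:00:01Z 203.0.113.7 POST /api/equipment/EQ-0001 409
2021-08-07T14:00:01Z 203.0.113.7 POST /api/equipment/EQ-0002 409
2021-08-07T14:00:02Z 203.0.113.7 POST /api/equipment/EQ-0003 200
2021-08-07T14:00:02Z 198.51.100.4 POST /api/equipment/EQ-0042 200
2021-08-07T14:00:03Z 203.0.113.7 POST /api/equipment/EQ-0004 200
2021-08-07T14:00:04Z 203.0.113.7 POST /api/equipment/EQ-0005 409
2021-08-07T14:00:05Z 203.0.113.7 POST /api/equipment/EQ-0006 200
2021-08-07T14:00:05Z 198.51.100.4 POST /api/equipment/EQ-0042 200
2021-08-07T14:00:06Z 198.51.100.4 GET /api/farms/me 200
"""


def flag_enumerators(log_text: str, threshold: int = 5) -> list[str]:
    """Detection side: count distinct equipment identifiers tried per client
    and return the clients above `threshold`, sorted. Adding a handful of
    machines is normal; trying dozens from one address is list-driven probing."""
    distinct: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].startswith("/api/equipment/"):
            continue
        client, path = parts[1], parts[3]
        distinct[client].add(path.rsplit("/", 1)[1])
    return sorted(c for c, ids in distinct.items() if len(ids) > threshold)


if __name__ == "__main__":
    probes = ["EQ-0001", "EQ-0003", "EQ-0099"]
    print("leaky handler is an oracle:", is_oracle(add_equipment_leaky, probes))
    print("uniform handler is an oracle:", is_oracle(add_equipment_uniform, probes))
    print("clients flagged for probing:", flag_enumerators(SAMPLE_LOG))
```

The same two checks apply to the username case the talk mentions: a login or registration endpoint whose status code, message or response time differs for known and unknown accounts is an oracle, and a single client touching many distinct identifiers in a short window is the signal to alert on, whatever the identifiers are.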