Welcome to the Farm Hacking community!

    This forum is the result of MadameHoneyPot mentioning on Twitter about wanting to look at tractors in real life. That led to past thoughts that EdwardPrevost and SecureSun on Twitter had almost 4 years ago about looking at the whole Farm ecosystem of sensors, from tractors to moisture sensors, drones, soil and air testing probes, etc.

    I'd love to help get like-minded people together and start a community around this. A couple of points:
    • We can name this whatever we want, I just had to put something down to create the forum
    • I am looking to others to take charge and help start organizing. I will be able to lend support, amplify, and coordinate some, but it has to be from the community and not just DT pushing it.
    • As topic areas are proposed or make sense we can create sub-forums to focus on them. The first example I created was for Tractors.
    There are a lot of things we could do, from just acting as a article repository for news and white papers about the topic, to forming groups and posting pictures, videos and code on our efforts.

    I have created a new Article Category for Farm Hacking located in the Articles section. People can post their articles and research papers both here and there, and we will try to keep it organized. It can act as a mini-library.

    So welcome, jump in, and feel free to post your research and ask questions.

    The Dark Tangent
    Last edited by Dark Tangent; 2 weeks ago. Reason: Added a link to the new Farm Hacking section in Articles
    PGP key: dtangent@defcon.org valid 2020 Jan 15, to 2024 Jan 01 Fingerprint: BC5B CD9A C609 1B6B CD81 9636 D7C6 E96C FE66 156A

  • #2
    One aspect of farm equipment hacking has a lot in common with iPhone repair and even Boeing making some safety features an extra charge.

    Organizations that are able to commoditize service and features even for maintenance and repair "only through authorized entities" are following the old system that IBM had in place when they had enough of a market share to impose restrictions on support and service to only official IBM equipment.

    At one time, farmers (around the world) were not denied the freedom to repair and improve the equipment they buy. Now, features already present in the hardware are turnkey features that you purchase a license to enable. Code that people find or build which claims to do the equivalent has been claimed illegal by tractor companies.

    Much of it stems from businesses looking to manufacture stable revenue streams:
    * Printer toner/ink purchased periodically: https://www.zdnet.com/article/hp-jus...-its-printers/
    * Microsoft attempted license subscriptions for MS Windows, and has them for versions of Office.
    * Keurig devices and a push to only allow official replacement "k-cups" : https://www.wired.com/2015/05/keurig-k-cup-drm/
    * John Deere: https://www.bloomberg.com/news/featu...00-000-tractor

    Hacking and farm equipment stories are likely our future with cars as they become more like smartphones. Consider features in Tesla, which are shipped as-is with hardware that supports them, but disabled in software. Hacking and farm equipment are good topics to prepare for a future where automotive hacking could take us.

    How to get farmers interested in hacking to join and discuss hacks, and how much advertising of firmware from Russia, or China, or Czech Republic or South Korea? The forums I've seen farmers into hacking farm equipment use tend to be forums set up by the creators of the software they use on their equipment. Do any of those forums delete complaints or unhappy replies? If censorship is a thing with vendors, having a space less likely to delete negative reviews might work, but at the cost of suffering links and ads to various sites with fake reviews.

    If we make the content not public to avoid SEO spam bots, search engines can't find it for users to find it.
    6: "Who is Number1?"
    2: "You are number6"
    6: "I am not a number!..."



    • #3
      Hi. I'm just here to transmit gratitude for creating this forum 🙏 and to share this excellent work by David Bollier 🔥 -> https://www.resilience.org/stories/2...urce-solution/



    • #4
      Here is also a link to some research done by a group at California Polytechnic -

      *my internet is buggy so forgive me if the hyperlink doesn't work but just copy/paste it*

      https://github.com/TractorHacking



    • #5
      Just a few thoughts for now. Very interested in this getting some airtime as it's a topic I'm pretty close to.
      I'll make a diagram that may be useful, over the next few days, describing the available surface, and some of the common technologies used in Ag.

      From the discussion on twitter, I see a few major areas people are concerned about:
      1. R2R: giving farmers the ability to fix their own equipment.
      2. Unlocking pay-to-play features
      3. The security of the modern connected farm, and impacts of potential exploits.
      Researching 1 & 2 probably carries the most legal risk right now.

      Prior work at DEF CON:
      https://www.youtube.com/watch?v=M5S2...FCONConference
      https://www.youtube.com/watch?v=ImO3QSFxLak&t=5m20s


      Useful technical info:
      A lot of Ag technology is driven by on- and off-road trucking and construction. Many systems from most manufacturers use LIN (least common), CAN, and ISOBUS. On top of CAN, most machines will layer ISO J1939 for diagnostic capabilities. This ensures consistency in diagnostic messaging via standard formats. The most recent round of machines (while some still support J1939) are moving to a standard called UDS (ISO 14229). IIRC both require at the physical layer a diagnostic connector called a Deutsch HD10-9. It's easy enough to splice into the bus and use any good, hobby grade CAN-USB device though.
      Many of the dealer service tools provided by the manufacturers use ODX/OTX to perform testing and FW flashing which are also covered by ISO standards.
      Importantly, a lot of implements are connected to the machine via a bus technology called ISOBUS


      The modern machine:
      It's not uncommon for a modern mid-tier machine to have: multiple long range data communications (2+ cell chipsets, + satellite connectivity), short range comms (wifi, bluetooth, 433MHz, 833Mhz etc. ) Multiple touch capable glass screens, self steering, automated implement controls, better than inch accuracy GPS, and may be hauling hundreds of MB of data to a backend about planting/application/harvesting. Many will have > 100 ECUs (defined here as things that need to be flashed), that run a mix of light weight embedded C or C++, to full linux installs with all the bells and whistles.

      A lot of the ECUs are supplied by big companies like Bosch, Dickey John etc. Many more are supplied by smaller companies that only play in the ag space, or ag and construction.
      From a HW vulnerability standpoint, a lot of them aren't great: exposed serial, JTAG, SPI etc.
      Some manufs. are better than others at encrypting images, securing their update process, and signing FW.


      Finally, this stuff IS available if you want it. A quick sweep of ebay shows JD telemetry units readily available:
      https://www.ebay.com/itm/John-Deere-...YAAOSw95BbxL4d

      https://www.ebay.com/itm/John-Deere-...wAAOSwVQhgISmm

      https://www.ebay.com/itm/John-Deere-...EAAOSw1ZpgIXxD

      Last edited by L.P.; 1 week ago.



      • Dark Tangent commented
        Great post, thank you for the links. I've started a new thread for Video Library of links to related talks people may want to learn from.
        I like the eBay links too, DEF CON may want to get into buying and holding onto the gear for an in-person hacking experience.
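The post above mentions J1939 layered on CAN and splicing in with a hobby-grade CAN-USB adapter. As an added example (editor's code, not L.P.'s or any project's), here is what you would do with the frames such an adapter produces: decode the 29-bit identifier into priority, PGN, source and destination, and pull one signal (engine speed, SPN 190 in EEC1) out of the payload. The log lines are constructed for illustration in the cansend/candump -l "id#data" notation; the PGNs are the standard SAE J1939 ones (EEC1 61444, Address Claimed 60928, DM1 65226, Request 59904), but the payload bytes and the addresses 0x00 and 0xF9 are assumptions.

```python
"""J1939 29-bit identifier decoding over a constructed CAN log (added example;
not the forum poster's code). Frames are in the cansend/candump -l "id#data"
notation. PGNs used are the standard ones: EEC1 61444, Address Claimed 60928,
DM1 65226, Request 59904. The payloads are made up for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed log: a service tool at 0xF9 listens to an engine ECU at 0x00.
SAMPLE_LOG = """\
can0  0CF00400#FFFF7D401FFFFFFF
can0  18EEFF00#A50012000001A000
can0  18FECA00#00FF0000000000FF
can0  18EA00F9#DAFE00
"""

PGN_NAMES = {61444: "EEC1", 60928: "Address Claimed", 65226: "DM1", 59904: "Request"}


@dataclass(frozen=True)
class J1939Id:
    priority: int
    pgn: int
    sa: int                      # source address
    destination: Optional[int]   # None for PDU2 (no addressee; always broadcast)


def decode_id(can_id: int) -> J1939Id:
    """Split a 29-bit id into priority / EDP,DP / PF / PS / SA and derive the PGN."""
    if can_id >> 29:
        raise ValueError("not a 29-bit identifier")
    priority = (can_id >> 26) & 0x7
    pages = (can_id >> 24) & 0x3          # extended data page + data page
    pf = (can_id >> 16) & 0xFF            # PDU format
    ps = (can_id >> 8) & 0xFF             # PDU specific
    sa = can_id & 0xFF
    if pf < 240:
        # PDU1: PS is the destination address; it is not part of the PGN.
        return J1939Id(priority, (pages << 16) | (pf << 8), sa, ps)
    # PDU2: PS is a group extension and forms the low byte of the PGN.
    return J1939Id(priority, (pages << 16) | (pf << 8) | ps, sa, None)


def engine_speed_rpm(eec1: bytes) -> Optional[float]:
    """SPN 190 in EEC1: bytes 4-5 little-endian, 0.125 rpm/bit.
    Raw values of 0xFE00 and above signal error / not available, so return None."""
    if len(eec1) < 5:
        return None
    raw = eec1[3] | (eec1[4] << 8)
    if raw >= 0xFE00:
        return None
    return raw * 0.125


def parse_line(line: str) -> Tuple[int, bytes]:
    frame = line.split()[-1]               # drop interface / timestamp columns
    id_hex, data_hex = frame.split("#", 1)
    return int(id_hex, 16), bytes.fromhex(data_hex)


def decode_log(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        can_id, data = parse_line(line)
        j = decode_id(can_id)
        row = {"pgn": j.pgn, "name": PGN_NAMES.get(j.pgn, "?"), "sa": j.sa,
               "dest": j.destination, "priority": j.priority}
        if j.pgn == 61444:
            row["rpm"] = engine_speed_rpm(data)
        if j.pgn == 59904:
            # Request payload: the PGN being asked for, LSB first
            row["requested_pgn"] = data[0] | (data[1] << 8) | (data[2] << 16)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in decode_log(SAMPLE_LOG):
        print(r)
```

Note the PDU1/PDU2 split: for PF below 240 the PS byte is an address and must be masked out before you compare PGNs, otherwise a request sent to ECU 0x00 and one sent to the global address 0xFF look like two different PGNs. Nothing in the identifier authenticates the source address; the decoder reports whatever the sender put there.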

    • #6
      This ISO standard pertains to not just Deere tractors but all tractors and heavy farm equipment!

      https://www.iso.org/standard/71171.html

      I linked this as well in the Deere sub-forum but just in case I figured I would post it here as well *Forgive me if this is unnecessary and repetitive. I just wanted to post it in both places since it pertains to more than just Deere tractors



      • #7
        Originally posted by ¥ungCastr0 View Post
        This ISO standard pertains to not just Deere tractors but all tractors and heavy farm equipment!

        https://www.iso.org/standard/71171.html

        I linked this as well in the Deere sub-forum but just in case I figured I would post it here as well *Forgive me if this is unnecessary and repetitive. I just wanted to post it in both places since it pertains to more than just Deere tractors
        You want just part 2, or parts 1-11 ?

        The ISOBUS I mentioned above is a software stack that conforms to 11783, that many manufacturers use.

        It's governed and maintained by the AEF:
        https://www.aef-online.org/home.html



        • #8
          Originally posted by L.P. View Post

          You want just part 2, or parts 1-11 ?

          The ISOBUS I mentioned above is a software stack that conforms to 11783, that many manufacturers use.

          It's governed and maintained by the AEF:
          https://www.aef-online.org/home.html
          All the parts would be great! haha that was just the first link I found pertaining to it and didn't think to reference the full standard, which is here for anyone curious or able to obtain its contents for research. Please feel free to quote this if anyone finds more info and I'll add that to this!

          1: General standard for mobile data communication
          https://www.iso.org/standard/57556.html

          2: Physical layer
          https://www.iso.org/standard/71171.html

          3: Data link layer
          https://www.iso.org/standard/71172.html

          4: Network layer
          https://www.iso.org/standard/50577.html

          5: Network management
          https://www.iso.org/standard/74366.html

          6: Virtual terminal
          https://www.iso.org/standard/71173.html

          7: Implement messages application layer
          https://www.iso.org/standard/59380.html WILL BE REPLACED BY: https://www.iso.org/standard/78295.html *Not yet though*

          8: Power train messages
          https://www.iso.org/standard/39123.html

          9: Tractor ECU
          https://www.iso.org/standard/54390.html

          10: Task controller and management information system data interchange
          https://www.iso.org/standard/61581.html

          11: Mobile data element dictionary
          https://www.iso.org/standard/57849.html

          12: Diagnostics services
          https://www.iso.org/standard/71184.html

          13: File server
          https://www.iso.org/standard/56765.html

          14: Sequence control
          https://www.iso.org/standard/43984.html
          Last edited by ¥ungCastr0; 1 week ago.



          • #9
            L.P.

            What would be the value in the eBay ECU units? Are they just a gateway to talk to the mother-ship, so the hacking goal could be to MitM the communication to make the unit think it's talking to home? What would the hacking goals be with them?

            Originally posted by L.P. View Post

            Finally, this stuff IS available if you want it. A quick sweep of ebay shows JD telemetry units readily available:
            https://www.ebay.com/itm/John-Deere-...YAAOSw95BbxL4d

            https://www.ebay.com/itm/John-Deere-...wAAOSwVQhgISmm

            https://www.ebay.com/itm/John-Deere-...EAAOSw1ZpgIXxD



            • #10
              Originally posted by Dark Tangent View Post
              L.P.

              What would be the value in the eBay ECU units? Are they just a gateway to talk to the mother-ship, so the hacking goal could be to MitM the communication to make the unit think it's talking to home? What would the hacking goals be with them?

              Those were just an easy example (tabs at hand, as I was already looking); most other ECUs are available.
              WRT gateways specifically, yes for MiTM, but also machine control. Gateways for most mfgs are attached to the CAN bus or at least bridged to it. In the same sense as cars, if you are in the gateway, it is possible to issue steer/throttle commands remotely depending on specific machine architecture.
              Outside that, it could be possible to do things like taint "as applied" numbers of chemicals, which in some regions are reported to government entities to ensure compliance with chemical and pesticide laws.
              Planting and yield information flows through them. It's also possible to identify specific workers and get into some GDPR issues.

              My thoughts on the above:
              The R2R part is fascinating and interesting.
              As national infrastructure, the Ag sector is one of the CISA critical infrastructure sectors, but at a large scale doesn't get the same funding, initiatives, or spotlight as other concerns like water, power, finance. The products involved (barring some upcoming EU legislation + GDPR) are also completely unregulated in a security sense. In the same vein as we can be helpful in securing elections, there is a massive space to be useful in helping secure the global food supply.
              Gateways are a good entry to that, as a lot of them are pretty much consumer grade IoT devices.



              • #11
                Originally posted by L.P. View Post

                Those were just an easy example (tabs at hand, as I was already looking); most other ECUs are available.
                WRT gateways specifically, yes for MiTM, but also machine control. Gateways for most mfgs are attached to the CAN bus or at least bridged to it. In the same sense as cars, if you are in the gateway, it is possible to issue steer/throttle commands remotely depending on specific machine architecture.
                Outside that, it could be possible to do things like taint "as applied" numbers of chemicals, which in some regions are reported to government entities to ensure compliance with chemical and pesticide laws.
                Planting and yield information flows through them. It's also possible to identify specific workers and get into some GDPR issues.

                My thoughts on the above:
                The R2R part is fascinating and interesting.
                As national infrastructure, the Ag sector is one of the CISA critical infrastructure sectors, but at a large scale doesn't get the same funding, initiatives, or spotlight as other concerns like water, power, finance. The products involved (barring some upcoming EU legislation + GDPR) are also completely unregulated in a security sense. In the same vein as we can be helpful in securing elections, there is a massive space to be useful in helping secure the global food supply.
                Gateways are a good entry to that, as a lot of them are pretty much consumer grade IoT devices.
                I think y'all might find this fun to look at until we can get our hands on one of the units.

                https://www.ebay.com/itm/John-Deere-...YAAOSw95BbxL4d :

                FCC's breakdown
                https://fccid.io/OV5-MA4G



                • #12
                  Here is some preliminary info we gathered on a JD OEM ECU https://tractorhacking.github.io/doc...gineering.html
                  One thing to note is that to the best of my knowledge these ECUs come blank and need to be flashed in order to get the firmware.



                  • ¥ungCastr0 commented
                    This is awesome! excited to learn more :3

                  • Dark Tangent commented
                    "Future Reverse Engineering Work

                    JTAG attack on the ECU

                    Upon investigation of the ECU board it was noted that there may be JTAG or similar debug pins exposed that have been previously accessed, likely during the remanufacturing process. These are pictured below:

                    [Figure: ECU main board with pads circled]

                    Injecting debug commands into the CAN network

                    The J1939 spec specifies a number of debugging commands that can be injected into the CAN network to receive back certain information. It is likely that this is possible using no more specialized equipment than our SparkFun RedBoard and CAN-BUS shield. However this avenue has not yet been investigated.

                    Intercepting and filtering CAN packets

                    If it is determined that certain packets are being used to filter system messages, the lack of integrity checks or encryption (similar to unencrypted UDP) on the CAN network would allow a physical device to be placed in between a control unit, like the ECU, and the rest of the network to intercept and filter packets that cause the vendor lockdown."
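Both L.P.'s remark in #5 that J1939 is layered on CAN for diagnostics and the Cal Poly excerpt quoted above ("The J1939 spec specifies a number of debugging commands that can be injected into the CAN network to receive back certain information") describe the same mechanism: the J1939 Request message (PGN 59904) and the Acknowledgment that answers it (PGN 59392). As an added example (editor's code, not the forum's or the TractorHacking project's), here is that exchange with both sides simulated: a tool asks an ECU for its Software Identification (PGN 65242) and gets it, asks for Component Identification (PGN 65259) and gets a NACK, and sends a global request that is correctly left unanswered. The addresses 0xF9 (tool) and 0x00 (engine) and the SOFT payload are assumptions; the PGN numbers and frame layouts follow SAE J1939-21/-71.

```python
"""J1939 request/acknowledgment exchange (added example, not from the forum
thread or the Cal Poly project). Two simulated nodes: a service tool at
source address 0xF9 and an engine ECU at 0x00 (both addresses illustrative).
PGN numbers and layouts are the standard SAE J1939-21/-71 ones."""
from typing import Dict, List, Optional, Tuple

PGN_REQUEST = 0xEA00   # 59904, Request (PDU1: destination-specific or global)
PGN_ACK     = 0xE800   # 59392, Acknowledgment
PGN_SOFT    = 0xFEDA   # 65242, Software Identification
PGN_COMP    = 0xFEEB   # 65259, Component Identification
GLOBAL      = 0xFF
NACK        = 1        # control byte value for "negative acknowledgment"

Frame = Tuple[int, bytes]  # (29-bit CAN id, payload of up to 8 bytes)


def build_id(priority: int, pgn: int, sa: int, da: Optional[int] = None) -> int:
    """Compose a 29-bit id. PDU1 PGNs (PF < 240) carry the destination in PS."""
    pf = (pgn >> 8) & 0xFF
    if pf < 240:
        if da is None:
            raise ValueError("PDU1 PGN needs a destination address")
        ps = da
    else:
        ps = pgn & 0xFF            # group extension is part of the PGN itself
    pages = (pgn >> 16) & 0x3     # EDP/DP bits
    return (priority << 26) | (pages << 24) | (pf << 16) | (ps << 8) | sa


def pgn_and_dest(can_id: int) -> Tuple[int, Optional[int]]:
    """Inverse of build_id for the two fields a responder needs."""
    pf = (can_id >> 16) & 0xFF
    ps = (can_id >> 8) & 0xFF
    pages = (can_id >> 24) & 0x3
    if pf < 240:
        return (pages << 16) | (pf << 8), ps
    return (pages << 16) | (pf << 8) | ps, None


def build_request(requested_pgn: int, sa: int, da: int) -> Frame:
    """Request PGN 59904: 3-byte payload = requested PGN, LSB first."""
    data = bytes([requested_pgn & 0xFF, (requested_pgn >> 8) & 0xFF,
                  (requested_pgn >> 16) & 0xFF])
    return build_id(6, PGN_REQUEST, sa, da), data


class SimEcu:
    """Minimal responder: answers requests for PGNs it provides, NACKs the rest."""

    def __init__(self, address: int, provided: Dict[int, bytes]):
        self.address = address
        self.provided = provided

    def handle(self, frame: Frame) -> List[Frame]:
        can_id, data = frame
        pgn, dest = pgn_and_dest(can_id)
        requester = can_id & 0xFF   # nothing authenticates this; it is just a byte
        if pgn != PGN_REQUEST or dest not in (self.address, GLOBAL) or len(data) < 3:
            return []
        wanted = data[0] | (data[1] << 8) | (data[2] << 16)
        payload = self.provided.get(wanted)
        if payload is not None:
            # PDU2 PGNs are always broadcast; PDU1 replies go back to the requester.
            da = requester if ((wanted >> 8) & 0xFF) < 240 else None
            return [(build_id(6, wanted, self.address, da), payload)]
        if dest == GLOBAL:
            return []   # J1939-21: a global request is never NACKed
        # Acknowledgment layout: control byte, group function, 2 reserved bytes,
        # requester address, 3-byte PGN being acknowledged (LSB first).
        ack = bytes([NACK, 0xFF, 0xFF, 0xFF, requester,
                     wanted & 0xFF, (wanted >> 8) & 0xFF, (wanted >> 16) & 0xFF])
        return [(build_id(6, PGN_ACK, self.address, GLOBAL), ack)]


def exchange(tool_sa: int = 0xF9, ecu_sa: int = 0x00) -> List[Tuple[str, int, str]]:
    """Run three requests against a simulated ECU and return the bus trace as
    (who, can_id, hex payload) tuples."""
    # Constructed SOFT payload: field count 1, then "1.2.3*". It fits in one frame;
    # longer identification strings need the J1939-21 transport protocol (not shown).
    ecu = SimEcu(ecu_sa, {PGN_SOFT: b"\x01" + b"1.2.3*"})
    trace: List[Tuple[str, int, str]] = []
    for pgn, da in ((PGN_SOFT, ecu_sa), (PGN_COMP, ecu_sa), (PGN_COMP, GLOBAL)):
        req = build_request(pgn, tool_sa, da)
        trace.append(("tool", req[0], req[1].hex()))
        for rid, rdata in ecu.handle(req):
            trace.append(("ecu", rid, rdata.hex()))
    return trace


if __name__ == "__main__":
    for who, cid, payload in exchange():
        print(f"{who:4s} {cid:08X}#{payload}")
```

The trace is exactly what a CAN-USB adapter would show on the bus: a request is a 3-byte frame anyone can send, the reply is addressed only by the 8-bit source address field, and the NACK path tells an observer which PGNs a node recognises. That is the "lack of integrity checks" the quoted write-up refers to; the protocol gives the ECU no way to tell a dealer tool from any other node that chose address 0xF9.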

                • #13
                  I'm so happy to see this forum starting the same day I have accepted to start working officially on IIoT Smart Farming Security. Looking forward to learning and contributing to the field!
