Contributing Writer

Remote bricking of Ukrainian tractors raises agriculture security concerns

News Analysis
May 26, 2022 · 6 mins
Critical Infrastructure

Modern agriculture depends on internet-connected machinery that is centrally controlled and collects and analyzes massive amounts of data, making it an inviting target for threat actors.


Against the backdrop of horrific reports from Russia’s Ukraine invasion, an encouraging story emerged earlier this month when unidentified Ukrainians remotely disabled tractors worth $5 million that Russian soldiers in the occupied city of Melitopol stole from Agrotek-Invest, an authorized John Deere dealer. The soldiers stole 27 pieces of farm machinery and shipped them primarily to Chechnya, 700 miles away, only to discover they had been rendered inoperable due to a “kill switch.”

The dealership tracked the machinery using the tractors’ embedded GPS technology. Although the equipment was reportedly languishing at a farm near Grozny on May 1, one source said the Russians had found consultants who would try to bypass the digital protection that bricked the machines.

Some observers fear that malicious actors could exploit the same technology Deere and other manufacturers use to update and monitor farm equipment. If successfully accomplished on a large-enough scale, a cyberattack could disrupt significant portions of what has become critical agricultural infrastructure.

Modern tractors are intelligent machines

Farm equipment, including machines made by industry titan John Deere, evolved starting in the 1980s from old-fashioned analog tractors, combines, and so forth into digitally connected intelligent devices that produce treasure troves of agricultural data. For example, modern tractors became equipped with “torque sensors on the wheels that measured soil density, humidity sensors on the undercarriages that measured soil moisture, and location sensors on the roof that plotted density and moisture on a centimeter-accurate grid.”

The kill switch used by the Ukrainian dealership builds on a practice that began in the auto industry: vehicle identification number locking, or VIN-locking. With VIN-locking, only authorized technicians can enter the special codes needed to work on a machine’s internal network. Deere’s use of VIN-locking became infamous when the tractor maker decided to deny farmers the access to the computer software running their machines that they needed to make repairs. The company argued that farmers had no right to access its proprietary code.

Tractors fueled the right to repair movement

This refusal gave the “right to repair” movement in the U.S. steam to demand changes to the Digital Millennium Copyright Act (DMCA). The idea is to require John Deere and other equipment makers to provide access to “the same agricultural equipment’s diagnostic and repair information made available to the manufacturer’s dealers.” Deere has vigorously opposed this notion.

Due to this stalemate, American farmers began purchasing cracked Ukrainian John Deere software, including diagnostic programs, payload files, and electronic data link drivers. (As it turns out, Ukraine has a historical affinity for tractors dating to around 1930. Back then, the machines became “game-changers” that elevated peasant farming to “a steel bastion of the collectivization of agriculture” during Stalin’s forced collectivization of agriculture.)

In 2015, the U.S. Copyright Office approved an exemption to the DMCA that allows modification to “computer programs that are contained in and control the functioning of a motorized land vehicle such as a personal automobile, commercial motor vehicle, or mechanized agricultural vehicle … when circumvention is a necessary step undertaken by the authorized owner of the vehicle to allow the diagnosis, repair, or lawful modification of a vehicle function.” However, farming right-to-repair advocates consider this exemption to be too narrow.

Hackable tractors are vulnerable to sabotage

At least one right-to-repair advocate, Kevin Kenney, argues that equipment makers’ remote control over vehicle software makes farmers and the food supply vulnerable to sabotage. In 2016, the FBI and the U.S. Department of Agriculture issued a bulletin warning that “the Food and Agriculture (FA) Sector is increasingly vulnerable to cyberattacks as farmers become more reliant on digitized data.”

That warning, however, focused chiefly on ransomware and the prospect of threat actors stealing farm-level data in bulk “to exploit US agriculture resources and market trends.” But the warning is consistent with one security researcher’s test earlier this year, in which he was able to remotely access the data of 25 Teslas simultaneously by exploiting a bug in an open-source logging tool.

At least one tractor maker, AGCO, was forced to shut down production earlier this month when a ransomware attack hit it. But stealing data from tractors or even shutting down a tractor manufacturer’s plant is a far cry from reaching out to tractors across the nation and shutting them down en masse.

Could a malicious actor hack and disable tractors?

With the remote bricking of the Ukrainian tractors, the question now arises: Could malicious actors disrupt a nation’s farming and the food supply by hacking into many tractors simultaneously and disabling them?

Writer and activist Cory Doctorow thinks so, at least to some degree. Given what he contends is Deere’s “dismal” infosec, “the tool that Deere used to brick all those stolen tractors in Chechnya is potentially available to even moderately skilled hackers who exploit Deere’s reckless decision to build kill-switches into its equipment and its negligent security,” he wrote.

Farming expert John Fulton, Professor of Food, Agricultural and Biological Engineering at Ohio State University, thinks the only way hackers could cause damage to farming in any significant way is to hack the big equipment manufacturers. Even then, the threat actors would have to attack farm-by-farm, a relatively inefficient way of bringing a nation’s agriculture down, he tells CSO.

“If they’re going to attack the farm, they’re going to be attacking one of those large companies to get to the farm,” he says. On the whole, Fulton thinks the ability to track down and disable stolen farm equipment is a good thing. “If someone stole your vehicle, you would want to have the opportunity and hope to get it back. So, if the GPS and the connectivity allow that to happen because someone was doing evil, then I think that’s a positive benefit of the technology,” he says.

Fulton visited Ukraine 30 years ago to rebuild and expand the country’s infrastructure for agricultural production following the collapse of the Soviet Union. At that point, the farmers were using “dilapidated and old equipment,” he says.

It doesn’t surprise him that the dealership took the effort to disable the stolen tractors or that Ukrainian farmers value their machines so highly. “They recognize what the value of that is to their operation today versus what they had back in the eighties.”