Udderly Insecure: Researchers Spot Cow-Tracking Collar Flaws
IoT Hackers Could Inject Data to Fool 'Smart' Farmers and Vets About Animal Welfare
Not even dairy cows appear to be safe from flaws in the internet of things.
As farmers deploy sensors to help more easily manage and monitor many different types of agricultural practices, a trio of University of Bristol cyber-physical security researchers warn that "smart" farming devices can sow digital security risks, unless they're protected using encryption and other too-often-missing security safeguards.
Farmers know their Holstein Friesians from their Jerseys or Guernseys but they have no way of knowing which agritech products are secure by design or how effective any security controls might be.
That's one takeaway from "The Internet of Insecure Cows - A Security Analysis of Wireless Smart Devices Used for Dairy Farming," a paper that lead researcher Sam Barnes-Thornton presented Sunday at the 5th Joint Workshop on CPS and IoT Security and Privacy in Copenhagen, Denmark.
The Bristol cyber-physical systems researchers studied a brand of cow-monitoring collars built to route information about animals' health to a receiver that feeds software monitoring tools. They reported being able to reverse-engineer the system's wireless protocols, which rely on unencrypted data, allowing them to send fake data to the receivers as well as monitor data being shared by the sensors.
Despite its rustic reputation, agriculture is on the forefront of networked sensor adoption. Insurance marketplace giant Lloyds and University College London in a 2018 study predicted a rapid rise in the adoption of IoT devices by farmers to better manage yields - "through a combination of soil, weather, and machine sensors" - backed by big data and the use of artificial intelligence to spot patterns and help refine practices.
That embrace of technology hasn't been matched by awareness of cybersecurity risks. Researchers continue to find and report serious security vulnerabilities in agritech devices. In 2021, a researcher found flaws in farm management software built by John Deere that he said would have allowed an attacker to remotely alter the quantity of chemicals being released from an attached sprayer or to drive the tractor into obstacles or rivers, although the tractor giant disputed those findings (see: Flaws in John Deere Systems Show Agriculture's Cyber Risk).
Bristol researchers warned such eavesdropping could allow an attacker to harvest the animals' health data, although this appears to pose minimal if any risk.
Injecting data into the cow-monitoring software could have "more severe" repercussions, they said. "The attacks result in incorrect information being presented to farmers and vets," they said, while emphasizing that the attack didn't directly affect the animals.
"The activity data is used to monitor health and in particular is used as part of heat detection to allow optimal breeding of animals," they said. "Falsifying this data could lead to farmers and vets losing the advantages that such monitoring systems provide, resulting in a loss of income in a sector with very tight margins."
The U.K. government regards food supply - including domestic agriculture - as being one of 13 sectors comprising critical national infrastructure. About 69% of land in the U.K. is used for agricultural purposes and as of 2021, the U.K. was producing about 54% of the food appearing on household plates.
Whether or not malicious actors would attempt to inject false data into a dairy-monitoring system, the research highlights that no safeguards prevent them from doing so, when such safeguards could have easily been built in.
The researchers said they had reported the "relatively simple vulnerabilities" to the manufacturer in March and that the manufacturer had responded the same day and said future versions of the device will encrypt all data - although when this might happen remains unclear. Existing collars cannot be updated; only replacing them would give farmers a more secure version. "Because of this potential delay, and due to the potential risk to animal welfare, we have decided to withhold details of the vendor and products in this paper," they said.
The researchers found a stopgap security technique that could be used, based on each collar counting every transmission and assigning it a unique, incremental number, which could serve as a rolling code. "If data is injected with an unused counter, then eventually the collar will transmit a legitimate packet with the same counter," they said. "If the system detects duplicate counters, then an alarm can be raised indicating that data may be being injected into the system."
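The duplicate-counter alarm described above, written as an added example (not code from the paper or from the withheld vendor): the packet fields `collar_id`, `counter` and `payload`, the memory window and the sample traffic are all assumptions constructed for illustration.

```python
from collections import OrderedDict, defaultdict
from dataclasses import dataclass

WINDOW = 4096  # counters remembered per collar (assumed bound, not from the paper)
@dataclass(frozen=True)
class Packet:            # field names are hypothetical; the real format is withheld
    collar_id: str
    counter: int         # per-collar incrementing transmission counter
    payload: bytes       # activity data as received

class DuplicateCounterMonitor:
    """Raises an alert when a counter value is seen twice for one collar."""
    def __init__(self, window=WINDOW):
        self.window = window
        self.seen = defaultdict(OrderedDict)   # collar_id -> {counter: payload}

    def observe(self, pkt):
        """Return None for a fresh counter, or an alert dict for a repeat."""
        history = self.seen[pkt.collar_id]
        if pkt.counter in history:
            first = history[pkt.counter]
            # The receiver cannot tell which copy is forged, so both readings
            # are reported as suspect; a differing payload is the strong signal.
            return {"collar_id": pkt.collar_id, "counter": pkt.counter,
                    "payload_differs": first != pkt.payload,
                    "suspect_payloads": [first, pkt.payload]}
        history[pkt.counter] = pkt.payload
        if len(history) > self.window:
            history.popitem(last=False)        # forget the oldest counter
        return None

def scan(packets, window=WINDOW):
    """Run the monitor over a packet sequence and collect the alerts."""
    monitor = DuplicateCounterMonitor(window)
    return [a for a in map(monitor.observe, packets) if a is not None]

# Constructed sample: counter 103 is injected for "A17" before the collar reaches it.
SAMPLE = [
    Packet("A17", 100, b"\x02\x10"),
    Packet("A17", 103, b"\xff\xff"),   # injected with an unused counter
    Packet("B02", 100, b"\x01\x00"),   # same counter, other collar: no alert
    Packet("A17", 101, b"\x02\x11"),
    Packet("A17", 102, b"\x02\x0f"),
    Packet("A17", 103, b"\x02\x12"),   # legitimate packet reuses the counter
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```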
Researchers said the manufacturer lacked an agritech bug bounty or vulnerability disclosure program - although it had them for other lines of business - and they described this as being typical of an industry that from a cybersecurity standpoint still "lacks maturity." They called on all agritech vendors to create clear ways to report vulnerabilities in their products, given the certainty that more serious flaws will be found.
Cybersecurity warnings centered on the agricultural sector aren't new. The FBI in 2016 warned that greater adoption of smart farming - meaning, using digital data to underpin more efficient agricultural practices - could trigger a rise in online attacks against the food and agricultural sector.
Physical Theft Concerns
Hackers gaining remote access to farm management software could allow them to enumerate the equipment on any given farm, to help them steal it, Manchester, England-based consultancy NCC Group warned in a 2019 report, adding that hacktivists could also pose a threat.
For farmers, "data privacy, physical theft by organized criminal gangs and concern about animal welfare activists are key concerns," the report says. "There is a significant level of agricultural vehicle theft, with equipment being targeted by organized criminal gangs and sold abroad." Ransomware also remains a threat.
As the agricultural sector adopts more digitized practices, NCC Group said ensuring the cybersecurity of automated operations - including autonomous ground vehicles being used for farming and automatic milking parlors - remains essential.