How To Keep IoT Hunters And Poachers Out Of Your Food And Farms

A drone equipped to “sniff” Zigbee flew over an Austin neighborhood in early August and found almost 1,600 devices. It’s a sign of how ubiquitous these technologies have become, and how we use them every day — despite their vulnerabilities.

The experiment in Austin mirrored the Google Street View incident in 2011, when Wi-Fi sniffers exposed our home Wi-Fi connections.

As we connect more devices to our lives, I can’t help but wonder, can hackers hurt, hunt or poach our local food production systems?

Imagine the future where cities are growing 30 percent of America’s food. It’s not crazy: States like Hawaii are headed in that direction, and Americans produced 40 percent of their own local food in Victory Gardens during WWII. Locally grown food makes sense: to improve food nutrition and taste, to reduce pesticide use and alleviate greenhouse gases. When there are flash floods, hurricanes or disasters elsewhere, America can stay food secure by growing locally. Plus, hipsters like to do it.

Since 1969, America is actually a net importer of food — exporting $7 billion, importing $18 billion from countries like Mexico and China. In a climate and thereby resource-insecure future, growing food locally and in city warehouses by companies like BrightFarms in New York and AeroFarms in New Jersey will suddenly make a whole lot of sense to the masses.

But know: all locally grown food done this way uses connected sensors to automate and optimize the processes.

Because I see a future where every American city will be growing its own food, I’d like to know how connected gardens and small farms of the future can be built today to withstand hackers.

Can hackers hurt, hunt or poach our local food production systems?

Small-scale could simply mean keeping a small herb garden on your counter, but it also can mean growing an acre of food in a space as small as a shipping container or on your apartment roof in New York City.

I turned to three tech geeks I know to paint the future about what hackers can hunt, hack and poach from your food.

“Innovators,” says Andrew Erlick, director of hardware, design and technology at Indiegogo (previously Quirky), “should lean heavily on their online community in order to prevent any malicious attacks. When it comes to gardening, I’d envision a lot of collaborative learning taking place.

“Depending on the climate, seed-type, fertilizer, time of year, nutrient etc. the community driven connected garden should be able to produce the optimum growing recommendations.

“With this human element in mind, any sort of breach in security would be counterbalanced by thousands of watchful eyes. The database will be a living thing itself. If there is a breakdown in the process the combination of data-analysis and an ecosystem of gardeners should be able to correct the mishap, which in turn will lead to healthy growth,” Erlick explains.

Luke Schantz, a New York tech evangelist formerly from the Blue Man Group, tells me that future food grown in cities will need “massive networks of sensors for monitoring the environmental conditions. And, “possibly some modern robotic scarecrows to keep out the rats, pigeons, squirrels and of course crows from feasting on or nesting in the urban agriculture.”

How would he keep the hackers out?

System design. The system could be decentralized. Each node in the system could have solar energy panel, battery, on-board sensors and a micro-controller that reports data back to the system but does not require network connectivity or commands from a master control program to operate. So, if the servers are hacked or given a disruption of service attack, each node of the system will keep functioning on its own.

Don’t get pale or paranoid. Be prepared.

Data collection could be done with a system like Helium, where the reporting nodes are low-cost one-way radios. If the system had a master control agent or message cue, blockchain could be used to ensure that the control network is not compromised or hacked. This also could be used in updating the programing on each node in the system. This would ensure that corrupted updates or viruses were distributed to the system nodes (as the Stuxnet virus was distributed to the Iranian centrifuges).

Avoid mono-cultures. It would be interesting to grow a wider variety of food types versus the mono-cultures of the [conventional] agro industry. These cultures are supposed to be compilations of the best of many genetic lines. It seems like the potential for a targeted attack or natural plight against the mono-culture could be a significant security flaw.

Amichai Yifrach, CTO of flux, and a systems engineer for the military for 15 years, made me the most afraid. (Disclaimer: we work together at flux.)

“Being a hacker myself,” says Yifrach, “I can concur that every wireless (more than wired) connection is susceptible to attacks. So the answer to the question ‘is the threat real?’ is yes.”

He divides the threats into end-equipment attacks and server attacks as the main threats: DoS (denial of service) attacks in which the attacker does not do anything to your information, but prevents it from reaching the server, or an MITM (man in the middle) attack, in which the attacker gains access to the network and acts as a man-in-the-middle, pretending to be the Internet (the server) to the server, thus gaining access to the data packets flying between the connected device and the server.

For all attacks, the basic threat analysis formula is the benefit of the attacker versus the effort (time and money) required for the attack. Some agtech user might have valuable data, such as secret grow recipes for unique strains of plants, user ID, anonymity of the user or data on revenue-based ag-tech businesses.

If the above applies to your business, what can be done to protect yourself?

Yifrach suggests to “hire a full-time experienced hacker in your team who will conduct constant monitoring and pen-testing (penetration testing) of your system and periodically patch if required. This way you can stay ahead in this cat and mouse game.”

And observe these server-side protection techniques:

  • Have your own server rather than sharing physical hardware on public servers.
  • Build strong, well-designed security layers (physical and logical) that actively detects attacks and reacts accordingly.
  • Build a strong but user-friendly (mostly a contradiction in terms, if not well-designed) authentication protocol.
  • After the authentication phase, apply a cryptography layer to the data stream, so even if the first authentication layer failed, a second authentication and security layer can be applied using public/private key management techniques.
  • Have your database built and managed with security awareness (only an experienced hacker/pen-tester can design and maintain).

“I would gladly demonstrate how a virus I can put in our cloud server can slowly crawl out of its cage and gradually give me control of the entire machine (hosting servers from other companies) and also to the entire cloud service provider infrastructure,” says Yifrach, who is against shared server solutions: “All I need is a motive, time and money. So the bigger you get, the more attractive you get for large organizations to get their hands on your data.”

On the end-equipment side, Yifrach says CTOs can observe the following techniques:

  • Applying strong security to the home network is not plausible — so one needs to assume that both threats will occur.
  • Against DoS we can do nothing, because we are unable to manage the end-user home network. But one can apply a reconnection mechanism to end equipment (since DoS is not a permanent attack) while maintaining data logging techniques if data loss is critical.
  • Against MITM attacks, the third and fourth techniques listed on the server-side are applicable here too; the fourth is critical.
  • Using 3G or 4G communication devices (rather than Wi-Fi) makes the attacker’s life much harder, thus the system more secure (this may increase costs and require a service fee).

Yifrach, a white hat hacker says he “can demonstrate some things that will make you pale… and paranoid.”

As we lay the foundations for more locally produced food (see Edenworks) we can’t ignore the threats and potential hackers. Don’t get pale or paranoid. Be prepared.