GC-2026-0014 (Critical)

Unauthenticated firmware rollback on Halberd Agritech soil controllers

The over-the-air update channel on Halberd SoilSense controllers accepts older signed firmware images without anti-rollback enforcement, letting a network-adjacent attacker reintroduce patched vulnerabilities and seize persistent control of irrigation logic.

Vendor
Halberd Agritech
Product
SoilSense HC-440 / HC-460
Severity
Critical · CVSS 9.4
Target
Industrial IoT
Disclosed
Status
Coordinated disclosure — fixed in 4.2.1
  • Firmware
  • Authentication
  • OTA

Overview

The SoilSense HC-440 and HC-460 are ARM Cortex-M4 controllers deployed across precision-agriculture sites to schedule valve actuation and pump duty cycles. Updates arrive over a vendor MQTT bridge as signed images.

While the bootloader correctly verifies the Ed25519 signature on each image, it does not compare the candidate version against a monotonic counter. Any image the vendor ever signed remains permanently installable.

Root cause

Anti-rollback state was intended to live in a one-time-programmable fuse bank, but the production fuse-burn step was gated behind a build flag that shipped disabled. The counter therefore always reads zero, and the comparison `candidate_ver >= stored_ver` is satisfied by every release.

Because firmware 3.0.x contained an unauthenticated valve-override command (silently fixed in 3.1), an attacker can downgrade a fully patched unit and then exploit the reintroduced flaw — a rollback-to-pwn chain.

Impact

On a compromised controller an attacker can override scheduled irrigation, drive pumps to thermal cutoff, or suppress moisture alarms. At fleet scale this is a water-resource and equipment-integrity risk, not merely a nuisance.

Remediation

Halberd shipped 4.2.1, which burns the anti-rollback fuse on first boot and rejects any image below the stored counter. Operators should confirm units report `rollback_armed=1` via the diagnostics topic after updating.
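To make the root cause and the 4.2.1 fix concrete, here is an added C model of the bootloader's anti-rollback decision; it is illustrative code written for this advisory, not Halberd's firmware, and the fuse-bank layout, the `FUSE_BURN_ENABLED` build flag, the `VER()` encoding and the function names are assumptions. It shows the shipped check, where the unburned fuse makes `stored_ver` read zero so every signed image passes, beside the corrected check that arms the fuse on first boot and ratchets the counter forward on each install.

```c
/* Added example: constructed model of the SoilSense rollback check (not vendor code). */
#include <stdint.h>
#include <stdbool.h>

/* Pack major.minor.patch into one comparable integer (assumed encoding). */
#define VER(a, b, c) ((uint32_t)(((a) << 16) | ((b) << 8) | (c)))

/* Constructed stand-in for a one-time-programmable fuse bank: the stored
 * version can only move upward, which is what makes the counter monotonic. */
typedef struct {
    uint32_t rollback_ver;   /* lowest version the bootloader will accept */
    bool     rollback_armed; /* what the diagnostics topic reports as rollback_armed */
} fuse_bank_t;

static void fuse_burn(fuse_bank_t *f, uint32_t ver) {
    if (ver > f->rollback_ver) f->rollback_ver = ver; /* never lowers */
    f->rollback_armed = true;
}

/* Shipped (defective) logic: the production burn step was gated behind a build
 * flag that shipped disabled, so rollback_ver stays zero and the comparison
 * candidate_ver >= stored_ver holds for every image the vendor ever signed. */
#define FUSE_BURN_ENABLED 0
bool accept_image_v3(fuse_bank_t *f, bool sig_ok, uint32_t candidate_ver) {
    if (!sig_ok) return false;                     /* Ed25519 check done by caller */
    if (candidate_ver < f->rollback_ver) return false;
#if FUSE_BURN_ENABLED
    fuse_burn(f, candidate_ver);
#endif
    return true;
}

/* 4.2.1 behaviour: arm the fuse with the running version on first boot, reject
 * any candidate below the stored counter, and advance the counter on install. */
bool accept_image_v421(fuse_bank_t *f, bool sig_ok,
                       uint32_t running_ver, uint32_t candidate_ver) {
    if (!f->rollback_armed) fuse_burn(f, running_ver); /* first-boot arming */
    if (!sig_ok) return false;
    if (candidate_ver < f->rollback_ver) return false; /* rollback rejected */
    fuse_burn(f, candidate_ver);                       /* ratchet forward */
    return true;
}
```

The same model explains the operator check in the remediation: a unit whose bank reports `rollback_armed` false is still running the defective path.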

Disclosure timeline

  1. Ghost Circuit notifies Halberd PSIRT
  2. Vendor acknowledges, assigns tracking ID
  3. Fixed build 4.2.1 enters field validation
  4. Coordinated public disclosure