Security

Researchers Found Multiple Server-Side Flaws in Agricultural Equipment Giant ‘John Deere’

By Bill Toulas / August 9, 2021

A team of researchers led by ‘Sick Codes’ have “audited” some of the largest agricultural equipment vendors in the world and found several critical server-side vulnerabilities that had the potential to expose the critical assets of John Deere, the Illinois-based manufacturer of a wide range of heavy equipment products, and information on users/customers of Case New Holland (CNH), one of the largest agricultural equipment vendors in the world.

The discovery of the flaws, the subsequent reporting, and the eventual fixing took place months ago. However, the group of researchers has just published more details on the topic given the opportunity of the DEF CON 29 hacker convention. A summary of the discovered flaws is given below:

The researchers provided a PoC (proof of concept) for each of these flaws, and the fixes came pretty quickly (in about a week). However, John Deere had no vulnerability disclosure program in place, and decided not to publish any details about the findings, how they may have affected the users of their websites and online services, and also for how long users remained at risk of having mission-critical or personal details leaked.

For a company that sells six-figure autonomous farm vehicles, lacking a solid cybersecurity and bug disclosure program is irresponsible, to say the least.

Source: Sick Codes
Source: Sick Codes

As ‘Sick Codes’ told us during a private discussion following the disclosure of the above:

Most security researchers have stories about strange responses they've from a vendor they've dealt with, even when conducting good-faith research, and reporting it in a totally normal manner. As an industry though, Agriculture is quite good at dealing with downtime, which is a great feature of the industry. For example, if the John Deere Operations Center was to go down for a few hours (like it did last month when Akamai went down), then a tractor will still work itself out once it "comes back into range" or "comes back online".

I totally understand and appreciate that autonomous farming is in fact still "emerging tech", giving John Deere the benefit of the doubt the whole way through. However, when the PR team releases statements that are contrary to what we published it feels like the vendor is totally discrediting what the entire team did for them (for free). I think they'll eventually "get it" and join the rest of the industry, like Siemens, Hitachi, Rockwell Automation, Mitsubishi, etc.

John Deere has since launched a vulnerability disclosure program on HackerOne and has already received 62 reports from 19 hackers. This means the future cybersecurity perspective for the firm and its clients is now much better, courtesy of ‘Sick Codes’ and his team, even if they never got a bounty for their reports.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: