Bugs Allowed Hackers to Dox All John Deere Owners

john-deere

Image: Mark Hirsch/Bloomberg via Getty Images

Screen Shot 2021-02-24 at 3

Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.

A pair of bugs in John Deere’s apps and website could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment, according to a security researcher who found the vulnerabilities. 

There is no evidence that hackers exploited these flaws. The researcher, who goes by Sick Codes, reported them to John Deere on April 12 and 13 and the company fixed one of the bugs just three days later. The company fixed the second bug on Wednesday, according to the researcher, who published a blog on his findings on Thursday. 

Advertisement

Before the fixes, the vulnerabilities exposed a lot of personal data belonging to John Deere’s customers, according to Sick Codes.

“I could download the data of every owner of every single John Deere tractor in the world,” Sick Codes, who did the research along with Kevin Kenney and Willie Cade, told Motherboard in a phone call.

Sick Codes explained that thanks to these bugs he was able to see the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number or VIN, the identifying code for a specific car. 

“I could download the data of every owner of every single John Deere tractor in the world”

“How do you think farmers would feel knowing that John Deere was leaking their full name, company name, address line 1, address line 2, etc., or when the ‘subscription’ started for that device?” Sick Codes said. “Since [John Deere] was not rate-limiting those VIN lookups either, an attacker could have easily looked up every single [John Deere] vehicle over a day or two, effectively duplicating the entire database.” 

A John Deere spokesperson confirmed the existence of the vulnerabilities but downplayed their impact. 

“We were recently made aware of two code misconfigurations in separate online applications,” the spokesperson said in an email. “We immediately investigated, and the misconfigurations were remediated. Neither misconfiguration enabled access to customer accounts, dealer accounts, or sensitive personal information.”

Advertisement

Sick Codes said that the claim that the bugs did not expose customer information is “a lie.” 

“I could see sensitive [Personal Identifying Information],” he said in response to John Deere’s statement. “The fact that they’re trying to discredit me just shows how incompetent they are.”

Do you reverse engineer apps? Or do you do any other kind of security research? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, lorenzofb on Wickr, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

A recent Forbes article dug into John Deere’s history—or lack thereof—of software vulnerabilities.

“One thing the company doesn’t have? A software vulnerability in any of its products – at least one that the company has disclosed to the public,” the author wrote.  

That’s not the case anymore. 

Sick Codes said that the first vulnerability allowed anyone to list all usernames on the John Deere Web Portal. 

“A remote unauthenticated attacker can simply remove the cookie from the original request and replay an unlimited volume of username availability requests,” the researcher wrote in the vulnerability report, which he shared with Motherboard. “An unauthenticated remote attacker can easily enumerate an organization’s account username by submitting permutations of a target, with no observable rate-limit.”

The second flaw could be used in tandem with the first to dox all John Deere’s owners. The flaw was in the John Deere Operations Center Mobile app for Android and iOS, as well on its corresponding web version. 

Anyone with an API cookie, which could be obtained just by signing up for the app, which did not require proof of owning a John Deere vehicle, could “expose any vehicle or equipment owner’s name, physical address, equipment GUID (permanent equipment ID) and the status of whether the Terminal is remotely accessible via the RDA protocol via the Vehicle Identification Number (VIN) API,” according to the vulnerability report Sick Codes sent to John Deere.

Sick Codes complained that the process to disclose these vulnerabilities was “lackluster,” as John Deere was slow to respond. 

Subscribe to our cybersecurity podcast, CYBER.