John Deere, Researchers Spar Over Impact of Vulnerabilities
Numerous vulnerabilities uncovered in tractor manufacturer John Deere’s systems underscore the cyber risks that come in tandem with the productivity gains from high-tech farming.
An Australian researcher who goes by the nickname Sick Codes remotely presented his latest findings on Sunday at the Def Con security conference in Las Vegas. He’s part of an independent security research group called Sakura Samurai, which hunts for and responsibly discloses security vulnerabilities.
Sick Codes and the group found several vulnerabilities in the systems of John Deere, based in Moline, Illinois, that have now been patched. He posted details of those issues on his blog on Sunday.
The findings are serious. A combination of issues granted root access to John Deere’s Operations Center, which is a comprehensive platform for monitoring and managing farm equipment.
Two problems led to it. First, Sakura Samurai’s John Jackson and another researcher, Robert Willis, found a vulnerability in a business process management tool called Pega. Sick Codes says that Pega is popular with businesses, but it often has too many permissions and has administrative access to other systems, not unlike remote monitoring and management tools such as SolarWinds Orion.
The Pega vulnerability, which stemmed from unchanged default admin credentials, allowed remote access to Pega’s Chat Access Group Portal. That bug opened up access to a whole range of other resources, including Pega’s security audit log and even an Okta signing certificate. The researchers were also able to export the private key for John Deere’s single sign-on SAML server.
The issues were so bad in combination that Sick Codes and his group stopped probing Deere’s systems further.
“This can pretty much allow us to upload files to any user, login as any user…upload whatever we want, download whatever we want, destroy any data, login to any third party accounts,” Sick Codes says in his presentation. “We could literally do whatever the heck we wanted with anything we wanted on the John Deere Operations Center, period.”
Efforts to reach John Deere weren’t immediately successful. But in a statement to The Security Ledger, the company denied in broad strokes the findings demonstrated by Sick Codes and downplayed the seriousness.
“None of the claims – including those identified at Def Con – have enabled access to customer accounts, agronomic data, dealer accounts, or sensitive personal information,” the company says. John Deere went on to say that “contrary to claims made at Def Con, none of the issues identified by the security researchers would have affected machines in use,” according to The Security Ledger.
Def Con presentations are tightly vetted and reviewed by security experts before acceptance to the conference. It’s also not uncommon for companies and security researchers to be somewhat at odds over the potential impacts.
Sick Codes tells ISMG that John Deere should “be honest” and turn the situation into a positive one.
“Own up to it,” he says.
Tractors As…Buggy Computers
John Deere’s tractors may look not terribly different from tractors from 40 years ago, but there is a big difference: everything is computerized. Similar to modern vehicles, farm equipment runs highly complex, embedded and proprietary software that connects to the internet.
John Deere’s equipment constantly transmits data to the cloud, from when a farmer sits in a cab to moisture levels in the soil to the size of a harvest. Data has always been critical to farming, but it is now being collected at unprecedented scale for smart farming, or precision agriculture. It allows farmers to reduce costs, say by using fewer pesticides, and to increase yields.
But in March 2016, the FBI issued a warning that the agricultural sector’s increasing dependence on technology increased the potential for cyberattacks.
“Farmers need to be aware of and understand the associated cyber risks to their data, including digital management tool and application developers and cloud service providers, develop adequate cybersecurity and breach response plans,” the FBI said at the time.
Sick Codes’ interest in the company started earlier this year after a colleague pointed out there were no CVEs at all for any John Deere products, an odd finding considering how the company has moved into technologies such as cloud computing.
There’s been some tension between Sick Codes and John Deere. After the research started earlier this year, Sick Codes tried to report security vulnerabilities to John Deere but received no response at first.
Sick Codes shared the information with ICS-CERT, part of the U.S. government’s Cybersecurity & Infrastructure Security Agency, which also reached out to John Deere. Also, one of Sick Codes’ colleagues, Willie Cade, a Chicago-based electronics and right-to-repair enthusiast, worked with him on disclosing the earlier bugs to John Deere.
“I mean, it literally took us three weeks to get through to them [John Deere] to tell them they had a problem,” Cade told ISMG in May. “I physically sent via FedEx, printed copies of our CVE reports to [John Deere’s] chairman, the chief legal officer and the current CIO. The day after the day after it arrived, the vulnerabilities were fixed.”
John Deere, like many others in the tech industry, has been at odds with a growing right-to-repair movement that advocates greater access to diagnostic tools, manuals and software.
Remote Tractor Takeover
Access to John Deere’s Operations Center would have allowed Sick Codes to remotely access farmers’ tractors, a support feature that Deere offers owners but one that in the wrong hands could be disastrous.
For example, increasing the amount of chemicals could create a denial-of-service situation in a field. Dramatically increasing the amount of chemicals applied without alerting the farmer could make a field infertile, Sick Codes says.
“You could permanently deny service to a farmer crop by literally a few lines of malicious code,” Sick Codes says in his presentation.
Access to a tractor could have other malicious outcomes. Some tractors are autonomous, so a malicious person could direct the tractor, say, into a river or onto a highway. A tractor’s ECU could be set to work too hard and fail. More subtle attacks might cause the tractor to lay seed slightly off target from where it is supposed to be laid.
Sakura Samurai found numerous other issues, including one with a system called the Machine Book that John Deere uses to book loans of tractors and equipment. They discovered flaws that would allow them to book tractors, cancel orders and reassign equipment. The system was meant to be open only to employees, and it also exposed some employee data.
Probing further, they also found they could dump the database via a SQL injection flaw. The database had around 1,000 rows and contained all of the bookings ever made, user names, email addresses and more. It may not seem like a huge deal, but Sick Codes says a John Deere competitor, for example, could obtain the personal details of influencers to whom the company has loaned equipment.