DEF CON: Security Holes In Deere, Case IH Shine Spotlight On Agriculture Cyber Risk

chicksdaddy shares a report from The Security Ledger: A lot has changed in the agriculture sector in the last decade. And farm country’s cybersecurity bill has come due in a big way. A (virtual) presentation at the annual DEF CON hacking conference in Las Vegas on Sunday described a host of serious, remotely exploitable holes in software and services by U.S. agricultural equipment giants John Deere and Case IH, The Security Ledger reports. Together, the security flaws and misconfigurations could have given nation-state hackers access to Deere’s global product infrastructure, sensitive customer and third-party data and, potentially, the ability to remotely access critical farm equipment like planters and harvesters that are the lynchpin of the U.S. food chain.

The talk is the most detailed presentation, to date, of a range of flaws in Deere software and services that were first identified and disclosed to the company in April. The disclosure of two of those flaws in the company’s public-facing web applications set off a scramble by Deere and other agricultural equipment makers to patch the flaws, unveil a bug bounty program and to hire cyber security and embedded device security talent.

In addition to a slew of common web flaws like Cross-Site Scripting and account enumeration bugs linked to Deere’s web site and public APIs, the researchers discovered a vulnerability (CVE-2021-27653) in third-party software by Pega Systems, a maker of customer relationship management (CRM) software that Deere uses. A misconfiguration of that software gave the researchers administrative access to the remote, back-end Pegasystems server. With wide-ranging administrative access to the production back-end Pega server, the researchers were able to obtain other administrative Pegasystems credentials including passwords, security audit logs, as well as John Deere’s Okta signing certificate for the Pegasystems server, according to the presentation. In an email statement to The Security Ledger, a John Deere spokesperson said that “none of the claims — including those identified at DEF CON — have enabled access to customer accounts, agronomic data, dealer accounts, or sensitive personal information,” though data included in the presentation as well as prior public disclosures make clear that sensitive data on Deere employees, equipment, customers and suppliers was exposed.