Flaws in John Deere Systems Show Agriculture’s Cyber Risk
John Deere, Researchers Spar Over Impact of Vulnerabilities
Numerous vulnerabilities uncovered in tractor manufacturer John Deere’s systems underscore the cyber risks that come with the productivity gains from high-tech farming.
An Australian researcher who goes by the nickname Sick Codes remotely presented his latest findings on Sunday at the Def Con security conference in Las Vegas. He’s part of an independent security research group called Sakura Samurai, which hunts and responsibly discloses security vulnerabilities.
Sick Codes and the research group found several vulnerabilities in the systems of John Deere, based in Moline, Illinois, that have now been patched. He posted details of those issues on his blog Sunday.
The findings are serious. A combination of issues enabled root access to John Deere’s Operations Center, a comprehensive platform for monitoring and managing farm equipment.
There were two problems that led to the root access. First, Sakura Samurai’s John Jackson and another researcher, Robert Willis, found a vulnerability in a business process management tool called Pega. Sick Codes says that Pega is popular with businesses. But it often has too many permissions and has administrative access to other systems, not unlike remote monitoring and management tools, such as SolarWinds’ Orion, he says.
The Pega vulnerability, which was related to unchanged default admin credentials, allowed remote access to Pega’s Chat Access Group Portal. That bug opened up access to many other resources, including Pega’s security audit log and even an Okta signing certificate. The researchers were also able to export the private key for John Deere’s single sign-on SAML server.
The issues were so bad in combination that Sick Codes and his group stopped probing Deere’s systems further.
“This can pretty much allow us to upload files to any user, log in as any user … upload whatever we want, download whatever we want, destroy any data, log in to any third-party accounts,” Sick Codes said in his presentation. “We could literally do whatever the heck we wanted with anything we wanted on the John Deere Operations Center, period.”
Efforts to reach John Deere weren’t immediately successful. But in a statement provided to The Security Ledger, the company denied in broad strokes the findings demonstrated by Sick Codes and downplayed the seriousness of the claims.
“None of the claims – including those identified at Def Con – have enabled access to customer accounts, agronomic data, dealer accounts, or sensitive personal information,” the company says. John Deere went on to say that “contrary to claims made at Def Con, none of the issues identified by the security researchers would have affected machines in use,” according to The Security Ledger.
Def Con presentations are vetted by security experts before acceptance. It’s also common for companies and security researchers to be somewhat at odds over the potential impacts of flaws.
Sick Codes tells Information Security Media Group that John Deere should “be honest” and turn the situation into a positive one. “Own up to it,” he says.
Tractors as … Buggy Computers
John Deere’s tractors may not look terribly different from tractors of 40 years ago, but there is a big difference: Everything is computerized. Like modern vehicles, farm equipment runs highly complex, embedded and proprietary software that connects to the internet.
John Deere’s equipment constantly transmits data to the cloud, such as information about when a farmer sits in a cab, moisture levels in the soil and measurements of the size of a harvest. Data has always been critical to farming, but it is now being collected at unprecedented scale for smart farming or precision agriculture. That allows farmers to reduce costs – by, for example, using less pesticide – and increase yields.
But in March 2016, the FBI issued a warning that the agricultural sector’s increasing dependence on technology increased the potential for cyberattacks.
“Farmers need to be aware of and understand the associated cyber risks to their data, including digital management tool and application developers and cloud service providers, and develop adequate cybersecurity and breach response plans,” the FBI said at the time.
Sick Codes’ interest in the company started earlier this year after a colleague pointed out there were no CVEs for any John Deere products, an odd finding considering how the company has moved into technologies such as cloud computing.
There’s been some tension between Sick Codes and John Deere. After the research started earlier this year, Sick Codes tried to report security vulnerabilities to John Deere, but he says he received no response at first.
Sick Codes shared the information with ICS CERT, which is part of the U.S. government’s Cybersecurity & Infrastructure Security Agency, and it tried to contact John Deere. Also, one of Sick Codes’ colleagues, Willie Cade, a Chicago-based electronics and “right to repair” enthusiast, worked with him on disclosing the earlier bugs to John Deere.
“I mean, it literally took us three weeks to get through to them [John Deere] to tell them they had a problem,” Cade told ISMG in May. “I physically sent via FedEx, printed copies of our CVE reports to [John Deere’s] chairman, the chief legal officer and the current CIO. The day after it arrived, the vulnerabilities were fixed.”
John Deere, as well as many others in the tech industry, has been at odds with a growing “right to repair” movement that advocates greater access to diagnostic tools, manuals and software.
Remote Tractor Takeover
The access to John Deere’s Operations Center would have allowed Sick Codes to remotely access farmers’ tractors through a support feature that Deere offers owners, one that, in the wrong hands, could be disastrous.
For example, increasing the amount of chemicals could create a denial-of-service situation in a field. Dramatically increasing the amount of chemicals applied without alerting the farmer could make a field infertile, Sick Codes says.
“You could permanently deny service to a farmer’s crop by literally a few lines of malicious code,” Sick Codes said in his presentation.
Access to a tractor could have other malicious outcomes. Some tractors are autonomous, so a malicious person could direct the tractor, say, into a river or onto a highway. A tractor’s electronic control unit could be set to work too hard and fail. More subtle attacks might cause the tractor to lay seed in a way that’s slightly off target from where it’s supposed to be.
Sakura Samurai found numerous other issues, including one in Machine Book, a system John Deere uses to book loans of tractors and equipment. They discovered flaws that would allow them to book tractors, cancel orders and reassign equipment. The system was open only to employees, and it also exposed some employee data.
Probing further, they also found they could dump the database via a SQL injection flaw. The database had around 1,000 rows. It contained all of the bookings ever made, user names, email addresses and more. Sick Codes says a John Deere competitor could get the personal details for influencers to whom the company has loaned out equipment.