John Deere Security Vulnerabilities Put Agriculture at Risk
Researchers Discovered Some Bugs in John Deere’s Systems.
John Deere’s systems carry some security holes researchers have recently come upon. The John Deere security vulnerabilities could lead to remote code execution of the machines.
Who Discovered the John Deere Security Vulnerabilities?
Security bugs in John Deere’s systems were recently found and demonstrated by a researcher known by his nickname as SickCodes. The analyst has Australian origins and found the Las Vegas-based Def Con security conference the proper timing to remotely show his discoveries on the topic.
SickCodes does not work alone. The team of analysts he’s part of is named Sakura Samurai and their usual activity is to discover and explore security bugs.
What Is John Deere?
John Deere is basically the advertising name of the American enterprise Deere & Company. Its activity consists in producing construction, agricultural, and forestry machines.
How the John Deere Security Vulnerabilities Can Be Described?
The John Deere security vulnerabilities are now patched. The main discovered issue was the threat posed by root access enablement to John Deere’s Operations Center page. How could root access be possible?
John Jackson, a researcher from the same team SickCodes is part of and another expert, by his name, Robert Willis discovered a bug in Pega, which is basically a tool for handling business processes. This was dubbed CVE-2021-27653. The issue with Pega is mainly its various rights and accesses.
The Pega security hole led to remote access. How? Using the Pega’s Chat Access Group Portal. The matter lied in the default admin credentials that were not changed. Then, the door was left open to reach Okta signing authorization document and the security audit log belonging to Pega.
This is what researchers managed to achieve by exploiting this vulnerability. What’s more, they also obtained John Deere’s single sign-on SAML server’s private key.
This can pretty much allow us to upload files to any user, log in as any user … upload whatever we want, download whatever we want, destroy any data, log in to any third-party accounts. (…) We could literally do whatever the heck we wanted with anything we wanted on the John Deere Operations Center, period.
What Did John Deere Say About It?
According to the Security Ledger’s post, the company shared in a statement its opinion on the matter and denied the validity of the researcher’s demonstration. They have also minimized the gravity of the presented facts.
None of the claims – including those identified at DEF CON — have enabled access to customer accounts, agronomic data, dealer accounts, or sensitive personal information.” Furthermore, “contrary to claims made at DEF CON, none of the issues identified by the security researchers would have affected machines in use.
What Could Have Been the Impact?
John Deere security vulnerabilities could have led to serious consequences. In their investigation, the experts could have remotely gained access to the tractors. How? By making use of a Deere support capability.
According to bankinfosecurity.com, those who want to lead malicious activities could, for example, deploy denial of service (DDoS attacks). Using a malicious code they could make the system change the number of chemicals a farmer uses without his knowledge, thus leading to agricultural disasters. Examples of exploiting John Deere security vulnerabilities could be expanded. For instance, an autonomous tractor could be made to fall into a river or cause damage on a highway or another could be determined to plant seeds where it’s not supposed to.
The Machine Book has not escaped the experts’ eye, the system the company uses to book equipment and tractors. If exploited, the flaws within this system would let hackers delete orders or book tractors. The database could also be exploited through SQL injection attacks.
Even if the look of the tractors is not very elevated, they have software with the help of which they can be coordinated. Monitoring data on farmer’s activities is constantly transmitted from the tractor to the cloud. When the fact that no vulnerabilities were identified in John Deere’s products came to Sick Code’s attention, they started to analyze them in order to see if this is true. Then their investigation led to the above-mentioned facts. Researchers that found the vulnerabilities managed a little bit hard to contact the company, because it took a while for this to reply, so they sent their data to ICS CERT.
I mean, it literally took us three weeks to get through to them [John Deere] to tell them they had a problem. (…) I physically sent via FedEx, printed copies of our CVE reports to [John Deere’s] chairman, the chief legal officer and the current CIO. The day after it arrived, the vulnerabilities were fixed.