Bugs Allowed Hackers to Dox John Deere Tractor Owners

A pair of bugs in John Deere's apps and website could have allowed hackers to find and download the personal data of all owners of the company's farming vehicles and equipment, according to a security researcher who found the vulnerabilities. 

There is no evidence that hackers exploited these flaws. The researcher, who goes by Sick Codes, reported them to John Deere on April 12 and 13 and the company fixed one of the bugs just three days later. The company fixed the second bug on Wednesday, according to the researcher. 

Before the fixes, the vulnerabilities, if exploited, would have exposed personal data about John Deere's customers, including their physical address, according to Sick Codes.

"I could download the data of every owner of every single John Deere tractor in the world," Sick Codes, who did the research along with Kevin Kenney and Willie Cade, told Motherboard in a phone call. In his blog post, however, they make clear that only Deere equipment with specific technical features would have shown up; older Deere farm "devices" had less (or no) information about them.

"What I mean by 'devices' is actually million dollar machinery that automates farming through GPS auto-steer and things like that," they wrote. At first, "I was looking up ancient tractors. I was submitting almost 30 year old equipment to the API. Which models would have lots of electronics and telemetry? I needed to be looking up the newest models…"

Sick Codes explained that on newer farm equipment he was able to see the vehicle or equipment owner's name, their physical address, the equipment's unique ID, and its Vehicle Identification Number or VIN, the identifying code for a specific car. 

"How do you think farmers would feel knowing that John Deere was leaking their full name, company name, address line 1, address line 2, etc., or when the 'subscription' started for that device?" Sick Codes said. "Since [John Deere] was not rate-limiting those VIN lookups either, an attacker could have easily looked up every single [John Deere] vehicle over a day or two, effectively duplicating the entire database." 

Sick Codes said he could iterate and brute force all VIN numbers in the database, as they were "sequential," according to him. Deere explained that not "all" devices were affected.

A John Deere spokesperson confirmed the existence of the vulnerabilities but downplayed their impact. 

"We were recently made aware of two code misconfigurations in separate online applications," the spokesperson said in an email. "We immediately investigated, and the misconfigurations were remediated. Neither misconfiguration enabled access to customer accounts, dealer accounts, or sensitive personal information."

Sick Codes said that the claim that the bugs did not expose customer information is "a lie." 

"I could see sensitive [Personal Identifying Information]," he said in response to John Deere's statement. Video viewed by Motherboard shows specific addresses associated with equipment. "The fact that they’re trying to discredit me just shows how incompetent they are."

A recent Forbes article dug into John Deere's history—or lack thereof—of software vulnerabilities.

"One thing the company doesn’t have? A software vulnerability in any of its products - at least one that the company has disclosed to the public," the author wrote.  

That's not the case anymore. 

Sick Codes said that the first vulnerability allowed anyone to list all usernames on the John Deere Web Portal. 

"A remote unauthenticated attacker can simply remove the cookie from the original request and replay an unlimited volume of username availability requests," the researcher wrote in the vulnerability report, which he shared with Motherboard. "An unauthenticated remote attacker can easily enumerate an organization’s account username by submitting permutations of a target, with no observable rate-limit."

The second flaw could be used in tandem with the first to dox all John Deere's owners. The exploit leveraged John Deere Operations Center Mobile app for Android and iOS, as well on its corresponding web version. 

Anyone with an API cookie, which could be obtained just by signing up for the app, which did not require proof of owning a John Deere vehicle, could "expose any vehicle or equipment owner's name, physical address, equipment GUID (permanent equipment ID) and the status of whether the Terminal is remotely accessible via the RDA protocol via the Vehicle Identification Number (VIN) API," according to the vulnerability report Sick Codes sent to John Deere.

Sick Codes complained that the process to disclose these vulnerabilities was "lackluster," as John Deere was slow to respond. 

Correction, April 22, 1:22 p.m. ET: This article and headline have been corrected to clarify that not "all" owners of John Deere equipment were potentially affected by these vulnerabilities. 

Subscribe to our cybersecurity podcast, CYBER.