Hacker Says He Found a ‘Tractorload of Vulnerabilities’ at John Deere

A group of security researchers released their findings after spending months researching weaknesses in the operating systems of two major agriculture companies.
August 13, 2021, 1:00pm
Image:  Philipp Schulze/picture alliance via Getty Images

Security researchers found multiple vulnerabilities in the systems of John Deere and Case New Holland, two of the country's largest agriculture tech companies, according to a presentation at the Def Con hacking conference. They warn that, in the wrong hands, these weaknesses could put consumers and the global food supply chain at risk.

Led by a hacker known as Sick Codes, a group of researchers conducted a “good faith” audit of John Deere and Case New Holland and found what they described as a "tractor load of vulnerabilities," they said in the talk. Both companies produce high-tech machinery used in mass agriculture. The hackers warned that a cyber attack on the users of agricultural businesses such as these could severely compromise crop yield and trade secrets. During the talk, Sick Codes went through a series of vulnerabilities his group found, culminating in vulnerabilities he described as allowing them "to upload files to any user, log in as any user, destroy any farm, run any farm off the road, upload whatever we want, download whatever we want, destroy any data, log in to any third party accounts. We could literally do whatever the heck we wanted with anything we wanted on the John Deere operation center, period. And that's when we pretty much stopped because we pretty much had rope on the whole organization."

John Deere claimed in a statement that "none of the claims—including those identified at DEF CON—have enabled access to customer accounts, agronomic data, dealer accounts, or sensitive personal information. Further, contrary to claims made at DEF CON, none of the issues identified by the security researchers would have affected machines in use.  John Deere considers the security of our systems and the data within them a top priority and we work tirelessly to identify and address any misconfigurations as quickly as possible. Deere also recognizes the important role our products play in food security and within the global food supply chain."

Deere also said that it has increased its spending on security "by about 750% in the past seven years."


“If nobody does what we did for free, then the bad guys will come in and do it for money,” Sick Codes recently told Motherboard over the phone. 

The presentation detailed how weaknesses in operating systems could give an attacker remote access to download or upload files onto farming equipment like tractors. 

"If you were able to access farms, you would be able to do things like overspray chemicals onto the field," they said in their presentation. "You could permanently denial of service to that farm just by simply over spraying one season, by literally loading up the fertile ground with too many chemicals."

Case New Holland already allows clients remote access to some of their machinery from hundreds of miles away using just their user information, according to their website.

Their research found that Case’s JavaMelody server could be compromised, revealing highly sensitive data including locations, IP addresses, session IDs and full names. With that data, an attacker could reuse a victim's session and impersonate the user in order to log into the system.
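An exposed monitoring endpoint that lists live sessions is the kind of thing a defender wants to spot in access logs before anyone else does. The following is an added example, not code from the researchers or from the JavaMelody project: it scans constructed web-server log lines for requests to JavaMelody's default `/monitoring` path (and its `part=sessions` view) from addresses outside an assumed internal allowlist.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines in combined log format; not taken from the page.
SAMPLE_LOG = """\
10.20.0.5 - - [13/Aug/2021:10:01:02 +0000] "GET /monitoring HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Aug/2021:10:01:09 +0000] "GET /monitoring?part=sessions HTTP/1.1" 200 18344 "-" "curl/7.68.0"
203.0.113.7 - - [13/Aug/2021:10:01:15 +0000] "GET /app/dashboard HTTP/1.1" 200 2201 "-" "curl/7.68.0"
198.51.100.9 - - [13/Aug/2021:10:02:30 +0000] "GET /monitoring?part=sessions HTTP/1.1" 401 0 "-" "python-requests/2.25"
"""

# Minimal combined-log parser: source IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed internal ranges; the monitoring page should only be reachable from here.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip_text, allowed_nets=INTERNAL_NETS):
    """True if the source address falls inside one of the allowed networks."""
    src = ip_address(ip_text)
    return any(src in net for net in allowed_nets)


def find_monitoring_exposure(log_text, monitoring_path="/monitoring", allowed_nets=INTERNAL_NETS):
    """Return external requests to the monitoring endpoint, rated by what they got back.

    A 200 on the sessions view is the worst case: session data was handed to an
    outside address. Any other 200 still means the page is reachable; a non-200
    is a probe worth knowing about but not a disclosure.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash on them
        path = m["path"]
        if not (path == monitoring_path or path.startswith(monitoring_path + "?")):
            continue
        if is_internal(m["ip"], allowed_nets):
            continue
        status = int(m["status"])
        if status == 200 and "part=sessions" in path:
            severity = "high"
        elif status == 200:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"ip": m["ip"], "ts": m["ts"], "path": path,
                         "status": status, "severity": severity})
    return findings
```

Run it over a real log instead of `SAMPLE_LOG` and adjust `INTERNAL_NETS` to the actual management ranges; anything rated high means the endpoint needs to be firewalled or put behind authentication, not just watched.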

According to their research, the hackers also got access to John Deere’s administrative Pega credentials, which they described as a master key to “mission critical” data. They also discovered a username enumeration weakness that could allow an unauthenticated remote attacker to access personal user information such as user ID numbers, full names and addresses.


There were also vulnerabilities in the company’s machine book, the system used to reserve demonstration units for trade shows and conferences. Once they had access, the researchers could book units and change or cancel appointments. They were also able to pull every demo unit that had ever been provided, along with the email addresses used to book them.

The researchers also said they obtained the original decryption password and signing certificate for the company’s Okta instance. Okta is a single sign-on platform that companies use to give employees access to all of the company’s software. Sick Codes said an attacker could have used it to log in as any user, upload or delete any data they want, delete accounts and more.

Tech companies have seen a large increase in ransomware attacks over the past year, and the agriculture industry is learning that it is just as much at risk.

America has already seen the effects of the massive cyber attack that shut down operations at the world’s largest meat processing company, JBS, this past June. The company paid an $11 million ransom to REvil, the ransomware gang behind the attack. 

John Deere recently partnered with HackerOne, a security platform in which businesses can have their systems examined for weaknesses by cybersecurity researchers. Sick Codes was invited to join the program after contacting them regarding bugs he found in April, but soon withdrew from the program after he realized he would need to sign an NDA. 


Screenshots included in the presentation showed a conversation between hacker Wabafet and the John Deere Twitter account in which the company stated they “encourage the ethical hacker community to report any possible vulnerability that is identified in our assets.” In the message, John Deere stipulated that they do not offer bug bounties but do grant safe harbor so that researchers can investigate and report weaknesses without risk of retaliation.

“They need fresh blood in the company because the way that they're dealing with this is bizarre,” Sick Codes told Motherboard over the phone. “They feel like they've got a really anti-research, vulnerability disclosure… You would actually put yourself at risk submitting research to them because of the way that their thing’s set up.”

Sick Codes said that none of the hackers have heard back from Case or John Deere since the presentation. Screenshots provided by the hacker confirm that he informed John Deere’s chief information security officer, James Johnson, of their plans to present their research and shared the presentation files with him ahead of time. 

Motherboard previously spoke to Sick Codes in April when they uncovered two bugs that could have allowed hackers to access consumer information. At the time, Sick Codes, Kevin Kenney and Willie Cade managed to gain access to personal identifying information of owners of Deere equipment, including the machine VIN and the owner’s name and physical address. At the time, the company told Motherboard that no personal information was actually at risk by these bugs. 

Case New Holland did not respond to a request for comment. According to Sick Codes’s website, all of the vulnerabilities they shared have since been patched.