Tractor-maker John Deere distributed USB drives that hijacked users’ keyboards and loaded its official website in the browser. While the John Deere USB drive didn't do anything to compromise the security of devices it was connected to, it used a method that's similar to a malicious attack.
A Reddit user said he got one of these USB drives and noticed the weird behavior. A John Deere spokesperson later confirmed that the company has made USB drives designed to act this way.
“The device itself, it’s pretty ingenious, actually,” the Reddit user said. “It’s an HID-compliant keyboard that, when connected, detects what platform it’s on and automatically sends a keyboard shortcut to open a browser, and then it barfs the link into the address bar.”
Ken Golden, John Deere’s director of public affairs, said that the company has distributed these kinds of USB drives in the past, but stressed that their intention is not to do anything malicious.
“Deere is deeply committed to all aspects of data security and has never used a USB device to interfere with or monitor the use of any user’s personal computer or remove or observe any data or information on any user’s computer,” Golden wrote in an email. “Based on our review of the video used to exemplify the USB device comment about Deere, the video shows products and design of our website that are not current and appear to be several years old.”
Handing out USB keys or drives is a longtime tradition at trade shows and conferences. This practice has recently lost some traction because security experts recommend never plugging in any USB drives whose origins or content are unknown. Hackers have put malware inside USB drives in the past, so this is not just a theoretical attack.
Deere’s USB drive doesn’t contain malware, but its ability to hijack a keyboard to load up a specific site shows exactly why you shouldn't plug random USB drives into your computer.
Correction: This piece has been changed to remove a reference to the Reddit user receiving the John Deere USB drive from a conference; the Redditor said they instead got it from a family member. Motherboard regrets the error.