Researchers spoke about the vulnerabilities of agricultural machinery John Deere and Case New Holland

John Deere vulnerabilities
Written by Emma Davis

A group of researchers, led by a hacker known as Sick Codes, spoke at Def Con about the discovery of multiple vulnerabilities in John Deere and Case New Holland systems, two largest agricultural equipment companies.

Experts warned that in the hands of attackers, these vulnerabilities could threaten both consumers and the global food supply chains.

Both companies produce high-tech agricultural machinery, and the researchers believe that attacking users of such agricultural enterprises could seriously affect crop yields and compromise trade secrets.

Interestingly, John Deere recently launched its own bug bounty program on HackerOne, and Sick Codes was invited to join the initiative as he contacted the company this spring about the bugs found. However, in the end, the researcher refused to participate in the program, as he realized that in this case he would have to sign a non-disclosure agreement.

During a talk at Def Con, Sick Codes considered a number of vulnerabilities, eventually reaching problems that allow “any user to download arbitrary files, log in as any user <...> download whatever we want, download whatever we want, destroy any data, log in to any accounts “.

The hackers emphasized that the vulnerabilities could give attackers remote access to download or upload files on agricultural equipment, including tractors.

We could literally do whatever we wanted with anything in the John Deere operations center. After that, we stopped because, in fact, the whole organization was on a leash. If no one did what we did for free, the bad guys would come and do it for money.Sick Codes told Vice Motherboard by phone.

In response to this presentation, John Deere representatives stated the following:

None of these statements (including those made at Def Con) assist in gaining access to customer accounts, agronomic data, vendor accounts, or sensitive personal information. In addition, contrary to claims made at Def Con, none of the problems identified by the researchers could affect the machines used. John Deere makes the security of systems and data a top priority, and we work tirelessly to identify and resolve any issues as quickly as possible. John Deere also recognizes the importance of the role our products play in food security and in the global food supply chain.

In addition, the company said it has increased security spending “by about 750%” over the past seven years.

If you have access to farms, you can do things like over-spraying chemicals in the fields. You can give such a farm a perpetual “denial of service” just by over-spraying in one season, literally overloading the fertile soil with too many chemicals,” Sick Codes said during the presentation.

For example, Case New Holland provides customers with remote access to some equipment, located hundreds of miles away, using only user data.

Research by the Sick Codes team has shown that the Case JavaMelody server can be compromised, leading to the disclosure of sensitive data, including location data, IP addresses, session IDs, and full names of people. Using this information, attackers will be able to impersonate users and infiltrate the system.

The hackers also gained access to administrative credentials from John Deere Pega, which they describe as a master key for accessing “critical” information. In addition, they discovered an issue in the user numbering system that allowed an unauthenticated remote attacker to gain access to a user’s personal information, including IDs, full names, and addresses.

Sick Codes said during the presentation.
Bugs were also found in the system that is used to reserve demo units of equipment for exhibitions and conferences. Researchers could book rooms, change or cancel appointments. They were also able to “book” any demo car ever provided.

The Sick Codes team also managed to obtain the original decryption password and signing certificate for the company’s Okta, which is an SSO platform used to provide employees with access to all of the company’s software. According to Sick Codes, an attacker could use this to log in as any user, download or delete any data, delete accounts, and more.

Since the presentation, no one from the research team has received a response from John Deere or Case New Holland, Sick Codes said. The screenshots provided by the group confirm that they briefed John Deere Chief Information Officer James Johnson about the issues, and also informed the company that they intend to publish their research (by providing presentation files in advance). And although there were no responses from the companies, according to the Sick Codes website, all vulnerabilities that were disclosed at the conference have been fixed.

Let me remind you that we also talked about INFRA: HALT vulnerabilities affect industrial equipment from 200 manufacturers.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.