Red Sky Alliance has previously reported on John Deer’s cyber woes. No industry sector is immune from cyber threats, hacking or mischief. Recently, numerous vulnerabilities were uncovered in tractor manufacturer John Deere's systems that underscore the cyber risks that come with the productivity gains from high-tech farming. An Australian researcher who goes by the nickname Sick Codes, his LinkedIn profile (11) Sick Codes | LinkedIn remotely presented his latest findings on 08 August 2021 at the Def Con security conference in Las Vegas. He is part of an independent security research group called Sakura Samurai, which hunts and responsibly discloses security vulnerabilities.
Sick Codes and the research group found several vulnerabilities in the systems of John Deere, based in Moline, Illinois, that have now been patched. He posted details of those issues on his blog last week.
The findings are serious. A combination of issues enabled root access to John Deere's Operations Center, a comprehensive platform for monitoring and managing farm equipment:
There were two problems that led to the root access. First, Sakura Samurai found a vulnerability in a business process management tool called Pega. Sick Codes says that Pega is popular with businesses. But it often has too many permissions and has administrative access to other systems, not unlike remote monitoring and management tools, such as SolarWinds' Orion, they said.
The Pega vulnerability, which was related to unchanged default admin credentials, allowed remote access to Pega's Chat Access Group Portal. That bug opened access to many other resources, including Pega's security audit log and even an Okta signing certificate. The researchers were also able to export the private key for John Deere's single sign-on SAML server.[1]
The issues were so bad in combination that Sick Codes and his group stopped probing Deere's systems further. "This can pretty much allow us to upload files to any user, log in as any user … upload whatever we want, download whatever we want, destroy any data, log in to any third-party accounts," Sick Codes said in his presentation. "We could literally do whatever the heck we wanted with anything we wanted on the John Deere Operations Center, period."
Efforts to reach John Deere were not immediately successful. But in a statement provided to The Security Ledger, an independent security website that explores the intersection of cyber security with business, commerce, politics and life, the company denied in broad strokes the findings demonstrated by Sick Codes and downplayed the seriousness of the claims. “None of the claims, including those identified at Def Con, have enabled access to customer accounts, agronomic data, dealer accounts, or sensitive personal information," the company says. John Deere went on to say that “contrary to claims made at Def Con, none of the issues identified by the security researchers would have affected machines in use," according to The Security Ledger.
Def Con presentations are vetted by security experts before acceptance. It is also common for companies and security researchers to be somewhat at odds over the potential impacts of flaws. Sick Codes tells Information Security Media Group that John Deere should "be honest" and turn the situation into a positive one. "Own up to it," they emphasized.
John Deere's tractors may not look terribly different than tractors from 40 years ago, but there is a big difference: Everything is computerized. Like modern vehicles, farm equipment runs highly complex, embedded and proprietary software that connects to the Internet. John Deere's equipment constantly transmits data to the cloud, such as information about when a farmer sits in a cab, moisture levels in the soil and gauges of the size of a harvest. Data has always been critical to farming, but it is being collected now with unprecedented scale for smart farming or precision agriculture. That allows farmers to reduce costs by, for example, using less pesticide and increase yields.
In March 2016, the FBI issued a warning that the agricultural sector's increasing dependence on technology increased the potential for cyberattacks. "Farmers need to be aware of and understand the associated cyber risks to their data, including digital management tool and application developers and cloud service providers, and develop adequate cybersecurity and breach response plans," the FBI said five years ago.
Sick Codes' interest in the company started earlier this year after a colleague pointed out there were no CVEs for any John Deere products, an odd finding considering how the company has moved into technologies such as cloud computing. There has been some tension between Sick Codes and John Deere. After the research started earlier this year, Sick Codes tried to report security vulnerabilities to John Deere, but he says he received no response at first.
Sick Codes shared the information with ICS CERT, which is part of the US government's Cybersecurity & Infrastructure Security Agency, and it tried to contact John Deere. Also, one of Sick Codes' colleagues, a Chicago-based electronics and "right to repair" enthusiast, worked with him on disclosing the earlier bugs to John Deere. "I mean, it literally took us three weeks to get through to them [John Deere] to tell them they had a problem," he told ISMG in May. "I physically sent via FedEx, printed copies of our CVE reports to [John Deere's] chairman, the chief legal officer and the current CIO. The day after it arrived, the vulnerabilities were fixed."
John Deere, as well as many others in the tech industry, has been at odds with a growing "right to repair" movement that advocates greater access to diagnostic tools, manuals and software.
The access to John Deer's Operations Center would have allowed Sick Codes to remotely access farmers' tractors, using a support feature that Deere offers owners that, in the wrong hands, could be disastrous. For example, increasing the amount of chemicals could create a denial-of-service situation in a field. Dramatically increasing the amount of chemicals applied without alerting the farmer could make a field infertile, Sick Codes says. "You could permanently deny service to a farmer's crop by literally a few lines of malicious code," Sick Codes said in his presentation. Access to a tractor could have other malicious outcomes. Some tractors are autonomous, so a malicious person could direct the tractor, say, into a river or onto a highway. A tractor's electronic control unit could be set to work too hard and fail. More subtle attacks might cause the tractor to lay seed in a way that's slightly off target from where it is supposed to be.
Sakura Samurai found numerous other issues, including one with a system that John Deere uses to book loans of tractors and equipment called Machine Book. They discovered flaws that would allow them to book tractors, cancel orders and reassign equipment. The system was only open to employees and exposed some employee data.
Probing further, they also found they could dump the database via a SQL injection flaw. The database had around 1,000 rows. It contained all of the bookings ever made, user names, email addresses and more. Sick Codes says a John Deere competitor could get the personal details for influencers to whom the company has loaned out equipment.
Dear John, please help the over-all cyber integrity. At Red Sky Alliance, we can help cyber threat teams with services beginning with cyber threat notification services, and analysis.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
[1] https://www.bankinfosecurity.com/flaws-in-john-deere-systems-show-agricultures-cyber-risk-a-17240
Comments