Security Vulnerabilities In John Deere API Could Expose Tractor Customers

Farming isn’t immune to cyber threats, as some recently found bugs show. Specifically, two security vulnerabilities in the John Deere API could have exposed the personal data of customers who own John Deere tractors and other equipment.

John Deere Software Vulnerabilities

John Deere is an American agricultural and farming giant that manufactures heavy equipment, including tractors. The brand has been around for over a century (184 years) and has established itself as a dominant name in the sector.

Despite its move into connected, software-driven equipment, the brand had not previously drawn attention for cybersecurity issues.

Recently, however, a researcher highlighted two vulnerabilities in the John Deere API that could have exposed farmers’ personal data.

Briefly, a researcher using the alias Sick Codes found that the API revealed the personal details of farmers and owners of John Deere tractors. These details included users’ full names, company names, addresses, subscription start dates, and Vehicle Identification Numbers (VINs).

The researcher has shared the details of his findings in his post.

Vendor’s Response

After finding the bugs, the researcher tried to disclose them responsibly to the vendor. However, he noticed that the firm had no vulnerability disclosure program, so he reached out by email.

Out of caution, and fearing that the bugs could “jeopardize the US food security supply chain”, he also reported the matter to the US DHS.

The researcher noted that the firm fixed the bugs within 72 hours.

John Deere has also confirmed the same to Motherboard via a statement.

We were recently made aware of two code misconfigurations in separate online applications. We immediately investigated, and the misconfigurations were remediated. Neither misconfiguration enabled access to customer accounts, dealer accounts, or sensitive personal information.

Yet the researcher did not have a good experience with John Deere, which he says also attempted to downplay his findings. As he told Motherboard,

I could see sensitive [Personal Identifying Information]… The fact that they’re trying to discredit me just shows how incompetent they are.

For users, the immediate threat appears to be over, since John Deere has fixed the bugs.

Still, the case shows that this sector needs to focus on cybersecurity and work with the security community, starting with a vulnerability disclosure program so that researchers have a defined channel for reporting bugs.
