
John Deere Harvests Def Con Mockery for Lax Web Security

Submitted by Style Pass, 2021-08-12 07:30:06

Agricultural equipment giant John Deere left an extremely sensitive Okta-generated digital certificate on a public-facing website, potentially jeopardizing the security of a whole range of remotely accessible farm equipment, according to anonymous independent researcher Sick Codes, in a presentation last week for Def Con 29.
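An exposure like the one described above is the kind of thing a routine crawl of one's own public-facing sites should catch before an outside researcher does. The following Python scanner is an added example, not code from the article or from John Deere: it flags PEM-encoded certificate or key material in crawled responses and ranks private keys above certificates; the hostnames, paths and base64 in the sample crawl are constructed.

```python
import re
from dataclasses import dataclass
# Any PEM block: -----BEGIN <LABEL>----- <base64 lines> -----END <LABEL>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----"
)
# Secret material is critical; public material is still worth review, since it
# reveals which identity provider and signing chain the site relies on.
CRITICAL_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                   "ENCRYPTED PRIVATE KEY"}
REVIEW_LABELS = {"CERTIFICATE", "PUBLIC KEY", "CERTIFICATE REQUEST"}

@dataclass(frozen=True)
class Finding:
    url: str
    label: str
    severity: str      # "critical", "review" or "info"
    base64_chars: int  # size of the block, useful for triage and dedup

def classify(label: str) -> str:
    if label in CRITICAL_LABELS:
        return "critical"
    return "review" if label in REVIEW_LABELS else "info"

def scan_response(url: str, body: str) -> list[Finding]:
    """One Finding per PEM block in a single response body."""
    findings = []
    for m in PEM_BLOCK.finditer(body):
        label = m.group("label")
        b64 = "".join(m.group("body").split())  # drop line wrapping
        findings.append(Finding(url, label, classify(label), len(b64)))
    return findings

def scan_site(responses: dict[str, str]) -> list[Finding]:
    """Scan a crawl (url -> body) and return findings, most severe first."""
    rank = {"critical": 0, "review": 1, "info": 2}
    found = [f for url, body in responses.items() for f in scan_response(url, body)]
    return sorted(found, key=lambda f: (rank[f.severity], f.url))

# Constructed sample crawl: fake hostnames and fake base64, not real data.
SAMPLE_CRAWL = {
    "https://portal.example.test/": "<html><body>Sign in</body></html>",
    "https://portal.example.test/sso/idp.xml":
        "<X509Certificate>-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIU\n"
        "QUJDREVGR0hJSktMTU5P\n-----END CERTIFICATE-----</X509Certificate>",
    "https://portal.example.test/static/backup.txt":
        "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0B\n-----END PRIVATE KEY-----",
}
```

Feed it the body of every response from a crawl of your own sites (static assets, backups and SSO metadata included) and treat any "critical" finding as an incident requiring key rotation, not just removal of the file.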

The set of vulnerabilities demonstrates the work that agricultural equipment providers, as well as other Industrial Internet-of-Things equipment manufacturers, still must do to adequately secure their internet-connected equipment. It’s a laxness that may jeopardize our very own food supply, Codes warns.

The vulnerabilities used to bootstrap into the website weren’t even particularly new. A fellow researcher sent Codes five cross-site scripting (XSS) vulnerabilities they had found, which gave the pair entry to the John Deere website and its associated databases. After being contacted about these vulnerabilities, the company granted the duo “safe harbor” under its HackerOne program, letting them research the site further without legal repercussion.

“Hey it’s really weird that there’s no CVEs in John Deere’s products…” — @sickcodes, on vulnerabilities in agricultural #IOT. @defcon @JohnDeere https://t.co/YD3OEJHVQS #security pic.twitter.com/akaQRz90mR
