John Deere Harvests Def Con Mockery for Tired Web Security
Agricultural equipment giant John Deere left an extremely sensitive Okta-generated digital certificate on a public-facing website, potentially jeopardizing the security of a whole range of remotely accessible farm equipment, according to anonymous independent researcher Sick Codes, in a presentation last week for Def Con 29.
The set of vulnerabilities demonstrates the work that agricultural equipment providers, as well as other Industrial Internet-of-Things equipment manufacturers, still must do to adequately secure their internet-connected equipment. It’s a laxness that may jeopardize our very own food supply, Codes warns.
The vulnerabilities used to bootstrap into the website weren’t even particularly new. A fellow researcher sent to Codes five Cross Site Scripting (XSS) vulnerabilities that they found gave them entry to the John Deere website and associated databases. After being contacted about these vulnerabilities, the company granted the duo “safe harbor,” under its Hacker One program, letting them further research the site without legal repercussion.
“Hey it’s really weird that there’s no CVEs in John Deere’s products…” — @sickcodes, on vulnerabilities in agricultural #IOT. @defcon @JohnDeere https://t.co/YD3OEJHVQS #security pic.twitter.com/akaQRz90mR
— Joab Jackson (@Joab_Jackson) August 6, 2021
“What it shows you is that [John Deere] are not taking into consideration basic vulnerabilities,” Codes said.
One DOM-based XSS gave them entry into a web page for the company’s portal for suppliers. Though the usual round of penetration testing (pentesting), the researchers found that providing a purchase order number would garner a list of information about that purchase, and entering random invoice numbers in provided some helpful navigation information about the backend IBM DB2 database.
The site also provided access to an employee education site and a page for booking demonstration units. Here attackers could book units, cancel appointments, reassign tractor deliveries. They were able to pull every single database row for every piece of equipment, along with the emails of everyone who booked these units.
The site also had a messaging server from Pega, with a default administrator password that, if not changed could be used by an attacker to gain full access. Such access allowed Codes and his cohorts the ability to collect all the interesting info on that site, including administrator passwords and a security audit log, which should not be accessible to outsiders.
This is also where they found the Okta signing certificate, complete with the original decryption password.
Such a cert could be used elsewhere in the John Deere network to upload or download any files to a John Deere user, or log in as any user, destroy data, log into third party accounts. “We could literally do whatever the heck we wanted with anything we wanted on the John Deere Operation Center,” Codes speculated.
This ease of access from a website is problematic given how aggressively that John Deere has been moving to equip their industrial tractors with remote control and data gathering capabilities. Remote control capabilities could include the ability to spray fertilizer on crops, plant seeds, direct self-propelled tractors. Likewise, the equipment collects operational data, uploaded both to the farmer and to John Deere itself, which could provide detailed information about what crops are being planted.
So not only would weak security open the door to not only potentially malicious actions from random attackers — such as driving a piece of farming equipment into a river — but also more coordinated state-sponsored attacks that could cripple a country’s food supply, Codes warned.