
John Deere Harvests Def Con Mockery for Lax Web Security

3 years ago thenewstack.io

Summary: This is a summary of an article originally published by The New Stack.

Agricultural equipment giant John Deere left an extremely sensitive Okta-generated digital certificate on a public-facing website, potentially jeopardizing the security of a whole range of remotely accessible farm equipment, according to anonymous independent researcher Sick Codes, in a presentation last week for Def Con 29. The set of vulnerabilities demonstrates the work that agricultural equipment providers, as well as other Industrial Internet-of-Things equipment manufacturers, still must do to adequately secure their internet-connected equipment.
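The failure described above, PEM-encoded key or certificate material sitting in content a web server will happily serve, is easy to catch before it goes public. The scanner below is an added example written for this page, not code from The New Stack, Sick Codes, or John Deere: it walks a web root, finds PEM blocks by their BEGIN/END markers, and grades each hit (a private key is a confirmed secret leak; a bare certificate is not secret by itself but still reveals identity-provider details that should not be published). The sample files it builds are constructed, with placeholder bodies rather than real keys.

```python
"""Scan a web root for PEM-encoded material (certificates, private keys).

Added example, not code from the article or the researcher it covers.
The regex, the severity labels and the sample web root are this
example's own assumptions; no real key or certificate is embedded.
"""
import re
import tempfile
from pathlib import Path

# A PEM block: a BEGIN line, an arbitrary body, and the matching END line.
# The backreference (\1) ties the END label to the BEGIN label so a stray
# "-----END" of a different type cannot close the block.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z][A-Z0-9 ]*?)-----(.*?)-----END \1-----",
    re.DOTALL,
)

# Labels whose presence on a public host is a confirmed secret leak.
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY", "PGP PRIVATE KEY BLOCK",
}

# Public material: not a secret, but it still discloses IdP/SAML details
# and usually has no business in a web root.
PUBLIC_LABELS = {"CERTIFICATE", "CERTIFICATE REQUEST", "X509 CRL"}


def find_pem_blocks(text):
    """Return the PEM labels found in text, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def classify(label):
    """Map a PEM label to a severity string (assumed scale: high/medium/low)."""
    if label in PRIVATE_KEY_LABELS:
        return "high"
    if label in PUBLIC_LABELS:
        return "medium"
    return "low"


def scan_webroot(root):
    """Walk root and return (relative path, PEM label, severity) tuples."""
    findings = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            # errors="ignore" lets us skim binaries without crashing.
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        for label in find_pem_blocks(text):
            rel = path.relative_to(root).as_posix()
            findings.append((rel, label, classify(label)))
    return findings


def build_sample_webroot():
    """Construct a throwaway web root with one clean file, one certificate
    pasted into client-side JavaScript, and one forgotten key backup."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<html><body>Hello</body></html>\n")
    (root / "assets").mkdir()
    (root / "assets" / "app.js").write_text(
        "const idpCert = `-----BEGIN CERTIFICATE-----\n"
        "MIIBFAKECERTBODY\n"
        "-----END CERTIFICATE-----`;\n"
    )
    (root / "backup").mkdir()
    (root / "backup" / "server.key.bak").write_text(
        "-----BEGIN PRIVATE KEY-----\nMIIEFAKEKEYBODY\n-----END PRIVATE KEY-----\n"
    )
    return root


if __name__ == "__main__":
    for rel, label, severity in scan_webroot(build_sample_webroot()):
        print(f"[{severity}] {rel}: {label}")
```

Run it against the directory a deploy actually publishes (the built artefact, not the source tree), since the leak in the article came from what the web server exposed, not from what was checked in.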

A fellow researcher sent Sick Codes five Cross Site Scripting (XSS) vulnerabilities which, they found, gave them entry to the John Deere website and its associated databases.

This ease of access from a website is problematic given how aggressively John Deere has been moving to equip its industrial tractors with remote control and data-gathering capabilities.

The equipment also collects operational data, uploaded both to the farmer and to John Deere itself, which could provide detailed information about what crops are being planted.
