Please note that all submissions to the site are subject to the wiki's licence, CC 4.0 BY-SA, as found here
John Deere security flaws exposed sensitive customer information: Difference between revisions
Start of video article |
Expand immediate aftermath of the incident |
||
| Line 1: | Line 1: | ||
A number of security flaws in the software [[John Deere]] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment, according to a security researcher who found the vulnerabilities<ref name=":0">https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/</ref>. Although John Deere confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information"<ref name=":0" />. This was not true according to the security researcher, explaining that on newer farm equipment he was able to see the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number<ref name=":0" />. | A number of security flaws in the software [[John Deere]] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment, according to a security researcher who found the vulnerabilities<ref name=":0">https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/</ref>. Although John Deere confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information"<ref name=":0" />. This was not true according to the security researcher, explaining that on newer farm equipment he was able to see the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number<ref name=":0" />. | ||
Besides the security flaws, another major part of the controversy was about the way John Deere handled the reporting of security flaws. The researcher claimed it was researched with a developer account, and the current terms and conditions<ref>https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/</ref> for disclosing were followed, but were removed after the incident, among other issues like the previously mentioned downplaying of the impact<ref>[[Louis Rossmann - Video Directory]]: [https://www.youtube.com/watch?v=hqablgjQ02g John Deere security flaw exposed address of every customer & more!]</ref>. | Besides the security flaws, another major part of the controversy was about the way John Deere handled the reporting of security flaws. The researcher claimed it was researched with a developer account, and the current terms and conditions<ref>https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/</ref> for disclosing were followed, but were removed after the incident, among other issues like the previously mentioned downplaying of the impact<ref name=":1">[[Louis Rossmann - Video Directory]]: [https://www.youtube.com/watch?v=hqablgjQ02g John Deere security flaw exposed address of every customer & more!]</ref>. | ||
In the immediate aftermath of the incident, John Deere posted a spate job openings for embedded cyber security engineers to “drive | In the immediate aftermath of the incident, John Deere posted a spate job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development.” and “develop threat models using industry best practices<ref>https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/</ref>. Also close after the incident, John Deere writes "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe<ref name=":2">[[Louis Rossmann - Video Directory]]: [https://www.youtube.com/watch?v=rB_SleNKBus John Deere instigates hackers, gets hacked again]</ref>. John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article"<ref>https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world</ref>. But that is not true because the researcher claims they could access the data<ref name=":0" /><ref name=":1" /><ref name=":2" />. | ||
Quite a bit later in 2024, John Deere has also partnered up with HackerOne<ref>https://www.hackerone.com/</ref> to enhance collaborative relationships with security researchers<ref>https://www.deere.com/en/our-company/digital-security/hackerone-program/</ref>. | |||
== References == | == References == | ||
Latest revision as of 21:47, 18 January 2025
A number of security flaws in the software John Deere provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment, according to a security researcher who found the vulnerabilities[1]. Although John Deere confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information"[1]. This was not true according to the security researcher, explaining that on newer farm equipment he was able to see the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number[1].
Besides the security flaws, another major part of the controversy was about the way John Deere handled the reporting of security flaws. The researcher claimed it was researched with a developer account, and the current terms and conditions[2] for disclosing were followed, but were removed after the incident, among other issues like the previously mentioned downplaying of the impact[3].
In the immediate aftermath of the incident, John Deere posted a spate job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development.” and “develop threat models using industry best practices[4]. Also close after the incident, John Deere writes "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe[5]. John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article"[6]. But that is not true because the researcher claims they could access the data[1][3][5].
Quite a bit later in 2024, John Deere has also partnered up with HackerOne[7] to enhance collaborative relationships with security researchers[8].
References[edit | edit source]
- ↑ 1.0 1.1 1.2 1.3 https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/
- ↑ https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/
- ↑ 3.0 3.1 Louis Rossmann - Video Directory: John Deere security flaw exposed address of every customer & more!
- ↑ https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/
- ↑ 5.0 5.1 Louis Rossmann - Video Directory: John Deere instigates hackers, gets hacked again
- ↑ https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world
- ↑ https://www.hackerone.com/
- ↑ https://www.deere.com/en/our-company/digital-security/hackerone-program/
