Monday, June 07, 2021

ANS -- John Deere's dismal infosec

Here is an interesting article about a predatory monopolistic company that has no real concern for cybersecurity, but won't let anyone else fix its flaws either. It's from Cory Doctorow's page.
--Kim



John Deere's dismal infosec

As far back as 2015, the agribusiness monopolist John Deere was taking steps to ban farmers from fixing their own tractors, arguing that copyright law made trafficking in tools to effect these repairs a felony.

https://web.archive.org/web/20150428173001/https://www.theglobeandmail.com/technology/how-digital-rights-management-keeps-value-in-hands-of-the-manufacturer/article24130876/

The company took this to the US Copyright Office, saying that farmers couldn't fix their tractors because they don't own them, despite paying hundreds of thousands of dollars for them – software in tractors means they can only be licensed, not owned.

https://www.wired.com/2015/04/dmca-ownership-john-deere/

Deere bolstered this argument with a paternalistic warning that farmers are just not qualified to service tractors, prompting electronics specialist Willie Cade – grandson of a legendary Deere engineer – to speak out against the company.

https://securityledger.com/2019/03/opinion-my-grandfathers-john-deere-would-support-our-right-to-repair/

Cade explained that his grandfather Theo Brown – who filed 158 patents for Deere – got all of his ideas by going into the field and observing the modifications that farmers had made to their tractors.

It is not – and has never been – the case that Deere invents stuff that farmers use. It's the opposite. Farmers invent stuff, Deere commercializes it and sells it to other farmers. Farmers harvest their crops with Deere tractors, and Deere harvests FARMERS with them.

Stealing the Right to Repair from farmers was just the curtain-raiser for Deere's ban on modifying tractors, though. The real money is in stealing data that's generated when farmers drive their Deere tractors around their fields.

https://techcrunch.com/2016/07/06/the-land-grab-for-farm-data/

This data – a centimeter-accurate grid documenting soil density and moisture – is sold back to the farmers who created it as part of a "precision agriculture" package that comes with seeds from tyrants like Bayer, the new owner of Monsanto.

Far more grandiose, though, is Deere's plan to aggregate this misappropriated data and mine it for market intelligence about crop yields, which can be sold into the agricultural futures market for billions.

The next time someone says "If you're not paying for the product, you're the product," remember Deere and farmers. Farmers spend hundreds of thousands on tractors and they're still the product. Slapping a pricetag on a monopoly doesn't make markets – it makes rent-extraction.

I've been in Copyright Office meetings where Deere and other embedded systems makers (notably car-makers) have claimed that they HAVE to lock down their systems to protect their customers from cyber-attacks.

But for that to be true, these companies would have to actually protect their customers from cyberattacks, and that's not the case, as is evidenced by Sickcodes's research on Deere's digital infrastructure, which Willie Cade contributed to.

https://sick.codes/leaky-john-deere-apis-serious-food-supply-chain-vulnerabilities-discovered-by-sick-codes-kevin-kenney-willie-cade/

Sickcodes signed up for a free developer account with Deere and began probing the system. Within hours, they had discovered serious flaws in both Deere's website and mobile apps. For example, they were able to retrieve the names and addresses of farmers from the website.

They also proposed a method for automating this attack, which would allow them to extract the names, addresses and other personal information of every John Deere customer, including the make and model of their equipment, which would facilitate over-the-air attacks on the tractors themselves.
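As an added illustration (not Deere's code, not code from the Sick Codes write-up, and not a description of the actual API): the bug class described above is an authenticated lookup that never checks whether the record belongs to the caller, so any free developer account can walk the ID space. The block below shows that weak lookup, a hardened version that enforces ownership and throttles callers who touch many IDs or collect many denials, and the enumeration loop the "automated attack" amounts to. The customer records, client identifiers and thresholds are constructed for the example.

```python
"""Illustrative only: a leaky account-lookup endpoint beside a hardened one.
Hypothetical data and client IDs; nothing here describes a real API."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records (hypothetical customers, not real people).
# owner_client is the developer account entitled to read the record.
CUSTOMERS = {
    1001: {"name": "A. Farmer", "address": "1 Field Rd", "owner_client": "dev-alice"},
    1002: {"name": "B. Grower", "address": "2 Prairie Ln", "owner_client": "dev-bob"},
    1003: {"name": "C. Planter", "address": "3 Silo Way", "owner_client": "dev-carol"},
}


def lookup_weak(client_id, customer_id):
    """Vulnerable pattern: the caller is authenticated (any free developer
    account will do) but the record's ownership is never checked, and a
    miss is distinguishable from a hit, so the ID space can be walked."""
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        return None
    return {"name": rec["name"], "address": rec["address"]}


@dataclass
class EnumerationGuard:
    """Per-client counters: a caller that touches many distinct IDs, or
    racks up denials, is enumerating rather than using its own account."""
    max_distinct: int = 5
    max_denied: int = 3
    seen: dict = field(default_factory=lambda: defaultdict(set))
    denied: dict = field(default_factory=lambda: defaultdict(int))

    def record(self, client_id, customer_id, allowed):
        self.seen[client_id].add(customer_id)
        if not allowed:
            self.denied[client_id] += 1

    def is_enumerating(self, client_id):
        return (len(self.seen[client_id]) > self.max_distinct
                or self.denied[client_id] >= self.max_denied)


def lookup_hardened(client_id, customer_id, guard):
    """Ownership check plus enumeration throttle. 'No such record' and
    'not your record' return the same body so hits cannot be told from misses."""
    if guard.is_enumerating(client_id):
        return {"error": "rate_limited"}
    rec = CUSTOMERS.get(customer_id)
    allowed = rec is not None and rec["owner_client"] == client_id
    guard.record(client_id, customer_id, allowed)
    if not allowed:
        return {"error": "not_found"}
    return {"name": rec["name"], "address": rec["address"]}


def enumerate_ids(lookup, client_id, id_range):
    """What the automated attack amounts to: walk an ID range with one
    account and keep every record that comes back."""
    found = {}
    for cid in id_range:
        r = lookup(client_id, cid)
        if r and "error" not in r:
            found[cid] = r
    return found


def demo():
    """Returns (records leaked by the weak endpoint, records returned by the
    hardened one, whether the guard flagged the caller)."""
    weak = enumerate_ids(lookup_weak, "dev-bob", range(1000, 1010))
    guard = EnumerationGuard()
    hard = enumerate_ids(lambda c, i: lookup_hardened(c, i, guard),
                         "dev-bob", range(1000, 1010))
    return len(weak), len(hard), guard.is_enumerating("dev-bob")


if __name__ == "__main__":
    print(demo())  # weak endpoint leaks every record; hardened returns only the caller's own
```

The same ten-ID sweep leaks all three records through the weak endpoint, while the hardened endpoint returns only the caller's own record and throttles the account after its third denial. The indistinguishable error body matters as much as the ownership check: if misses and denials differ, a caller can still map which IDs exist.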

The bugs that Sickcodes located are incredibly obvious and suggest that Deere's security is totally incompetent. This is especially grim in light of the fact that Deere has never submitted a single bug to the US government's CVE database of serious flaws.

A quote from Darpa's Molly Jahn in Security Ledger gives a sense of the gravity of the situation: "We can easily imagine timed interference with planting or harvest that could be devastating."

https://securityledger.com/2021/04/deere-john-researcher-warns-ag-giants-site-provides-a-map-to-customers-equipment/

Deere monopolized the ag-tech market with badly secured products that put the US food supply at serious risk. It operates no vulnerability disclosure program, and it took legal measures to prohibit third parties from fixing its tractors to remediate the deadly flaws it ignores.

Deere argues that we can't trust third parties to service tractors because they might expose farmers to cyber-risk; but Deere itself is exposing those farmers to even graver risks.

Even if Deere had amazing cyber-security, we'd still want to be able to check its work and fix its mistakes. But it doesn't. Deere has prioritized securing its ability to harvest farmers over farmers' ability to harvest their crops.

(Image: Cryteria, CC BY, modified)

