At DEF CON 29, held in August, the services of Deere & Company, the world's largest manufacturer of agricultural machinery, were shown to be vulnerable to unauthorized access. Security company Kaspersky Lab has drawn attention to the finding by explaining the actual unauthorized access method and its impact.
Kevin Kenny, a member of the white-hat hacker group Sick.Codes, announced the unauthorized access technique against Deere & Company. He originally planned to obtain a developer account for Deere & Company's distribution service in order to verify the unauthorized access. However, he forgot the username of the account he had created, and said that when he tried entering multiple usernames on the account creation screen, he was able to check several times whether a username was already in use without being challenged by any complicated authentication. This led him to think that he could search for an unlimited number of usernames on the Deere & Company account creation page.
To test this hypothesis, he analyzed the Deere & Company account creation API and succeeded in writing a script that repeatedly calls the API that looks up a username. Using the script to search for 1,000 companies likely to have Deere & Company accounts, he found within 2 minutes that usernames for 192 of the 1,000 companies were in use.
Normally, an account creation system includes a mechanism to prevent such indiscriminate searches, but Deere & Company had no such mechanism. In addition, when Kenny tried to report the issue to Deere & Company, the vulnerability reporting process was unclear, and he ended up speaking with the person in charge several times. He then informed the company of the security vulnerability.
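The weakness described above is an unthrottled username availability check. As an added example (not code from the article, Sick.Codes or Deere & Company), the following Python script shows how a defender can spot this kind of enumeration in web server logs: it parses constructed combined-log-format lines for a hypothetical /api/usernames/check endpoint and flags any client that exceeds a threshold of checks inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (combined log format). The endpoint path
# /api/usernames/check and the client addresses are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2021:14:02:01 +0000] "GET /api/usernames/check?name=acmefarms HTTP/1.1" 200 31
203.0.113.5 - - [10/Aug/2021:14:02:02 +0000] "GET /api/usernames/check?name=greenvalley HTTP/1.1" 200 31
198.51.100.7 - - [10/Aug/2021:14:02:05 +0000] "GET /api/usernames/check?name=mylogin HTTP/1.1" 200 31
203.0.113.5 - - [10/Aug/2021:14:02:03 +0000] "GET /api/usernames/check?name=sunrisecoop HTTP/1.1" 200 31
203.0.113.5 - - [10/Aug/2021:14:02:04 +0000] "GET /api/usernames/check?name=prairieag HTTP/1.1" 200 31
198.51.100.7 - - [10/Aug/2021:14:02:12 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.5 - - [10/Aug/2021:14:02:06 +0000] "GET /api/usernames/check?name=riverbend HTTP/1.1" 200 31
198.51.100.7 - - [10/Aug/2021:14:02:40 +0000] "GET /api/usernames/check?name=mylogin2 HTTP/1.1" 200 31
203.0.113.5 - - [10/Aug/2021:14:02:08 +0000] "GET /api/usernames/check?name=hillsidegrain HTTP/1.1" 200 31
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
CHECK_PATH = "/api/usernames/check"  # hypothetical availability-check endpoint

def parse_line(line):
    """Return (ip, timestamp, path-without-query) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]

def detect_enumeration(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak_checks_in_window} for clients whose number of
    username checks inside any sliding window exceeds `threshold`."""
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == CHECK_PATH:
            events.append((parsed[1], parsed[0]))
    events.sort()  # logs are not guaranteed to be in time order
    windows, peak = defaultdict(deque), defaultdict(int)
    for ts, ip in events:
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop checks that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))  # {'203.0.113.5': 6}
```

The same per-client counter, enforced in front of the endpoint rather than read from logs afterwards, is the rate limit whose absence the article describes.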
According to Kaspersky Lab, recently developed agricultural equipment is designed so that various parts can be operated remotely. If agricultural machinery and its systems are hacked, attacks become possible such as setting the amount of chemical fertilizer applied to hundreds of times the normal amount, rendering the soil unusable for several years, or remotely cutting power to equipment to stop the harvesting process. Such attacks would not only harm the owners of the agricultural machinery but could also lead to a national food crisis. Related information can be found here.