Security researcher take-down of John Deere - "no security through obscurity"

Epic thread by Cory Doctorow centring on this research by “Sick Codes” revealing deep and massive insecurities in John Deere’s tractor software.

John Deere has long been very anti-Right to Repair, saying that they license the software to farmers. (Farmers of course own the hardware and have no choice about what software to use. So do they really own the tractors?) One of John Deere's stated reasons has been to prevent tampering. For example, they claim users might use software to defeat the air quality settings in the tractor, among other things.

But now researchers have revealed severe vulnerabilities with very little effort. When they started on this journey, there was no way for them to formally report to John Deere. The story is quite hilarious in and of itself. However, it is also potentially quite dangerous that malicious actors could control the largest fleet of tractors in the US.

Reminds me of what Secure Repairs says: "there is no security through obscurity".

BTW if you know people working in infosec who would like to campaign for Right to Repair, send them to Secure Repairs.
