[HN Gopher] Bugs allowed hackers to dox John Deere tractor owners
___________________________________________________________________
Author : arkadiyt
Score : 243 points
Date : 2021-04-22 14:56 UTC (1 days ago)
Source: www.vice.com
| cosmodisk wrote:
| The problem with a lot of these old school companies is that any
| development work would always be treated as 2nd tier. Very very
| few, if any, CEOs will go to their boards and admit that they've
| been behind with their tech for years and it'd take a lot of
| stones to move to change the way things are done. We all know
| them: crappy pay, work conditions similar to the comedy shows
| about office work, etc.
| universa1 wrote:
| Hmm... from personal experience I know that John Deere has
| multiple development centers around the world that definitely
| do development on the edge of what is possible, and pushing
| that frontier...
|
| Disclaimer: Not in any way associated/involved with John Deere.
| DetroitThrow wrote:
| >edge of what is possible, and pushing that frontier...
|
| While I understand JD has been ahead of other tractor
| manufacturers (electric, autonomous), the industry hasn't
| been anywhere close to on pace with the research investments
| made in these areas where the consumer auto industry has
| actually been pushing the frontier in research investment in
| these spaces for some time now - seems more like riding the
| wave than contributing to "frontier pushing" from their
| comparative R&D investment in these areas.
|
| That's not even to mention that it's not out of the
| imagination or even common experience to have a sitcom-tier
| office workplace where "interesting (to management)" teams
| are over-resourced while teams in charge of features that are
| less "interesting" but similarly important to user experience
| are under-resourced, seemingly in this case infosec. It's a
| common pattern of a company that may have lost sight of the
| customer, and in this case they exposed customer data.
|
| Disclaimer: not related to JD, competitors, or research
| mentioned in this post, but have experience with JD tractors
| and them being years behind on engineering but years ahead on
| right-to-repair advocacy.
| vsareto wrote:
| Consumer auto has different problems it needs to solve. A
| vision based system would be a waste of an investment when
| you have a field with basically no obstacles, and certainly
| no people and cars and traffic signs. It's closer to an
| aircraft autopilot in that respect.
| vsareto wrote:
| Idk about you, but self-driving tractors seem a bit better than
| 2nd tier developers. Some teams might be lower-end, which
| almost always happens at large companies. Many of them also
| integrate with the tools they're attached to. It's definitely
| not just line of business apps.
| kebman wrote:
| Is owning John Deere tractors somehow controversial, since
| they're talking about how owners were "doxed"? Is there a special
| place on the web where we can laugh at the hall of shame of John
| Deere tractor owners? Jokes aside, John Deere are pretty good
| tractors tho. Very common among farmers here in Norway. ^^
| arwhatever wrote:
| "Oh no, now I'm ruined!" :-)
| Black101 wrote:
| John Deere tractor owners have to be especially good at fixing
| stuff if they want to fix their own machinery, because like
| phone manufacturers, John Deere tries to block their customers
| from fixing their own machines.
| skinkestek wrote:
| > Very common among farmers here in Norway. ^^
|
| Another question: are Norwegians overrepresented here on HN?
| I've been wondering this for a while but I'm unsure if it is
| that or if I just happen to notice everyone who in any way
| signals that they are Norwegian.
|
| (Yes, I live in Norway too.)
| shsvsjx wrote:
| Well, Norwegians are probably more overrepresented than their
| share of the world population would suggest:
|
| 1. Northern Europeans tend to speak excellent English.
| Flawless English is the norm, anyway much better than people
| from my native countries.
|
| 2. Northern Europeans tend to have excellent technical skills
| compared to the world average.
|
| While both points help y'all's participation in HN, I think
| point 1 is the most important of the two. I rarely encounter
| comments from native Japanese or Koreans, even though their
| populations are much larger than Norway's. Typically the
| commenters have since moved to the US. I do, however,
| encounter non-IT ppl on HN that are very curious (and
| typically have interesting backstories). I especially enjoy
| the occasional comments from diesel mechanics.
|
| But you also have a strong observational bias. While the
| probability of seeing a Ferrari isn't too low, the P of seeing
| two Ferraris next to each other is very low... unless you
| happen to be driving one of the two Ferraris. Add to that
| that a car lover (i.e. a Norwegian) is much more likely to notice
| the Ferrari (other Norwegians).
| kebman wrote:
| Well _Skinkestek_ is pretty hard to miss for other
| Norwegians. It means "Ham steak" in my language. :D Which
| reminds me... I have some in the fridge. Gonna roast it
| this weekend. Yum!
| LeifCarrotson wrote:
| I think the author was using "doxxed" to mean "discovered the
| ability to expose personal identifying information of", rather
| than "exposed personal identifying information with the intent
| to shame by publicizing said PII". I agree that's not a very
| accurate usage.
|
| They're only slightly controversial here in the Midwestern US.
| Somewhat like Harley Davidson motorcycles, their users are
| highly brand loyal due more to historical factors than a modern
| quality or value comparison. Their owners can be derided for
| overpaying for underperforming tractors that can only be
| repaired by a dealer for exorbitant fees; the smart money is
| buying Kubota or Agco now. Though like a Honda rider in a biker
| bar, you want to be careful where you say that.
| cat199 wrote:
| I sometimes think John Deere and Harley and to a lesser
| extent Ford/Chevy are basically Americana cults with
| merchandising and machinery sales attached
| harveywi wrote:
| Now every litigious John Deere owner will also have a Case.
| jjtheblunt wrote:
| Excellent pun !
| kickout wrote:
| The lack of replies shows me how few 'farm oriented' people
| browse HN...Top notch pun
| salawat wrote:
| ...I only caught the legal connection, and assumed the Case
| was a capitalization error...
|
| Care to clue in someone whose cultivation experience
| terminates at a roto-tiller---
|
| Goddamnit. Nevermind. Just clicked. Well played.
| joshmanders wrote:
| I just saw it and truly appreciate it as a former farm kid
| who also got to "enjoy" 8 months working at John Deere here
| in Iowa, it gave me a hearty chuckle.
| bane wrote:
| For those in the big tech scene...it's not so weird to have
| technology in farm equipment. In fact, I _just_ listened to a
| podcast about a software developer who had spent time working for
| the welding division of Caterpillar where they worked on some R&D
| problems over the last 40 years that are still not solved.
| protomyth wrote:
| Yeah, a lot of farmers are willing to try new things. The local
| farmers (ND outlaws corporate farming) bought a pretty
| expensive drone that has got to be about 5 ft across. Heck,
| combines are not exactly low tech these days.
| DavidPeiffer wrote:
| I'd be curious for the podcast link if you have it handy.
| tims33 wrote:
| So many of these old school industrial companies that are getting
| into IoT will have these issues. Who is building the Stripe for
| old school industrials going into IoT? I'm sure someone is
| building that Comoros.
| tryonenow wrote:
| This is arguably dangerous because I imagine tractor ownership is
| a strong prior for prediction of political affiliation. Just one
| of the many exploitable dangers of mass privacy invasion.
| HEHENE wrote:
| Having worked on a John Deere integration for an agtech company I
| can't say I'm surprised. The MyJohnDeere API had a lot of
| idiosyncrasies that smelled like inexperienced or mismanaged
| development, especially around authentication/authorization.
|
| At the time I was working on it they had some extremely arcane
| authentication process that required round-trip emails, various
| link clicking and code entering, and all kinds of craziness.
| Toward the end of my tenure our point of contact finally told us
| they were moving to OAuth but they had nearly zero documentation
| on it.
|
| For anyone who isn't knowledgeable in the farming space, I'd
| highly recommend a browse through John Deere's API documentation
| [0]. Before the agtech gig I hadn't really given it a second
| thought, but modern farms are very high tech operations. Really
| cool stuff happening in agtech.
|
| [0] https://developer-portal.deere.com/#/myjohndeere/api-
| invento...
| nightowl_games wrote:
| We need a new word for these high tech massive farming
| operations. I come from the Canadian farming sector. Most of
| the farmers here are individuals, or medium sized family
| operations. Even the big farms aren't "high tech". There's just a
| lot of guys and a bunch of leased machines. We have essentially
| 0 "high tech" farms.
|
| I wouldn't say "modern farms are very high tech operations",
| I'd say "high tech industrial players are in the process of
| taking over western agriculture".
|
| The word "farm" means something special to me, as I was born and
| raised on one. What you're talking about is something completely
| different.
| MAGZine wrote:
| I'm curious to know what your standards for high tech are. I
| know that there are many farms in southern Alberta who
| regularly get the latest farming equipment which includes
| John Deeres that drive themselves.
|
| Hell, Lethbridge is home to at least one successful agtech
| biz, if not more. They're flying drones to analyze weed cover
| and optimize spraying based on positional data.
|
| It can be very high tech. I don't know why you're saying
| that it doesn't exist. It's happening in Canada literally
| right now.
|
| That said a lot of these are for medium to large operations.
| Despite high tech, farmers who farm smaller plots generally
| have better yield. The automation has basically just let
| business expand into larger operations they might not
| otherwise have manpower or expertise to cover.
| commentingbadly wrote:
| > There's just a lot of guys and a bunch of leased machines.
| We have essentially 0 "high tech" farms.
|
| I think OP might mean that these "high tech farms" are less
| like farms and more like movie studios. The tractor makers
| and the bank are acting like a movie studio. They are
| running a production in a certain area, with certain high
| tech equipment, with certain subleases on land for a
| certain number of years. There is no one driving vision and
| keeping the flame of what high tech should be. It's more
| like, "let's get this soy to market in the new way that is
| 7% cheaper before the other team does." Just a guess on
| what OP means
| cronix wrote:
| > What you're talking about is something completely different.
|
| I wonder if farmers felt the same way when tractors first
| started coming onto the scene replacing ox/horses and a plow,
| or combines, or grain carts, or seed drills, or...
|
| Did you grow up using any of that at-the-time "high tech"
| equipment? It was high tech at some point, now just common
| tech. At what point is something considered "high tech?" If
| you were born in the age of cell phones, are they considered
| high tech, or just common tech you can find on any street
| corner like gumball machines? If you were born in the 1950's,
| does your opinion differ on cell phones from someone
| currently in their 20's who grew up with it and knew no other
| way?
|
| Technology fueled the Agricultural Revolution.
| https://www.thoughtco.com/agricultural-revolution-1991931
| hellbannedguy wrote:
| If a John Deere salesman knocked on that screen door 80
| years ago and said, "Mr. Farmer I have something that will
| make your life easier. The only drawback is when it breaks
| down, you can't buy parts, can't see repair documentation,
| and only pricy factory workers who live far away will be
| able to repair the machine at set rates."
|
| The farmer would have slammed the door, and fed his horses.
| cto_of_antifa wrote:
| To be fair, if you made the pitch that way to a farmer
| today they would as well - those points are all iffy.
|
| mostly, though, the nature of labor has completely and
| utterly changed in 80 years and comparing the two is like
| apples and oranges.
| salawat wrote:
| And yet... Deere still gets bought. So clearly someone
| isn't pointing out something they should be.
| analognoise wrote:
| Or the comparison is flawed, farmers aren't dumb and it
| makes economic sense to buy the Deere?
| cat199 wrote:
| > those points are all iffy.
|
| for tractors generally, maybe, but have read many things
| specifically about john deere being very DRM/anti repair,
| and a quick google seems to highlight that there are
| court battles being fought over exactly this right now.
|
| https://www.bloomberg.com/news/features/2020-03-05/farmer
| s-f...
| alricb wrote:
| Sovkhoz? That's what they called them in the soviet union.
| snarf21 wrote:
| For perspective, my parents both grew up on farms and I spent
| my summers on them. You are right but "farming" used to be a
| family with 3 acres and an ox and a plow. These small farms
| you lament are just as much a whole new world to the ox and
| plow as a 16/20 row combine that can process 150 acres a day
| is to your childhood. Efficiency comes from specialization
| which creates incentives for economies of scale. Software
| will continue to eat the world.
| universa1 wrote:
| hmm... having grown up on a farm in Germany and even though
| my father was only employed as the manager, it still felt
| more like "our" farm. It was definitely a big farm compared
| to the German average, but then that average also includes a
| lot of part-time/side-business farms, where.
|
| Despite the size, the general methods between a smaller and a
| larger farm are not that different imho. But the amount of
| tech in a modern tractor was and still is amazing, and at the
| time the average car was definitely not up to par.
| "automatic" GPS assisted driving, "laser" assisted driving
| (on harvesters). Beyond that, most of the "management" data
| was already digital 15 years ago, partly due to compliance
| requirements. And satellite imagery, soil samples, etc...
| were at least partly integrated.
|
| And I would still call this a farm! Times change, and
| clinging to the old times in some nostalgia doesn't help. (I
| don't want to imply that you do!)
|
| And on a slightly different perspective: I don't think bigger
| farms necessarily produce worse food, generate more
| externalities, etc... The processes are much more optimized,
| and at least I think the potential for better food with less
| externalities is with bigger farms. Also it is a somewhat
| bogus comparison: Mostly nobody complains that their car /
| laptop / smartphone comes from a factory, but for farming
| there is this strange preference for something of 50-100years
| past.
| GuB-42 wrote:
| > Also it is a somewhat bogus comparison: Mostly nobody
| complains that their car / laptop / smartphone comes from a
| factory, but for farming there is this strange preference
| for something of 50-100years past.
|
| It is not specific to farming. Handmade, artisan stuff
| sells well, even when it is objectively worse. And in
| general, people are more sympathetic to small businesses
| than big, faceless corporations. We value the human element
| I guess.
|
| As for food, we tend to equate big farms with everything
| bad with current agriculture, even if it doesn't have to do
| with it: crops bred for yield instead of taste/nutrition,
| monoculture with pesticides/herbicides, ... It is partly
| true because small, traditional farms tend to focus on
| quality and ethics/sustainability/... rather than price,
| because they can't compete on price.
| throwaway0a5e wrote:
| Who's we?
|
| I know a guy who can't go through a drive through without
| lecturing everyone in the car about how being able to get
| 400kcal for a buck and a half is an amazing feat of
| societal progress. But he's old and emigrated from Poland
| so...
|
| My example may be an outlier but there's plenty of people
| who are happy to get Chilean produce in January and don't
| care how much methane their 75/25 beef emitted. HN has
| the spare cash and brain cycles to care about a lot of
| things that normal people don't even think about.
| xaedes wrote:
| For comparison: A regular buck (the animal) may have
| something around 160,000 kcal.
| speeder wrote:
| I think this is because when an artisan makes something,
| usually you know he tried hard, even if it ends up being
| crap because of subpar skills.
|
| With industrialized products you know they want it cheap,
| resulting in crap product that didn't need to be crap.
|
| For example once I had to repair my Electrolux fridge,
| when I opened it up I saw two very nasty things: 1. the
| holes between parts were all misaligned, to the point it
| was impossible to insert the screws intended to go in
| them. 2. it was then glued with a ton of glue spread
| "randomly" all over the place, it was obviously shoddy.
|
| And the issue I had to fix in that fridge? They used the
| cheapest "defrost" button they could, one that
| notoriously got stuck often, so your fridge would stay in
| "defrost" mode forever and stop working, the solution was
| disassemble it, force the button back with a screwdriver,
| assemble it again... every time you used the button.
| galangalalgol wrote:
| As to distrusting large companies, I think that is an
| intuitive understanding we have that in any organization
| larger than 100 people, it is likely led by a sociopath.
| They gravitate towards positions of power, they have
| superficial charm that holds in large groups where you
| don't get to know people well, and they occur at about 1
| in 100.
| throwaway0a5e wrote:
| Even ignoring leaders, once you get beyond 100-200 people
| responsibility is necessarily divided up such that people
| stop being responsible _for_ the organization and start
| being responsible _to_ the organization. And then the
| organization does sociopathic things whether
| people want to or not. Even an organization's leaders
| are subject to this. After all 100s of people's paychecks
| depend on their decisions. The more people you add, the
| more you divide up responsibility, the more you remove
| the leaders from the customers, the worse it gets.
| anonymfus wrote:
| I like the idea of SMBC author Zach Weinersmith to repurpose
| the word "villain" for them, if I recall what he wrote on his
| Twitter correctly.
| ABeeSea wrote:
| So said the blacksmith's son watching the invention of the
| steel press.
|
| "High tech industrial players are in the process of taking
| over western forgery."
| TheTester wrote:
| The industrial revolution and its consequences...
| nightowl_games wrote:
| Ya and we don't call a factory a Blacksmith now do we?
|
| "Modern blacksmiths sure are big!"
| ABeeSea wrote:
| Blacksmith was a job. Forge was the location. And
| industrial forges are very, very large.
|
| Blacksmith:Farmer::Forge:Farm
| hinkley wrote:
| Foundries were a thing, but even those are giving way to
| factories, right?
|
| I mean, someone will always make stock, but fewer
| companies melt metal these days, or at the very least
| relative to those that carve it up or weld it together
| (which may or may not involve a little melting, given
| spin welding and other techniques).
| ABeeSea wrote:
| Foundries and forges are different things.
|
| A forge is closer to what you would call a manufacturing
| factory:
|
| https://en.m.wikipedia.org/wiki/Forging
|
| A foundry smelts. But it is also technically a factory
| for input material. In the same way a sawmill is a
| factory.
|
| https://en.m.wikipedia.org/wiki/Foundry
| InitialLastName wrote:
| Yeah, "factory" is really the general term for a facility
| that adds value to inputs at an industrialized scale. A
| lay person would call everything from a smelting plant to
| an electronics assembly floor a "factory" and not be
| wrong.
|
| From a pre-industrial blacksmith's perspective, the
| bigger distinction might be between a "factory" and a
| "shop". The processes involved are effectively the same;
| the difference is the scale/flexibility tradeoff (a shop
| can make different things every day without added
| overhead, where a "factory" gains enormous efficiency by
| being configured to do a single process).
| yurielt wrote:
| Should I remind you that the industrial revolution and
| its consequences have been a disaster for humanity? Do you
| really want to have the farm equivalent of Rockefellers and
| Fords?
| frosted-flakes wrote:
| Factory farm.
| newsclues wrote:
| Southern Ontario has farms tiling fields with high tech GPS
| tractors.
|
| Lots of tech for data and tracking
| louis___ wrote:
| > Really cool stuff happening in agtech.
|
| I don't know if I agree with you. These kinds of agtech farms
| tend to get heavy on pesticide use and tillage, which in the
| long term kills the ground life.
|
| And it leaves the farmers' hands tied when a bug happens:
| https://www.vice.com/en/article/xykkkd/why-american-farmers-...
| p_l wrote:
| They tend to be because it's cheap and easy to be this way.
|
| Meanwhile they are also the biggest levers if appropriately
| motivated (whether by extra legal or legal incentives) to use
| better solutions.
| bordercases wrote:
| > They tend to be because it's cheap and easy to be this
| way.
|
| This is descriptively correct - and stupidly unsustainable.
| Something like 1/3 of US topsoil has already been consumed.
|
| Your second claim is vaguely correct but doesn't have much
| insight.
| batmaniam wrote:
| Where would one find these kind of jobs? Practically all job
| boards I see just list standard companies doing ads, or
| whatever.
| vladmk wrote:
| Lol this was literally my reply
| throwaway894345 wrote:
| I've worked as a contractor for John Deere, and I can vouch for
| "inexperienced and mismanaged development". I was working on
| the embedded side of the business, not the API side. Some
| interesting observations:
|
| * John Deere didn't hire anyone for a Software Engineering job
| unless they were a licensed engineer, at least in the area that
| I worked in. This meant a lot of EE and CE majors were writing
| the software and they pretty much all viewed software dev as "a
| foot in the door" to do the hardware work to which they
| aspired. This may not have been true across the company
| (perhaps only in the area that I worked in) and it may not be
| true today.
|
| * This also manifested in a culture that was utterly divorced
| from the rest of the software industry. They're just moving
| from Subversion to git, much of their "CI/CD pipeline" was
| built with Windows .bat scripts and code generation via Excel
| files that take hours to run (I shit thee not). They build
| pretty much everything in-house from hardware to embedded
| operating systems, and their embedded codebases are littered
| with #ifdefs to conditionally compile different code snippets
| based on the specific model of tractor/combine/sprayer/etc and
| feature set that it is to be loaded onto. It's hard to put into
| writing how difficult this is to maintain.
|
| * They build everything in-house, but it's a big company and
| people just email around binaries for various development tools
| with no way to find the source code or even the author except
| to ask around. Submitting a patch to a dev tool is an enormous
| effort. Word is they're moving to GitHub, and I think it's
| going to be a game changer for developers.
|
| * Other than that, there's a long tail of other problems. IT
| seems to have management paranoid that if developers are too
| productive the hackers will steal their IP and the company will
| go under or something. So getting a server provisioned is a
| months-long affair and teams will occasionally just run a
| Jenkins server from a former coworker's desktop that IT forgot
| to pick up. There's a culture of "don't try to improve things
| that aren't immediately in your purview". They routinely pick
| tools that are abysmal to work with--I don't mean "everyone has
| different preferences", I mean "they bought SharePoint and made
| everyone use it, but didn't pay for the SharePoint consultants
| who program the software to be actually usable within an
| organization" (I'm generously assuming that it's possible to
| make SharePoint usable--I'm not sure this is the case).
|
| All of that said, John Deere has some _really cool_ problems
| that would be really fun to work on if not for all of their
| organizational issues. They had self driving tech years before
| anyone else, they have a vast array of vehicles that run these
| distributed networks of embedded controllers, they make their
| own hardware and software (which could be a lot of fun to work
| on if managed properly), they aspire to use ag data to improve
| yields and have a credible path forward (as opposed to the
| "step 1: use big data, step 2: profit!" sense). Additionally, I
| think they probably are innovative and well-run in many non-
| software respects, but I'm not qualified to comment.
|
| Similarly, for all of its issues (including hostility toward
| folks who want to repair their vehicles), I really want them to
| turn a corner and succeed because agtech is really cool and
| they're an American icon with an (increasingly tarnished)
| reputation for quality, innovation, and providing quality jobs.
| I wish them the best and maybe one day I'll apply and try and
| help from within.
| torh wrote:
| > Sick Codes said he could iterate and brute force all VIN
| numbers in the database, as they were "sequential," according to
| him
|
| Seems like they didn't think that people would enter someone
| else's VIN. A few years back I discovered that I could get
| activation code for a map update in my car simply by entering my
| VIN and the product number of the DVDs with the map update.
|
| They gave me a list to choose from when I entered my VIN, but that
| didn't stop me from asking for a different product -- and they
| gladly sent me an email with the matching code.
|
| PS: I'm also from Norway. I see that's a thing now.
| bri3d wrote:
| This is pretty common, oftentimes cars with parts restricted to
| VIN (special editions, etc.) or online manual or software
| download portals will ask for a VIN. Sometimes this is to
| verify parts fitment and sometimes it is to attempt to rate-
| limit parts purchase (i.e. - to keep a dealer from buying 100
| sets of "special edition" wheels and reselling them, they need
| to supply a unique VIN for each).
|
| The difference is that these are usually an extremely basic
| (and ultimately pointless) authentication test, not a way to
| download PII.
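The two comments above (torh on a lookup keyed on sequential VINs that can be iterated, bri3d on a VIN working only as a weak "authentication test") describe the same class of bug: an endpoint that hands back a record to whoever can name its identifier. The following is an added example, not code from the thread, from the Vice article, or from John Deere's API. It uses a constructed toy registry with invented VIN-like identifiers, shows the insecure lookup beside one with an object-level authorization check bound to the caller, and runs a small detector over constructed log lines that flags a client walking the identifier space in order. All names (`REGISTRY`, `lookup_owner_*`, `sweep`, `enumeration_suspects`, the log format) are assumptions for the illustration.

```python
"""Sequential-identifier lookup: insecure form, authorized form, and an
enumeration detector. Added example with constructed data; no real VINs,
owners or API shapes are used."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Vehicle:
    vin: str
    owner_user_id: str   # principal the record belongs to
    owner_name: str      # PII that must not be enumerable
    owner_address: str


# Constructed registry. Identifiers are sequential on purpose: that is the
# property torh's comment is about.
REGISTRY: Dict[str, Vehicle] = {
    "1JD000000000001": Vehicle("1JD000000000001", "u-17", "A. Farmer", "Rural Route 1"),
    "1JD000000000002": Vehicle("1JD000000000002", "u-42", "B. Grower", "County Road 9"),
    "1JD000000000003": Vehicle("1JD000000000003", "u-42", "B. Grower", "County Road 9"),
}


def lookup_owner_insecure(vin: str) -> Optional[dict]:
    """Keyed on the identifier alone: knowing (or guessing) a VIN is enough."""
    v = REGISTRY.get(vin)
    if v is None:
        return None
    return {"owner_name": v.owner_name, "owner_address": v.owner_address}


def lookup_owner_secure(requester_user_id: str, vin: str) -> Optional[dict]:
    """Object-level authorization: the record is returned only to a principal
    already bound to it. Missing and unauthorized both yield None so the
    endpoint cannot be used as an existence oracle for the VIN space."""
    v = REGISTRY.get(vin)
    if v is None or v.owner_user_id != requester_user_id:
        return None
    return {"owner_name": v.owner_name, "owner_address": v.owner_address}


def sweep(prefix: str, start: int, count: int, width: int = 12) -> List[dict]:
    """What a sequential identifier space permits against the insecure
    lookup: walk it in order and collect every record that exists."""
    hits = []
    for n in range(start, start + count):
        vin = f"{prefix}{n:0{width}d}"
        rec = lookup_owner_insecure(vin)
        if rec:
            hits.append({"vin": vin, **rec})
    return hits


# Constructed access-log format (an assumption for this example).
LOG_RE = re.compile(
    r"client=(?P<client>\S+) GET /vehicles/(?P<vin>[A-Z0-9]+) (?P<status>\d{3})"
)


def enumeration_suspects(
    log_lines: Iterable[str], min_requests: int = 5, min_sequential_fraction: float = 0.8
) -> Dict[str, int]:
    """Flag clients whose successive identifier requests differ by exactly 1
    most of the time. Counts requests regardless of status, since 404s are
    exactly what a sweep of a sparse space produces."""
    per_client: Dict[str, List[int]] = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        tail = re.search(r"\d+$", m["vin"])
        if tail:
            per_client[m["client"]].append(int(tail.group()))
    suspects: Dict[str, int] = {}
    for client, ids in per_client.items():
        if len(ids) < min_requests:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        sequential = sum(1 for s in steps if abs(s) == 1)
        if sequential / len(steps) >= min_sequential_fraction:
            suspects[client] = len(ids)
    return suspects


# Constructed log lines: one client walks six consecutive identifiers,
# another fetches its own vehicle twice.
SAMPLE_LOG = [
    f"2021-04-12T10:00:0{i}Z client=203.0.113.5 GET /vehicles/1JD{i:012d} {200 if i <= 3 else 404}"
    for i in range(1, 7)
] + [
    "2021-04-12T10:05:00Z client=198.51.100.7 GET /vehicles/1JD000000000002 200",
    "2021-04-12T10:06:00Z client=198.51.100.7 GET /vehicles/1JD000000000002 200",
]

if __name__ == "__main__":
    print("sweep of 1JD 1..10 via insecure lookup:", sweep("1JD", 1, 10))
    print("u-17 asking for u-42's vehicle:", lookup_owner_secure("u-17", "1JD000000000002"))
    print("enumeration suspects:", enumeration_suspects(SAMPLE_LOG))
```

The authorization check is the actual fix; rate limiting and the detector only shrink the window and give the SOC something to alert on. Returning the same "not found" for missing and unauthorized identifiers matters because bri3d's "basic authentication test" otherwise still tells a caller which VINs exist.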
| trollied wrote:
| I'm not surprised by this. They've made themselves a target
| because of their Right To Repair shenanigans.
| https://www.extremetech.com/electronics/320183-john-deere-fa...
| ourmandave wrote:
| How is doxing some guy who bought a tractor sticking it to JD?
|
| That's just a hacker being an asshole.
| bigfuggin wrote:
| From the article:
|
| > There is no evidence that hackers exploited these flaws.
| The researcher, who goes by Sick Codes, reported them to John
| Deere on April 12 and 13...
| vladmk wrote:
| I once had a company ask me to white label our agency and resell
| to these guys.
|
| Long story short they're def not tech savvy
| paulcarroty wrote:
| Cool, heard good things about his Docker-OSX project:
| https://github.com/sickcodes/Docker-OSX
| mkoubaa wrote:
| Serious question if you aren't a security pro what do you have to
| do to make sure your software is secure? Just follow best
| practices and contract a pen tester?
___________________________________________________________________
(page generated 2021-04-23 23:02 UTC)