John Deere’s cybersecurity response to a discovered vulnerability was good. But a vulnerability on one of their six-figure autonomous farm vehicles that affects safety could be much worse.
John Deere’s website and owner application have been “hacked” by researcher SickCodes. Their cybersecurity response to the responsible disclosure was good: within a week of notification they fixed the issues and allowed publication of the past vulnerabilities.
Two things caught our eye: before this, John Deere had NO published vulnerabilities (CVEs), and, according to the hacker, they had no externally facing Vulnerability Disclosure Program. The researcher who found, responsibly disclosed, and later published the vulnerability was not happy with their response to his claims (he received no bounty, and their Vulnerability Disclosure Program was created on the fly when he notified them of the bugs), yet even he commended them on the overall response.
As observers from the sidelines, we wish that all organizations who do not yet have a bug disclosure program in place would react as efficiently and responsibly as John Deere did.
When you read Lane Arthur’s interview on agriculture.com’s Technology News, you can see why the company was able to respond well: they are already well along their digital journey, with third-party partners for APIs that use and enhance data collected from their machines, timely releases with OTA distribution, security awareness among their developers, and a full-time Product Security team.
The impact of the vulnerability found on the John Deere website and application could have been leakage of owners’ personal data. A vulnerability on one of their six-figure autonomous farm vehicles that affects safety could be much worse.
The hacker attack led John Deere to accelerate their readiness for UN R155 (WP.29) by enabling their vulnerability disclosure program – a step towards an end-to-end cyber security management system, as dictated by UN R155.