No one ever wants a group of hackers to say about their company: "We had the keys to the kingdom."
But that's exactly what the hacker Sick Codes told host David Ruiz on this week's episode of Lock and Code, describing his and fellow hackers' efforts to peer into John Deere's Operations Center, where the company receives a near-endless stream of data from its Internet-connected tractors, combines, and other smart farming equipment.
For Sick Codes, what began as the discovery of a small flaw grew into a much larger group project that uncovered reams of sensitive information. Customer names, addresses, equipment type, equipment location, and equipment reservations were all uncovered by Sick Codes and his team, he said.
“A group of less than 10 people were able to pretty much get root on John Deere’s Operations Center, which connects to every other third party connectivity service that they have. You know, you can get every farm’s data, every farm’s water, I’m talking everything. We had like the keys to the kingdom. And that was just a few people in two days.”
Sick Codes
During their investigation, Sick Codes also tried to report these vulnerabilities to the companies themselves. But his and his team's efforts were sometimes rebuffed. For one vulnerability, Sick Codes said, he was even pushed into staying quiet.
Listen to Sick Codes talk about his cyber investigation into agricultural companies, and his response to being led into a private disclosure program which he wanted nothing to do with, on this week's episode of Lock and Code.
Further, you can watch Sick Codes' presentation at DEFCON on YouTube, and you can read a summary of the talk. The hackers who helped discover the vulnerabilities, which you can read about here, included:
- Sick Codes: Twitter account; Github account
- wabaf3t: Twitter account; Github account
- Ashish Kunwar: Twitter account; Github account
- ChiefCoolArrow: Twitter account
- John Jackson: Twitter account
- Robert Willis: Twitter account
- Higinio "w0rmer" Ochoa: Twitter account; LinkedIn account
- Kevin Kenney: Twitter account
- Willie Cade: Twitter account
- Kelly Kaoudis: Twitter account; Github account