John Deere security flaws exposed sensitive customer information - Revision history

Marc84: /* References */ Update archive link (was bad snapshot).

2026-04-01T00:46:27Z

References: Update archive link (was bad snapshot).

← Older revision		Revision as of 00:46, 1 April 2026
Line 18:		Line 18:

	===John Deere's response===		===John Deere's response===
	In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>{{Cite web\|url=https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/\|publisher=Forbes\|title=184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability\|author=Paul F. Roberts\|date=14 Apr 2021\|format=article \|archive-url=http://web.archive.org/web/20250723050713/https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/ \|archive-date=23 Jul 2025}}</ref> The company also wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">{{Cite web \|author=Louis Rossmann \|date=25 Apr 2021 \|title=John Deere instigates hackers, gets hacked again \|url=https://www.youtube.com/watch?v=rB_SleNKBus \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-2 \|archive-url=https://preservetube.com/watch?v=rB_SleNKBus \|archive-date=23 Feb 2026}}</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>{{Cite web\|url=https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world\|~~title~~=~~John Deere Addresses the Ongoing Risks of Living in a Digital World\|author=Laurie Bedord\|date=23 Apr 2021\|language=en\|format=article\|publisher=Successful Farming~~ \|archive-url=http://web.archive.org/web/~~20250723043851~~/https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world \|archive-date=~~23 Jul 2025~~}}</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" /> Later in 2024, John Deere also partnered with HackerOne to enhance collaborative relationships with security researchers.<ref>{{Cite web\|url=https://www.deere.com/en/our-company/digital-security/hackerone-program/\|format=press release\|publisher=John Deere\|title=Deere Bolsters Information Security With HackerOne Program \|archive-url=http://web.archive.org/web/20250708172955/https://www.deere.com/en/our-company/digital-security/hackerone-program/ \|archive-date=8 Jul 2025}}</ref>		In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>{{Cite web\|url=https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/\|publisher=Forbes\|title=184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability\|author=Paul F. Roberts\|date=14 Apr 2021\|format=article \|archive-url=http://web.archive.org/web/20250723050713/https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/ \|archive-date=23 Jul 2025}}</ref> The company also wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">{{Cite web \|author=Louis Rossmann \|date=25 Apr 2021 \|title=John Deere instigates hackers, gets hacked again \|url=https://www.youtube.com/watch?v=rB_SleNKBus \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-2 \|archive-url=https://preservetube.com/watch?v=rB_SleNKBus \|archive-date=23 Feb 2026}}</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>{{Cite web \|author=Bedord \|first=Laurie \|date=23 Apr 2021 \|title=John Deere Addresses the Ongoing Risks of Living in a Digital World \|url=https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world \|url-status=live \|archive-url=http://web.archive.org/web/20210426083343/https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world \|archive-date=26 Apr 2021 \|publisher=Successful Farming \|language=en \|format=article}}</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" /> Later in 2024, John Deere also partnered with HackerOne to enhance collaborative relationships with security researchers.<ref>{{Cite web\|url=https://www.deere.com/en/our-company/digital-security/hackerone-program/\|format=press release\|publisher=John Deere\|title=Deere Bolsters Information Security With HackerOne Program \|archive-url=http://web.archive.org/web/20250708172955/https://www.deere.com/en/our-company/digital-security/hackerone-program/ \|archive-date=8 Jul 2025}}</ref>

	==References==		==References==

Reform: Added a date at start of a paragraph to note it as history rather than ongoing

2026-03-27T17:03:03Z

Added a date at start of a paragraph to note it as history rather than ongoing

← Older revision		Revision as of 17:03, 27 March 2026
Line 10:		Line 10:
	\|Description=John Deere allegedly lied about the severity of publicized vulnerabilities in their software.		\|Description=John Deere allegedly lied about the severity of publicized vulnerabilities in their software.
	}}		}}
	A number of security flaws in the software [[John Deere\|'''John Deere''']] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment. John Deere downplayed the impact while simultaneously increasing their security practices, as security jobs opened and they started to partner with security researchers.		In 2021, a number of security flaws in the software [[John Deere\|'''John Deere''']] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment. John Deere downplayed the impact while simultaneously increasing their security practices, as security jobs opened and they started to partner with security researchers.

	==Security flaws and the reporting process==		==Security flaws and the reporting process==
Line 18:		Line 18:

	===John Deere's response===		===John Deere's response===
	In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>{{Cite web\|url=https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/\|publisher=Forbes\|title=184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability\|author=Paul F. Roberts\|date=14 Apr 2021\|format=article \|archive-url=http://web.archive.org/web/20250723050713/https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/ \|archive-date=23 Jul 2025}}</ref> The company also wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">{{Cite web \|author=Louis Rossmann \|date=25 Apr 2021 \|title=John Deere instigates hackers, gets hacked again \|url=https://www.youtube.com/watch?v=rB_SleNKBus \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-2 \|archive-url=https://preservetube.com/watch?v=rB_SleNKBus \|archive-date=23 Feb 2026}}</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>{{Cite web\|url=https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world\|title=John Deere Addresses the Ongoing Risks of Living in a Digital World\|author=Laurie Bedord\|date=23 Apr 2021\|language=en\|format=article\|publisher=Successful Farming \|archive-url=http://web.archive.org/web/20250723043851/https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world \|archive-date=23 Jul 2025}}</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" />		In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>{{Cite web\|url=https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/\|publisher=Forbes\|title=184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability\|author=Paul F. Roberts\|date=14 Apr 2021\|format=article \|archive-url=http://web.archive.org/web/20250723050713/https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/ \|archive-date=23 Jul 2025}}</ref> The company also wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">{{Cite web \|author=Louis Rossmann \|date=25 Apr 2021 \|title=John Deere instigates hackers, gets hacked again \|url=https://www.youtube.com/watch?v=rB_SleNKBus \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-2 \|archive-url=https://preservetube.com/watch?v=rB_SleNKBus \|archive-date=23 Feb 2026}}</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>{{Cite web\|url=https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world\|title=John Deere Addresses the Ongoing Risks of Living in a Digital World\|author=Laurie Bedord\|date=23 Apr 2021\|language=en\|format=article\|publisher=Successful Farming \|archive-url=http://web.archive.org/web/20250723043851/https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world \|archive-date=23 Jul 2025}}</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" /> Later in 2024, John Deere also partnered with HackerOne to enhance collaborative relationships with security researchers.<ref>{{Cite web\|url=https://www.deere.com/en/our-company/digital-security/hackerone-program/\|format=press release\|publisher=John Deere\|title=Deere Bolsters Information Security With HackerOne Program \|archive-url=http://web.archive.org/web/20250708172955/https://www.deere.com/en/our-company/digital-security/hackerone-program/ \|archive-date=8 Jul 2025}}</ref>

	Later in 2024, John Deere also partnered with HackerOne to enhance collaborative relationships with security researchers.<ref>{{Cite web\|url=https://www.deere.com/en/our-company/digital-security/hackerone-program/\|format=press release\|publisher=John Deere\|title=Deere Bolsters Information Security With HackerOne Program \|archive-url=http://web.archive.org/web/20250708172955/https://www.deere.com/en/our-company/digital-security/hackerone-program/ \|archive-date=8 Jul 2025}}</ref>

	==References==		==References==

IronRune: Style edit

2026-03-14T18:05:25Z

Style edit

← Older revision		Revision as of 18:05, 14 March 2026
Line 10:		Line 10:
	\|Description=John Deere allegedly lied about the severity of publicized vulnerabilities in their software.		\|Description=John Deere allegedly lied about the severity of publicized vulnerabilities in their software.
	}}		}}
	A number of security flaws in the software [[John Deere\|'''John Deere''']] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment. John Deere downplayed the impact while simultaneously increasing their security practices, as security jobs opened and they started to partner up with security researchers.		A number of security flaws in the software [[John Deere\|'''John Deere''']] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment. John Deere downplayed the impact while simultaneously increasing their security practices, as security jobs opened and they started to partner with security researchers.

	==Security flaws and the reporting process==		==Security flaws and the reporting process==
	A security researcher with the alias Sick Codes found severe vulnerabilities in John Deere's software.<ref name=":0">{{Cite web\|url=https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/\|publisher=Vice Media\|title=Bugs Allowed Hackers to Dox John Deere Tractor Owners\|author=Lorenzo Franceschi-Bicchierai\|date=22 April 2021\|language=en\|format=article \|archive-url=http://web.archive.org/web/20251219042942/https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/ \|archive-date=19 Dec 2025}}</ref> Although ~~John Deere~~ confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information."<ref name=":0" /> This was not true according to the security researcher, because on newer farm equipment, the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number can be seen.<ref name=":0" />		A security researcher with the alias Sick Codes found severe vulnerabilities in John Deere's software.<ref name=":0">{{Cite web\|url=https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/\|publisher=Vice Media\|title=Bugs Allowed Hackers to Dox John Deere Tractor Owners\|author=Lorenzo Franceschi-Bicchierai\|date=22 April 2021\|language=en\|format=article \|archive-url=http://web.archive.org/web/20251219042942/https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/ \|archive-date=19 Dec 2025}}</ref> Although the company confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information."<ref name=":0" /> This was not true according to the security researcher, because on newer farm equipment, the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number can be seen.<ref name=":0" />

	Besides the security flaws, another major part of the controversy was about ~~the way~~ John Deere handled the reporting of security flaws. The researcher claimed ~~it was researched with~~ a developer account, and the ~~current~~ terms and conditions<ref>{{Cite web\|url=https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-url=https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-date=24 Apr 2021\|url-status=dead\|title=Global Security Request form with terms on personal data and privacy\|publisher=John Deere\|language=en}}</ref> for disclosing were followed, but were removed after the incident~~, among other issues like the previously mentioned downplaying of the impact~~.<ref name=":1">{{Cite web \|author=Louis Rossmann \|date=22 Apr 2021 \|title=John Deere security flaw exposed address of every customer & more! \|url=https://www.youtube.com/watch?v=hqablgjQ02g \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-1 \|archive-url=https://preservetube.com/watch?v=hqablgjQ02g \|archive-date=23 Feb 2026}}</ref>		Besides the security flaws, another major part of the controversy was about how John Deere handled the reporting of security flaws. The researcher claimed the flaws were found using a developer account and the terms and conditions<ref>{{Cite web\|url=https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-url=https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-date=24 Apr 2021\|url-status=dead\|title=Global Security Request form with terms on personal data and privacy\|publisher=John Deere\|language=en}}</ref> for disclosing vulnerabilities were followed, but were removed after the incident.<ref name=":1">{{Cite web \|author=Louis Rossmann \|date=22 Apr 2021 \|title=John Deere security flaw exposed address of every customer & more! \|url=https://www.youtube.com/watch?v=hqablgjQ02g \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-1 \|archive-url=https://preservetube.com/watch?v=hqablgjQ02g \|archive-date=23 Feb 2026}}</ref>

	===John Deere's response===		===John Deere's response===
	In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>{{Cite web\|url=https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/\|publisher=Forbes\|title=184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability\|author=Paul F. Roberts\|date=14 Apr 2021\|format=article \|archive-url=http://web.archive.org/web/20250723050713/https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/ \|archive-date=23 Jul 2025}}</ref> ~~Also, soon after the incident, John Deere~~ wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">{{Cite web \|author=Louis Rossmann \|date=25 Apr 2021 \|title=John Deere instigates hackers, gets hacked again \|url=https://www.youtube.com/watch?v=rB_SleNKBus \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-2 \|archive-url=https://preservetube.com/watch?v=rB_SleNKBus \|archive-date=23 Feb 2026}}</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>{{Cite web\|url=https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world\|title=John Deere Addresses the Ongoing Risks of Living in a Digital World\|author=Laurie Bedord\|date=23 Apr 2021\|language=en\|format=article\|publisher=Successful Farming \|archive-url=http://web.archive.org/web/20250723043851/https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world \|archive-date=23 Jul 2025}}</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" />		In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>{{Cite web\|url=https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/\|publisher=Forbes\|title=184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability\|author=Paul F. Roberts\|date=14 Apr 2021\|format=article \|archive-url=http://web.archive.org/web/20250723050713/https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/ \|archive-date=23 Jul 2025}}</ref> The company also wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">{{Cite web \|author=Louis Rossmann \|date=25 Apr 2021 \|title=John Deere instigates hackers, gets hacked again \|url=https://www.youtube.com/watch?v=rB_SleNKBus \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-2 \|archive-url=https://preservetube.com/watch?v=rB_SleNKBus \|archive-date=23 Feb 2026}}</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>{{Cite web\|url=https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world\|title=John Deere Addresses the Ongoing Risks of Living in a Digital World\|author=Laurie Bedord\|date=23 Apr 2021\|language=en\|format=article\|publisher=Successful Farming \|archive-url=http://web.archive.org/web/20250723043851/https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world \|archive-date=23 Jul 2025}}</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" />

	~~Quite a bit later~~ in 2024, John Deere ~~has~~ also partnered up with HackerOne to enhance collaborative relationships with security researchers.<ref>{{Cite web\|url=https://www.deere.com/en/our-company/digital-security/hackerone-program/\|format=press release\|publisher=John Deere\|title=Deere Bolsters Information Security With HackerOne Program \|archive-url=http://web.archive.org/web/20250708172955/https://www.deere.com/en/our-company/digital-security/hackerone-program/ \|archive-date=8 Jul 2025}}</ref>		Later in 2024, John Deere also partnered with HackerOne to enhance collaborative relationships with security researchers.<ref>{{Cite web\|url=https://www.deere.com/en/our-company/digital-security/hackerone-program/\|format=press release\|publisher=John Deere\|title=Deere Bolsters Information Security With HackerOne Program \|archive-url=http://web.archive.org/web/20250708172955/https://www.deere.com/en/our-company/digital-security/hackerone-program/ \|archive-date=8 Jul 2025}}</ref>

	==References==		==References==

Bananabot: Added archive URLs for 6 citation(s) using CRWCitationBot

2026-02-23T05:37:35Z

Added archive URLs for 6 citation(s) using CRWCitationBot

← Older revision		Revision as of 05:37, 23 February 2026
Line 13:		Line 13:

	==Security flaws and the reporting process==		==Security flaws and the reporting process==
	A security researcher with the alias Sick Codes found severe vulnerabilities in John Deere's software.<ref name=":0">{{Cite web\|url=https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/\|publisher=Vice Media\|title=Bugs Allowed Hackers to Dox John Deere Tractor Owners\|author=Lorenzo Franceschi-Bicchierai\|date=22 April 2021\|language=en\|format=article}}</ref> Although John Deere confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information."<ref name=":0" /> This was not true according to the security researcher, because on newer farm equipment, the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number can be seen.<ref name=":0" />		A security researcher with the alias Sick Codes found severe vulnerabilities in John Deere's software.<ref name=":0">{{Cite web\|url=https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/\|publisher=Vice Media\|title=Bugs Allowed Hackers to Dox John Deere Tractor Owners\|author=Lorenzo Franceschi-Bicchierai\|date=22 April 2021\|language=en\|format=article \|archive-url=http://web.archive.org/web/20251219042942/https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/ \|archive-date=19 Dec 2025}}</ref> Although John Deere confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information."<ref name=":0" /> This was not true according to the security researcher, because on newer farm equipment, the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number can be seen.<ref name=":0" />

	Besides the security flaws, another major part of the controversy was about the way John Deere handled the reporting of security flaws. The researcher claimed it was researched with a developer account, and the current terms and conditions<ref>{{Cite web\|url=https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-url=https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-date=24 Apr 2021\|url-status=dead\|title=Global Security Request form with terms on personal data and privacy\|publisher=John Deere\|language=en}}</ref> for disclosing were followed, but were removed after the incident, among other issues like the previously mentioned downplaying of the impact.<ref name=":1">{{Cite web \|author=Louis Rossmann \|date=22 Apr 2021 \|title=John Deere security flaw exposed address of every customer & more! \|url=https://www.youtube.com/watch?v=hqablgjQ02g \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-1}}</ref>		Besides the security flaws, another major part of the controversy was about the way John Deere handled the reporting of security flaws. The researcher claimed it was researched with a developer account, and the current terms and conditions<ref>{{Cite web\|url=https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-url=https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-date=24 Apr 2021\|url-status=dead\|title=Global Security Request form with terms on personal data and privacy\|publisher=John Deere\|language=en}}</ref> for disclosing were followed, but were removed after the incident, among other issues like the previously mentioned downplaying of the impact.<ref name=":1">{{Cite web \|author=Louis Rossmann \|date=22 Apr 2021 \|title=John Deere security flaw exposed address of every customer & more! \|url=https://www.youtube.com/watch?v=hqablgjQ02g \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-1 \|archive-url=https://preservetube.com/watch?v=hqablgjQ02g \|archive-date=23 Feb 2026}}</ref>

	===John Deere's response===		===John Deere's response===
	In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>{{Cite web\|url=https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/\|publisher=Forbes\|title=184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability\|author=Paul F. Roberts\|date=14 Apr 2021\|format=article}}</ref> Also, soon after the incident, John Deere wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">{{Cite web \|author=Louis Rossmann \|date=25 Apr 2021 \|title=John Deere instigates hackers, gets hacked again \|url=https://www.youtube.com/watch?v=rB_SleNKBus \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-2}}</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>{{Cite web\|url=https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world\|title=John Deere Addresses the Ongoing Risks of Living in a Digital World\|author=Laurie Bedord\|date=23 Apr 2021\|language=en\|format=article\|publisher=Successful Farming}}</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" />		In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>{{Cite web\|url=https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/\|publisher=Forbes\|title=184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability\|author=Paul F. Roberts\|date=14 Apr 2021\|format=article \|archive-url=http://web.archive.org/web/20250723050713/https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/ \|archive-date=23 Jul 2025}}</ref> Also, soon after the incident, John Deere wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">{{Cite web \|author=Louis Rossmann \|date=25 Apr 2021 \|title=John Deere instigates hackers, gets hacked again \|url=https://www.youtube.com/watch?v=rB_SleNKBus \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-2 \|archive-url=https://preservetube.com/watch?v=rB_SleNKBus \|archive-date=23 Feb 2026}}</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>{{Cite web\|url=https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world\|title=John Deere Addresses the Ongoing Risks of Living in a Digital World\|author=Laurie Bedord\|date=23 Apr 2021\|language=en\|format=article\|publisher=Successful Farming \|archive-url=http://web.archive.org/web/20250723043851/https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world \|archive-date=23 Jul 2025}}</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" />

	Quite a bit later in 2024, John Deere has also partnered up with HackerOne to enhance collaborative relationships with security researchers.<ref>{{Cite web\|url=https://www.deere.com/en/our-company/digital-security/hackerone-program/\|format=press release\|publisher=John Deere\|title=Deere Bolsters Information Security With HackerOne Program}}</ref>		Quite a bit later in 2024, John Deere has also partnered up with HackerOne to enhance collaborative relationships with security researchers.<ref>{{Cite web\|url=https://www.deere.com/en/our-company/digital-security/hackerone-program/\|format=press release\|publisher=John Deere\|title=Deere Bolsters Information Security With HackerOne Program \|archive-url=http://web.archive.org/web/20250708172955/https://www.deere.com/en/our-company/digital-security/hackerone-program/ \|archive-date=8 Jul 2025}}</ref>

	==References==		==References==

Bythmusters: Added cargo template

2026-01-13T11:42:29Z

Added cargo template

← Older revision		Revision as of 11:42, 13 January 2026
Line 1:		Line 1:
			{{IncidentCargo
			\|Company=John Deere
			\|StartDate=2021-4-22
			\|EndDate=
			\|Status=Resolved
			\|ProductLine=
			\|Product=
			\|ArticleType=Product
			\|Type=Privacy, Security
			\|Description=John Deere allegedly lied about the severity of publicized vulnerabilities in their software.
			}}
	A number of security flaws in the software [[John Deere\|'''John Deere''']] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment. John Deere downplayed the impact while simultaneously increasing their security practices, as security jobs opened and they started to partner up with security researchers.		A number of security flaws in the software [[John Deere\|'''John Deere''']] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment. John Deere downplayed the impact while simultaneously increasing their security practices, as security jobs opened and they started to partner up with security researchers.

Emanuele at 20:15, 30 March 2025

2025-03-30T20:15:34Z

← Older revision		Revision as of 20:15, 30 March 2025
Line 1:		Line 1:
	A number of security flaws in the software [[John Deere]] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment. John Deere downplayed the impact while simultaneously increasing their security practices, as security jobs opened and they started to partner up with security researchers.		A number of security flaws in the software [[John Deere\|'''John Deere''']] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment. John Deere downplayed the impact while simultaneously increasing their security practices, as security jobs opened and they started to partner up with security researchers.

	==Security flaws and the reporting process==		==Security flaws and the reporting process==

Kostas: add ids to deduplicate refs

2025-03-18T08:10:24Z

add ids to deduplicate refs

← Older revision		Revision as of 08:10, 18 March 2025
Line 4:		Line 4:
	A security researcher with the alias Sick Codes found severe vulnerabilities in John Deere's software.<ref name=":0">{{Cite web\|url=https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/\|publisher=Vice Media\|title=Bugs Allowed Hackers to Dox John Deere Tractor Owners\|author=Lorenzo Franceschi-Bicchierai\|date=22 April 2021\|language=en\|format=article}}</ref> Although John Deere confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information."<ref name=":0" /> This was not true according to the security researcher, because on newer farm equipment, the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number can be seen.<ref name=":0" />		A security researcher with the alias Sick Codes found severe vulnerabilities in John Deere's software.<ref name=":0">{{Cite web\|url=https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/\|publisher=Vice Media\|title=Bugs Allowed Hackers to Dox John Deere Tractor Owners\|author=Lorenzo Franceschi-Bicchierai\|date=22 April 2021\|language=en\|format=article}}</ref> Although John Deere confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information."<ref name=":0" /> This was not true according to the security researcher, because on newer farm equipment, the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number can be seen.<ref name=":0" />

	Besides the security flaws, another major part of the controversy was about the way John Deere handled the reporting of security flaws. The researcher claimed it was researched with a developer account, and the current terms and conditions<ref>{{Cite web\|url=https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-url=https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-date=24 Apr 2021\|url-status=dead\|title=Global Security Request form with terms on personal data and privacy\|publisher=John Deere\|language=en}}</ref> for disclosing were followed, but were removed after the incident, among other issues like the previously mentioned downplaying of the impact.<ref name=":1">{{Cite web\|title=John Deere security flaw exposed address of every customer & more!\|url=https://www.youtube.com/watch?v=hqablgjQ02g\|publisher=YouTube\|~~author~~=~~Louis Rossmann\|date=22 Apr 2021~~\|format=video\|~~language~~=en}}</ref>		Besides the security flaws, another major part of the controversy was about the way John Deere handled the reporting of security flaws. The researcher claimed it was researched with a developer account, and the current terms and conditions<ref>{{Cite web\|url=https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-url=https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-date=24 Apr 2021\|url-status=dead\|title=Global Security Request form with terms on personal data and privacy\|publisher=John Deere\|language=en}}</ref> for disclosing were followed, but were removed after the incident, among other issues like the previously mentioned downplaying of the impact.<ref name=":1">{{Cite web \|author=Louis Rossmann \|date=22 Apr 2021 \|title=John Deere security flaw exposed address of every customer & more! \|url=https://www.youtube.com/watch?v=hqablgjQ02g \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-1}}</ref>

	===John Deere's response===		===John Deere's response===
	In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>{{Cite web\|url=https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/\|publisher=Forbes\|title=184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability\|author=Paul F. Roberts\|date=14 Apr 2021\|format=article}}</ref> Also, soon after the incident, John Deere wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">{{Cite web\|title=John Deere instigates hackers, gets hacked again\|url=https://www.youtube.com/watch?v=rB_SleNKBus~~\|date=25 Apr 2021~~\|publisher=YouTube~~\|author=Louis Rossmann~~\|language=en\|format=video}}</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>{{Cite web\|url=https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world\|title=John Deere Addresses the Ongoing Risks of Living in a Digital World\|author=Laurie Bedord\|date=23 Apr 2021\|language=en\|format=article\|publisher=Successful Farming}}</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" />		In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>{{Cite web\|url=https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/\|publisher=Forbes\|title=184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability\|author=Paul F. Roberts\|date=14 Apr 2021\|format=article}}</ref> Also, soon after the incident, John Deere wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">{{Cite web \|author=Louis Rossmann \|date=25 Apr 2021 \|title=John Deere instigates hackers, gets hacked again \|url=https://www.youtube.com/watch?v=rB_SleNKBus \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-2}}</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>{{Cite web\|url=https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world\|title=John Deere Addresses the Ongoing Risks of Living in a Digital World\|author=Laurie Bedord\|date=23 Apr 2021\|language=en\|format=article\|publisher=Successful Farming}}</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" />

	Quite a bit later in 2024, John Deere has also partnered up with HackerOne to enhance collaborative relationships with security researchers.<ref>{{Cite web\|url=https://www.deere.com/en/our-company/digital-security/hackerone-program/\|format=press release\|publisher=John Deere\|title=Deere Bolsters Information Security With HackerOne Program}}</ref>		Quite a bit later in 2024, John Deere has also partnered up with HackerOne to enhance collaborative relationships with security researchers.<ref>{{Cite web\|url=https://www.deere.com/en/our-company/digital-security/hackerone-program/\|format=press release\|publisher=John Deere\|title=Deere Bolsters Information Security With HackerOne Program}}</ref>

InTransparencyWeTrust: improve references with additional information

2025-02-25T14:16:25Z

improve references with additional information

← Older revision		Revision as of 14:16, 25 February 2025
Line 1:		Line 1:
	A number of security flaws in the software [[John Deere]] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment. John Deere downplayed the impact while simultaneously increasing their security practices, as security jobs opened and they started to partner up with security researchers.		A number of security flaws in the software [[John Deere]] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment. John Deere downplayed the impact while simultaneously increasing their security practices, as security jobs opened and they started to partner up with security researchers.

	== Security flaws and the reporting process ==		==Security flaws and the reporting process==
	A security researcher with the alias Sick Codes found severe vulnerabilities in John Deere's software.<ref name=":0">https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/</ref> Although John Deere confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information."<ref name=":0" /> This was not true according to the security researcher, because on newer farm equipment, the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number can be seen.<ref name=":0" />		A security researcher with the alias Sick Codes found severe vulnerabilities in John Deere's software.<ref name=":0">{{Cite web\|url=https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/\|publisher=Vice Media\|title=Bugs Allowed Hackers to Dox John Deere Tractor Owners\|author=Lorenzo Franceschi-Bicchierai\|date=22 April 2021\|language=en\|format=article}}</ref> Although John Deere confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information."<ref name=":0" /> This was not true according to the security researcher, because on newer farm equipment, the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number can be seen.<ref name=":0" />

	Besides the security flaws, another major part of the controversy was about the way John Deere handled the reporting of security flaws. The researcher claimed it was researched with a developer account, and the current terms and conditions<ref>https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/</ref> for disclosing were followed, but were removed after the incident, among other issues like the previously mentioned downplaying of the impact.<ref name=":1">~~[[Louis Rossmann - Video Directory]]: [~~https://www.youtube.com/watch?v=hqablgjQ02g ~~John Deere security flaw exposed address of every customer & more!]~~</ref>		Besides the security flaws, another major part of the controversy was about the way John Deere handled the reporting of security flaws. The researcher claimed it was researched with a developer account, and the current terms and conditions<ref>{{Cite web\|url=https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-url=https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-date=24 Apr 2021\|url-status=dead\|title=Global Security Request form with terms on personal data and privacy\|publisher=John Deere\|language=en}}</ref> for disclosing were followed, but were removed after the incident, among other issues like the previously mentioned downplaying of the impact.<ref name=":1">{{Cite web\|title=John Deere security flaw exposed address of every customer & more!\|url=https://www.youtube.com/watch?v=hqablgjQ02g\|publisher=YouTube\|author=Louis Rossmann\|date=22 Apr 2021\|format=video\|language=en}}</ref>

	=== John Deere's response ===		===John Deere's response===
	In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/</ref> Also, soon after the incident, John Deere wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">~~[[Louis Rossmann - Video Directory]]: [~~https://www.youtube.com/watch?v=rB_SleNKBus ~~John Deere instigates hackers, gets hacked again]~~</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" />		In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>{{Cite web\|url=https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/\|publisher=Forbes\|title=184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability\|author=Paul F. Roberts\|date=14 Apr 2021\|format=article}}</ref> Also, soon after the incident, John Deere wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">{{Cite web\|title=John Deere instigates hackers, gets hacked again\|url=https://www.youtube.com/watch?v=rB_SleNKBus\|date=25 Apr 2021\|publisher=YouTube\|author=Louis Rossmann\|language=en\|format=video}}</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>{{Cite web\|url=https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world\|title=John Deere Addresses the Ongoing Risks of Living in a Digital World\|author=Laurie Bedord\|date=23 Apr 2021\|language=en\|format=article\|publisher=Successful Farming}}</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" />

	Quite a bit later in 2024, John Deere has also partnered up with HackerOne~~<ref>https://www.hackerone.com/</ref>~~ to enhance collaborative relationships with security researchers.<ref>https://www.deere.com/en/our-company/digital-security/hackerone-program/</ref>		Quite a bit later in 2024, John Deere has also partnered up with HackerOne to enhance collaborative relationships with security researchers.<ref>{{Cite web\|url=https://www.deere.com/en/our-company/digital-security/hackerone-program/\|format=press release\|publisher=John Deere\|title=Deere Bolsters Information Security With HackerOne Program}}</ref>

	==References==		==References==

InTransparencyWeTrust: Create the introduction and section the rest of the article content

2025-02-25T14:01:03Z

Create the introduction and section the rest of the article content

← Older revision		Revision as of 14:01, 25 February 2025
Line 1:		Line 1:
	A number of security flaws in the software [[John Deere]] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment, ~~according~~ to security researcher Sick Codes~~, who~~ found ~~the~~ vulnerabilities.<ref name=":0">https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/</ref> Although John Deere confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information."<ref name=":0" /> This was not true according to the security researcher, because on newer farm equipment, the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number can be seen.<ref name=":0" />		A number of security flaws in the software [[John Deere]] provided could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment. John Deere downplayed the impact while simultaneously increasing their security practices, as security jobs opened and they started to partner up with security researchers.

			== Security flaws and the reporting process ==
			A security researcher with the alias Sick Codes found severe vulnerabilities in John Deere's software.<ref name=":0">https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/</ref> Although John Deere confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information."<ref name=":0" /> This was not true according to the security researcher, because on newer farm equipment, the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number can be seen.<ref name=":0" />

	Besides the security flaws, another major part of the controversy was about the way John Deere handled the reporting of security flaws. The researcher claimed it was researched with a developer account, and the current terms and conditions<ref>https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/</ref> for disclosing were followed, but were removed after the incident, among other issues like the previously mentioned downplaying of the impact.<ref name=":1">[[Louis Rossmann - Video Directory]]: [https://www.youtube.com/watch?v=hqablgjQ02g John Deere security flaw exposed address of every customer & more!]</ref>		Besides the security flaws, another major part of the controversy was about the way John Deere handled the reporting of security flaws. The researcher claimed it was researched with a developer account, and the current terms and conditions<ref>https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/</ref> for disclosing were followed, but were removed after the incident, among other issues like the previously mentioned downplaying of the impact.<ref name=":1">[[Louis Rossmann - Video Directory]]: [https://www.youtube.com/watch?v=hqablgjQ02g John Deere security flaw exposed address of every customer & more!]</ref>

			=== John Deere's response ===
	In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/</ref> Also, soon after the incident, John Deere wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">[[Louis Rossmann - Video Directory]]: [https://www.youtube.com/watch?v=rB_SleNKBus John Deere instigates hackers, gets hacked again]</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" />		In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/</ref> Also, soon after the incident, John Deere wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">[[Louis Rossmann - Video Directory]]: [https://www.youtube.com/watch?v=rB_SleNKBus John Deere instigates hackers, gets hacked again]</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" />

InTransparencyWeTrust: remove unneeded category

2025-02-22T15:10:20Z

remove unneeded category

← Older revision		Revision as of 15:10, 22 February 2025
Line 11:		Line 11:
	[[Category:John Deere]]		[[Category:John Deere]]
	[[Category:Incidents]]		[[Category:Incidents]]
	~~[[Category:Louis Rossmann]]~~
	[[Category:Articles based on videos]]		[[Category:Articles based on videos]]

← Older revision		Revision as of 08:10, 18 March 2025
Line 4:		Line 4:
	A security researcher with the alias Sick Codes found severe vulnerabilities in John Deere's software.<ref name=":0">{{Cite web\|url=https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/\|publisher=Vice Media\|title=Bugs Allowed Hackers to Dox John Deere Tractor Owners\|author=Lorenzo Franceschi-Bicchierai\|date=22 April 2021\|language=en\|format=article}}</ref> Although John Deere confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information."<ref name=":0" /> This was not true according to the security researcher, because on newer farm equipment, the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number can be seen.<ref name=":0" />		A security researcher with the alias Sick Codes found severe vulnerabilities in John Deere's software.<ref name=":0">{{Cite web\|url=https://www.vice.com/en/article/bugs-allowed-hackers-to-dox-all-john-deere-owners/\|publisher=Vice Media\|title=Bugs Allowed Hackers to Dox John Deere Tractor Owners\|author=Lorenzo Franceschi-Bicchierai\|date=22 April 2021\|language=en\|format=article}}</ref> Although John Deere confirmed the existence of the vulnerabilities, they downplayed their impact by stating it was remediated and it did not give "access to customer accounts, dealer accounts, or sensitive personal information."<ref name=":0" /> This was not true according to the security researcher, because on newer farm equipment, the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number can be seen.<ref name=":0" />

	Besides the security flaws, another major part of the controversy was about the way John Deere handled the reporting of security flaws. The researcher claimed it was researched with a developer account, and the current terms and conditions<ref>{{Cite web\|url=https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-url=https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-date=24 Apr 2021\|url-status=dead\|title=Global Security Request form with terms on personal data and privacy\|publisher=John Deere\|language=en}}</ref> for disclosing were followed, but were removed after the incident, among other issues like the previously mentioned downplaying of the impact.<ref name=":1">{{Cite web\|title=John Deere security flaw exposed address of every customer & more!\|url=https://www.youtube.com/watch?v=hqablgjQ02g\|publisher=YouTube\|~~author~~=~~Louis Rossmann\|date=22 Apr 2021~~\|format=video\|~~language~~=en}}</ref>		Besides the security flaws, another major part of the controversy was about the way John Deere handled the reporting of security flaws. The researcher claimed it was researched with a developer account, and the current terms and conditions<ref>{{Cite web\|url=https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-url=https://web.archive.org/web/20210424021348/https://www.deere.com/en/forms/corporate/it-security-consulting/\|archive-date=24 Apr 2021\|url-status=dead\|title=Global Security Request form with terms on personal data and privacy\|publisher=John Deere\|language=en}}</ref> for disclosing were followed, but were removed after the incident, among other issues like the previously mentioned downplaying of the impact.<ref name=":1">{{Cite web \|author=Louis Rossmann \|date=22 Apr 2021 \|title=John Deere security flaw exposed address of every customer & more! \|url=https://www.youtube.com/watch?v=hqablgjQ02g \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-1}}</ref>

	===John Deere's response===		===John Deere's response===
	In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>{{Cite web\|url=https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/\|publisher=Forbes\|title=184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability\|author=Paul F. Roberts\|date=14 Apr 2021\|format=article}}</ref> Also, soon after the incident, John Deere wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">{{Cite web\|title=John Deere instigates hackers, gets hacked again\|url=https://www.youtube.com/watch?v=rB_SleNKBus~~\|date=25 Apr 2021~~\|publisher=YouTube~~\|author=Louis Rossmann~~\|language=en\|format=video}}</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>{{Cite web\|url=https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world\|title=John Deere Addresses the Ongoing Risks of Living in a Digital World\|author=Laurie Bedord\|date=23 Apr 2021\|language=en\|format=article\|publisher=Successful Farming}}</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" />		In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cyber security engineers to “drive embedded software cybersecurity requirements and security features development” as well as “develop threat models using industry best practices.<ref>{{Cite web\|url=https://www.forbes.com/sites/paulfroberts/2021/04/14/184-years-in-ag-giant-john-deere-awaits-its-first-software-vulnerability/\|publisher=Forbes\|title=184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability\|author=Paul F. Roberts\|date=14 Apr 2021\|format=article}}</ref> Also, soon after the incident, John Deere wrote, "This week's forecast: one to three inches of nonsense", which can be interpreted as denying that the recent security flaws were severe.<ref name=":2">{{Cite web \|author=Louis Rossmann \|date=25 Apr 2021 \|title=John Deere instigates hackers, gets hacked again \|url=https://www.youtube.com/watch?v=rB_SleNKBus \|publisher=YouTube \|language=en \|format=video \|ref=Rossmann-video-2}}</ref> John Deere addressed it by stating "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn’t come through in the article."<ref>{{Cite web\|url=https://www.agriculture.com/news/technology/john-deere-addresses-the-risks-of-living-in-a-digital-world\|title=John Deere Addresses the Ongoing Risks of Living in a Digital World\|author=Laurie Bedord\|date=23 Apr 2021\|language=en\|format=article\|publisher=Successful Farming}}</ref> However, their claims seem to be not true, because the researcher claims they could access the data.<ref name=":0" /><ref name=":1" /><ref name=":2" />

	Quite a bit later in 2024, John Deere has also partnered up with HackerOne to enhance collaborative relationships with security researchers.<ref>{{Cite web\|url=https://www.deere.com/en/our-company/digital-security/hackerone-program/\|format=press release\|publisher=John Deere\|title=Deere Bolsters Information Security With HackerOne Program}}</ref>		Quite a bit later in 2024, John Deere has also partnered up with HackerOne to enhance collaborative relationships with security researchers.<ref>{{Cite web\|url=https://www.deere.com/en/our-company/digital-security/hackerone-program/\|format=press release\|publisher=John Deere\|title=Deere Bolsters Information Security With HackerOne Program}}</ref>