
John Deere security flaws exposed sensitive customer information


Contents
  1. Security flaws and the reporting process
  2. John Deere's response
  3. References

In 2021, a number of security flaws in software provided by John Deere could have allowed attackers to find and download the personal data of every owner of the company's farming vehicles and equipment. John Deere downplayed the impact while at the same time tightening its security practices: it opened security engineering positions and later began partnering with security researchers.

Security flaws and the reporting process

A security researcher using the alias Sick Codes found severe vulnerabilities in John Deere's software.[1] Although the company confirmed that the vulnerabilities existed, it downplayed their impact by stating that they had been remediated and had not given "access to customer accounts, dealer accounts, or sensitive personal information."[1] According to the researcher this was not true: for newer farm equipment, the owner's name, their physical address, the equipment's unique ID, and its Vehicle Identification Number could be viewed.[1]

Besides the security flaws themselves, another major part of the controversy was how John Deere handled the reporting of those flaws. The researcher stated that the flaws were found using a developer account and that John Deere's published terms and conditions for disclosing vulnerabilities[2] had been followed; those terms were removed after the incident.[3]

John Deere's response

In the immediate aftermath of the incident, John Deere posted a spate of job openings for embedded cybersecurity engineers to "drive embedded software cybersecurity requirements and security features development" as well as "develop threat models using industry best practices."[4] The company also wrote, "This week's forecast: one to three inches of nonsense", which can be read as a denial that the recently reported flaws were severe.[5] John Deere addressed the matter by stating: "We investigated immediately, and the misconfigurations were fixed right away. The important take away here is that our customers' sensitive personal or business information, including financial and agronomic data, was never accessed, which is a point that didn't come through in the article."[6] This claim is disputed by the researcher, who states that the data could in fact be accessed.[1][3][5] Later, in 2024, John Deere partnered with HackerOne to build collaborative relationships with security researchers.[7]

References

  1. Lorenzo Franceschi-Bicchierai (22 Apr 2021). "Bugs Allowed Hackers to Dox John Deere Tractor Owners" (article). Vice Media. Archived from the original on 19 Dec 2025.
  2. "Global Security Request form with terms on personal data and privacy". John Deere. Archived from the original on 24 Apr 2021.
  3. Louis Rossmann (22 Apr 2021). "John Deere security flaw exposed address of every customer & more!" (video). YouTube. Archived from the original on 23 Feb 2026.
  4. Paul F. Roberts (14 Apr 2021). "184 Years In: Ag Giant John Deere Awaits Its First Software Vulnerability" (article). Forbes. Archived from the original on 23 Jul 2025.
  5. Louis Rossmann (25 Apr 2021). "John Deere instigates hackers, gets hacked again" (video). YouTube. Archived from the original on 23 Feb 2026.
  6. Laurie Bedord (23 Apr 2021). "John Deere Addresses the Ongoing Risks of Living in a Digital World" (article). Successful Farming. Archived from the original on 26 Apr 2021.
  7. "Deere Bolsters Information Security With HackerOne Program" (press release). John Deere. Archived from the original on 8 Jul 2025.