Blurryeyed wrote:
Worse, John Deere seems to have no clue as to how bad it is at security. In the company’s entire history it has never once submitted a single bug to the US government’s Common Vulnerabilities and Exposures (CVE) database. As far as Deere knows, its security is literally perfect.
John Deere is wildly imperfect.
That means that the tool that Deere used to brick all those stolen tractors in Chechnya is potentially available to even moderately skilled hackers who exploit Deere’s reckless decision to build kill-switches into its equipment and its negligent security.
Kill-switches and VIN locks go hand in hand — but they’re also comorbid with security incompetence. Remember Medtronic? Its implanted medical devices (whose owners can only switch vendors with a scalpel and general anesthesia) are incredibly, terrifyingly insecure, and Medtronic, like Deere, insists nothing is wrong. That’s why a couple of security researchers had to build and demonstrate “a universal remote for killing people” with hacks of their implants before Medtronic would institute a voluntary recall of just one of its products.
You know who understands how dangerous John Deere’s kill-switching and VIN locking is? Ukrainian farmers. Ukraine is a major exporter of illegal alternative firmware that replaces Deere’s software with independently produced, farmer-friendly code (ironically, if the Russians who stole those Deere tractors manage to un-brick them, it will likely be with this software).
That farmers working in a low-income, high-risk, high-instability nation would create firmware to liberate themselves from the rent-seeking of a multinational monopolist and the risks its remote-control software created is no surprise.
High-risk/high-instability is now endemic to the world, not just Ukraine. The kill-switches that gave those Russian looters their comeuppance are lurking in every Deere tractor, everywhere. As Cathy Gellis wrote for Techdirt:
The reality is that if you’ve made it so that a tractor owner can’t use their own equipment, you might be a looter. But you also might be John Deere. The only difference is that the looter’s behavior is more clearly lawless, whereas John Deere’s is currently backed up by law. But the effect is just as wrong.
We should be building tractors — and phones, and cars, and ventilators, and medical implants — that are robust and resilient, maintainable and repairable even when supply chains break. There are risks to this — a device without a kill-switch is a little more attractive to thieves. But kill-switches impose risks that vastly outstrip the risks they offset.
In an increasingly risky world, that’s not something we should be cheering on.
The key to this story is that now John Deere has pissed off the Russians and eventually this will result in payback from some Russian hackers!