Smartbulbs and Tractors and NFTvs...Oh My! The Worst of CES
Surveillance bulbs? Autonomous tractors? NFTVs? We looked at some of this year’s head scratchers and face-palms from the CES show.
I recently had the honor of participating in the second annual “Worst in Show” event for CES 2022, the Consumer Electronics Show. My choice: John Deere’s announcement of a fully autonomous 8R tractor.
Cybersecurity is tough as products are not available to test drive, pen test or otherwise assess. That’s one reason that cybersecurity is kind of the Madwoman in the Attic at any CES: a haunting presence everyone knows is there, lurking in the background but that nobody wants to talk about.
What I can talk about however is what we know about John Deere’s security practices, which is that there are a lot of red flags in the software and services the company has deployed, while the security of its hardware remains a black box: hidden from researchers and the larger information security community.
A spotty record on security
In 2021, for example, a hacker using the handle “Sick Codes” published two advisories on warning about the flaws in the myjohndeere.com web site and the John Deere Operations Center web site and mobile applications.
In a conversation with this reporter at the time, Sick Codes said that a he was able to use VINs (vehicle identification numbers) taken from a farm equipment auction site to identify the name and physical address of the owner. Furthermore, a flaw in the myjohndeere.com website could allow an unauthenticated user to carry out automated attacks against the site, possibly revealing all the user accounts for that site.
Sick Codes disclosed both flaws to John Deere and also to the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA), which monitors food and agriculture as a critical infrastructure sector. The flaws in John Deere were part of a spate of flaws in software by major agricultural equipment makers, which have raised concerns about the security of the food supply chain.
The security issue here is clear: when you have an equipment vendor making multi-ton, robotic devices that are remotely controllable via software, the possibility of cyber physical attacks - those could injure farm workers who labor in close proximity to these devices. More importantly, they could be used to cripple the equipment itself and - with it - U.S. food production.
Security flaws are inevitable. When you make sophisticated equipment and services to support that equipment like Deere does, you’re going to make mistakes and create a lot of security holes in the process. Sometimes the problems aren’t even of your doing, like Log4j, the ubiquitous open source library that was found to contain a remote code execution flaw. (And which Deere said it may be vulnerable to, btw.)
The question isn’t “do you have security vulnerabilities.” The question is: “how does your organization respond to them?” And it is for this reason that Deere won my vote for security worst in show.
Rather than respond in a transparent manner to the reports by Sick Codes, the company has engaged in an epic bout of “Security Washing.” That’s when a company goes through the motions of mounting a security response, but with no real organizational or operational change. Deere, for example, launched a bug bounty program with HackerOne. Their CISO started giving interviews touting the company’s commitment to security, etc. etc.
That’s great. But when you dig into the details of it, the substance of Deere’s response falls short. That bug bounty program, for example, excludes any vulnerabilities related to Deere equipment, which is “out of scope.” And even for what is “in scope” (web sites, software), it hasn’t led to any public disclosures of flaws. It’s also pretty sleepy. Of the 106 bug reports received in the last 90 days, Deere has only resolved 41 of them. And Deere, a $116 billion company, is rewarding those researchers who report flaws with swag - hats and t-shirts. That’s great, but hardly a major industrial equipment maker “putting its money where its mouth is.”
Autonomous and Mysterious
The function of the bounty program was not to open its doors to the best minds in the security world to assess Deere’s security. Rather, its main purpose appears to have been to rope researchers - starting with Sick Codes - into onerous NDAs that prevent any disclosure of security flaws in the company’s software.
At the end of the day, it matters to all of us whether the multi-ton machinery with the robotic arms and the always on internet connection is secure. It matters to the people working alongside autonomous equipment on farms and in the fields, and it matters to all of us downstream consumers of..umm...food. Unfortunately, we’re going to need more than Deere’s good word on whether or not its gear is secure. Before you get autonomous, in other words, it would be good if you became less mysterious, John Deere.
Fails on Privacy, Environment and more
Of course, cybersecurity is only one category for the Worst In Show at CES. Check out the whole Worst In Show presentation, which addresses CES fails on privacy and the environment, as well as the community choice award for “worst in show!”
Privacy: Sengled Smart Health Monitoring Lightbulb - Cindy Cohn, Electronic Frontier Foundation
Environmental Impact: Samsung NFT Aggregation Platform - Nathan Proctor, US Public Interest Research Group
Community Choice: John Deere Autonomous 8R Tractor - Gay Gordon Byrne, Repair.org
Overall: Lenovo Smart Clock Essential - Cory Doctorow, Special Advisor, Electronic Frontier Foundation