At 2021's DefCon event, cybersecurity researcher Sick Codes and his team brought to light what he deemed a "tractor load of vulnerabilities" in John Deere's autonomous agriculture systems.

The vulnerabilities the group discovered allowed them "to upload files to any user, log in as any user, destroy any farm, run any farm off the road, upload whatever we want, download whatever we want, destroy any data, log in to any third party accounts," he said during the presentation. "We could literally do whatever the heck we wanted with anything we wanted on the John Deere Operation Center. Period. And that's when we stopped because we pretty much had rope on the whole organization."

Sick Codes stressed the importance of identifying vulnerabilities and fixing them to prevent, for example, overspraying fields with chemicals. Deere at the time denied that the vulnerabilities identified by Sick Codes had enabled any unauthorized access to data, accounts, or personal information.

Sick Codes continued the investigation into the security of the company's autonomous farming machines at DefCon 2022 in August by hacking into two different models of Deere's autonomous tractors to play the video game Doom on their in-cab screens.

Critics and Deere alike have noted that Deere carries a certain depth of responsibility, especially as the self-proclaimed tech company works to connect its agriculture machines using terrestrial cellular networks and satellite connectivity. "We are deeply committed and work tirelessly to safeguard our customers, and the role they play in the global food supply chain," Deere said in a statement.

"We take cybersecurity very serious[ly]," Julian Sanchez, director of emerging technology for John Deere, told SDxCentral during an interview onsite at Deere's test farm in Des Moines, Iowa, in late September.

He explained that to prevent unwanted access to the Deere Operation Center – which is the platform farmers use to monitor and manage their autonomous equipment – "We're constantly testing all of those scenarios. We're constantly evaluating all of those corner cases that could come about," Sanchez said.

Deere's internal security team includes more than 300 product and information security professionals, and the company says it embraces the broader ethical hacker community as part of its security strategy.

In terms of Deere's tech stack, the operations center is part of the cloud layer. Sanchez noted that as you go down the stack, the security deepens. "Obviously, the closer you get to the machine, the more protection there is and the more locked-down that those modules are," he said, referencing the embedded software within each machine.

"Depending on which level of the tech stack we're talking about, we're looking at different control measures and different security measures to make sure that those different software modules are protected accordingly," Sanchez said.

Deere told SDxCentral in a statement that Sick Codes' August DefCon presentation hinged on capabilities that were "obtained through invasive/persistent physical access, disassembly of a hardware product, and reverse engineering of proprietary software. At no point [was] a customer or dealer’s equipment, networks, or data at risk."

Data Controls

As far as the data Deere collects, "we work with the best of the best to make sure those data are protected," Sanchez noted, referencing Deere's partnership with cybersecurity vendors like HackerOne.

Deere also claims to give farmers full control of their operational data. "John Deere doesn't have control of that. The farmers have control of that," Sanchez said. He highlighted tools in the operation center that let farmers share data with agronomists or even Deere's competitors.

"We've also built a suite of APIs in the operation center that allow farmers to move their data – again, at their wishes – move their data in and out of the operation center as they see fit," he added.

Deere recently opened IT offices in Chicago, Illinois, and a tech innovation hub in Austin, Texas, which will continue to strengthen the company's IT talent pool and industry position as a tech company.