Farmers around the world are turning to tractor hacking to get around the digital locks on their equipment. Jailbreaking lets them modify and repair the expensive machines their work depends on, the way they could with older, analog tractors. At the DefCon security conference in Las Vegas on Saturday, the hacker known as Sick Codes is presenting a new jailbreak that gives him control of multiple tractor models through their touchscreens.
The research underscores the security implications of the right-to-repair movement. The tractor exploit Sick Codes uncovered isn't a remote attack; it requires hands-on access to the hardware. But it rests on a fundamental weakness in the devices that malicious actors could exploit, or potentially chain with other vulnerabilities, and the agriculture industry and food supply chain depend on this equipment being secure. At the same time, the same flaws let farmers do what they need to do with their own equipment.
John Deere didn't comment on the research.
Sick Codes, an Australian who lives in Asia, presented at DefCon in 2021 about tractor application programming interfaces and operating system bugs. After he made his research public, tractor companies, including John Deere, started fixing some of the flaws. “The right-to-repair side was a little bit opposed to what I was trying to do,” he tells WIRED. “I heard from some farmers; one guy emailed me and was like ‘You’re fucking up all of our stuff!’ So I figured I would put my money where my mouth is and actually prove to farmers that they can root the devices.” Sick Codes is concerned about world food security and the exposure that comes from vulnerable farming equipment, but he also sees value in letting farmers control their own equipment. He wants to liberate the tractor.
The movement has reached a turning point after years of controversy over the right to repair equipment. The Federal Trade Commission was directed by the White House to increase enforcement over practices like voiding warranties. With New York state passing its own right-to-repair law, the movement has gained unprecedented traction.
John Deere said in March that it would give more of its repair software to equipment owners. The enhanced customer solution will allow customers and mechanics to download and apply official software updates for Deere equipment themselves, rather than having John Deere apply the patches remotely or force farmers to bring products to authorized dealerships.
Farmers prefer older equipment because it is reliable: they cannot afford a failure at the most important part of the year, when they have to pull crops out of the ground. Sick Codes argues that everyone should want that reliability, and that farmers should be able to repair, and make their own decisions about, the software in their tractors.
Sick Codes got his hands on a large number of John Deere tractor control consoles, and focused on a few models for the exploit he is presenting. After experimenting on a number of touchscreen circuit boards, he found that he could restore a device as if it were being accessed by a certified dealer.
Once the system believed it was in that dealer environment, it handed over more than 1.5 gigabytes of logs that were meant for authorized service providers. Those logs revealed the path to a further timing attack that could grant deeper access. After soldering controllers directly onto the circuit board, Sick Codes was able to carry out that attack.
Sick Codes says that two minutes after he launched the attack, a terminal popped up and gave him root access, something he describes as rare in Deere land.
The approach requires physical access to the circuit board, but Sick Codes says it would be possible to develop a tool based on the vulnerabilities. He's curious to see how John Deere will respond. He's unsure how comprehensively the company can patch the flaws without implementing full-disk encryption, an addition that would mean a significant system upgrade in new tractor designs and likely wouldn't be deployed to existing equipment.
His first priority? Running a farm-themed version of Doom on the tractor.
This story was first published on wired.com.