Sick Codes jailbreaks tractor at DefCon in right-to-repair move

*This story has been updated with a response from John Deere.

A hacker known as Sick Codes presented at DefCon on Saturday a new jailbreak for a John Deere tractor that allows him to take control of a tractor model through its display.

After the exploit was described at DefCon in Las Vegas, it quickly attracted attention on social media from the right-to-repair movement, including allies of farmers who want to be able to modify their expensive farm equipment. Others worried the hack shows the vulnerability of the entire food production system.

“Sick Codes has jailbroken a John Deere, and this is just the beginning,” tweeted Kyle Wiens, the CEO of iFixit and a right-to-repair advocate. “Turns out our entire food system is built on outdated, unpatched Linux and Windows CE hardware with LTE modems.”

Wiens later tweeted the hack is “foundational work that will pave the path for farmers to retake control of the equipment they own.”

*John Deere issued a statement saying Sick Codes reverse engineered the company's proprietary software and assured the public that his hack did not put data, networks or any customer or dealer equipment at risk. The company said it embraces the "broader ethical hacking community to ensure our security capabilities continue to lead the industry."

The right-to-repair movement has gained steam in recent months, driven partly by interest in iPhone jailbreaking but also by other devices such as medical equipment and automobiles. An executive order issued by the White House last year directed the Federal Trade Commission to increase enforcement against manufacturer practices of voiding warranties when owners conduct outside repair. The New York State Assembly also passed a right-to-repair law by 147-2 on June 3.

Sick Codes was able to show, somewhat humorously, a corn-themed version of “Doom” running on the display of a John Deere tractor. The exploit was not a remote attack and was shown at the DefCon event on a Model 4240 John Deere, according to a tweet that Sick Codes sent after the event.

Sick Codes is an Australian who lives in Asia, according to Wired. In an interview with the publication, he recalled how he presented at DefCon in 2021 about vulnerabilities in tractor application programming interfaces, which prompted John Deere and other tractor companies to fix some programming flaws. But then, farmers and others in the right-to-repair movement complained. “I figured I would put my money where my mouth is and actually prove to farmers that they can root the devices,” he said in the latest Wired interview. “Liberate the tractors!”

“We want farmers to be able to repair their stuff for when things go wrong and now that means being able to repair or make decisions about the software in their tractors,” he also told Wired.

In his tweets and his Wired interview, Sick Codes explained that his jailbreak took many months: he first had to bypass John Deere’s dealer authentication requirement before he could game a reboot check to restore the device as if it were being accessed by a certified dealer. Inside, he found the system would offer up logs to help authorized dealers diagnose problems, as well as a pathway to another timing attack for deeper access. He eventually soldered controllers directly onto the circuit board and was able to bypass the system protections.

“I launched the attack and two minutes later a terminal pops up,” he said. “I had root access, which is rare in Deere land.”

He told Wired that Deere might be able to patch the flaws with full disk encryption, a big system overhaul.

While Deere was not available for immediate comment on Sick Codes’ Saturday presentation, the company did issue a statement a year ago saying various claims of exploits did not enable access to customer accounts, dealer accounts or sensitive personal information. “John Deere considers the security of our systems and the data within them a top priority and we work tirelessly to identify and address any misconfigurations as quickly as possible,” Deere said in 2021. “Deere also recognizes the important role our products play in food security and within the global food supply chain.”

In 2021, Sick Codes described how control of a tractor by a bad actor could lead to overspraying of fields with pesticides, amounting to a “denial of service” for that field as a productive part of the food supply chain. The presentation is on YouTube.

*Here is John Deere's entire statement following the Sick Codes hack:

"John Deere’s top priority is, and will always be, to protect our customers, their machines, and their data. The capabilities that Sick Codes demonstrated during his recent presentation at DefCon were obtained through invasive/persistent physical access, disassembly of a hardware product and reverse engineering of proprietary software. At no point were a customer or dealer’s equipment, networks, or data at risk.

"Any researcher, given unfettered physical access and time, will eventually be able to adversely impact the operations of a device, and no company, including John Deere, is immune to such access. However, we are deeply committed and work tirelessly to safeguard our customers, and the role they play in the global food supply chain.

"In addition to a dedicated team of over 300 product and information security professionals, we also work closely with industry-leading cybersecurity partners like HackerOne and embrace the broader ethical hacking community to ensure our security capabilities continue to lead the industry."