The week starts with yet another security breach. At the DefCon Black Hat security conference in Los Vegas on Saturday, the hacker known as Sick Codes presented a new jailbreak that allows him to take control of several models of John Deere tractors via their touchscreen terminals.
This case demonstrates how vulnerabilities in device software can lead to fundamental security risks. If software is not continuously updated, as it should be, this poses real dangers not only to device functionality but also to people. The current hack not only has negative consequences for John Deere's interests and trustworthiness, but also has the potential to put the agricultural industry, and therefore the food supply chain, at risk.
In this blog post, we explain what has allegedly happened, how it affects equipment maker Deere & Company and other manufacturers, and present ideas on how to mitigate the risk and avoid such exploits in the future.
Sick Codes @ DEF CON 2022: Hacking the farm
Sick Codes presented “a *very* special John Deere jailbroken tractor display” in his “Hacking the farm.” Talk, as he states on Twitter. The tractor terminal was used in his presentation to run a custom farm-themed version of the game Doom. This fun excursion was meant to convey that Sick Codes had gained root access to the device and now has full control over it.
Playing Doom on a John Deere tractor display (jailbroken/rooted) at @defcon pic.twitter.com/ih0QUTGNuS— Sick.Codes (@sickcodes) August 14, 2022
To achieve this, he managed to bypass the dealer authentication and start a reboot check to restore the device. In this way, the terminal behaved as if it were being used by a certified merchant account, which greatly expanded the hacker's rights and privileges. But that's not the end of the story. Through the log history of the device, he was able to dig even deeper and discovered another potential timing attack. Part of the reason this attack was possible is that some John Deere terminals, including the 2630 and 4240 models, run unpatched Linux and unsupported Windows CE systems that are outdated and vulnerable to existing exploits.
He also soldered a custom controller directly onto the board to bypass the system's protection mechanisms. He impressively demonstrated that John Deere's devices are not protected from internal and external threats.
To be clear, Sick Codes gained physical access to the device in order to exploit the vulnerabilities within the terminal’s software stack and take advantage of the outdated software version. While it took him several months to do this hack, as he explains in an article by the Wire, it would be possible to develop a tool that would greatly simplify this process and make it more accessible for example to farmers who want to gain access to their devices.
Why Sick Codes investigates agricultural tech for vulnerabilities
Sick Codes is a hacker and researcher who uncovers security vulnerabilities. He got the idea to investigate agricultural technology in 2021, when he became interested in John Deere products because he learned from a colleague that newer agriculture terminals were connected to the John Deere website and could send and receive files. As he writes on his website, “this seemed like an awesome attack vector to start looking at”.
Turns out it was not necessary to dive deep into the massive software portal. He discovered the first issue already when logging in. But that was not anywhere near the end of it. In his research, he discovered some serious security vulnerabilities that allowed hackers to find out sensitive data about John Deere's customers based on their VIN numbers: Owner, location of operation, age and duration of subscription.
This first encounter with John Deere's software resulted in some fixes being pushed to the farmers' devices without their permission, which greatly angered some of them. This encouraged Sick Codes to give farmers more access to their own devices to help them gain back control.
What the John Deere jailbreak means for the company
Most device manufacturers won't care about fixing things that aren't directly broken, especially if their products aren't connected to the Internet. Due to this mindset, the current transition from offline-only low-tech devices to connected high-tech devices that can run powerful applications makes the agriculture industry vulnerable. This is not just a problem for farmers and businesses to deal with, but a serious problem that could threaten the food supply chain in the U.S. in particular, since John Deere owns 50% of the market. If you can brick a region’s or whole nation's tractors, you could put a large dent in their agricultural productivity.
Beyond the actual security implications, the whole incident has a major impact on John Deere, as the company is greatly affected by the ongoing public demands of the Right-to-Repair movement. Twelve farm labor, advocacy, and repair groups handed in formal complaints at the U.S. Federal Trade Commission to give the purchaser and owner of a device more control and/or access rights. Formally, this has not been possible due to restricted access to its devices’ diagnostic software and other information necessary to repair products without going to a John Deere vendor. For this reason, Sick Codes Hack is paving the way for farmers to gain access to and complete control of their equipment, saying “Liberate the tractors!”.
Since John Deere apparently provides the infrastructure for over-the-air updates, outdated software components could have been avoided in the first place. This would prevent unauthorized access and keep the device's functionality. The reliable provision of security updates for modern high-tech devices, even if they are used in rural areas, is extremely important. They are not optional if companies want to successfully position products on the market in the long term.
What the John Deere tractor hack means for other companies
It is difficult to overestimate the relevance of security updates for all companies in the context of industrial IoT, not just for those in the agricultural machinery market. Modern digital embedded products need to be regularly updated with the latest security patches, feature upgrades and additional business services. Today, software updates are the essential part of competitive solutions, without them products are becoming outdated the moment they are released.
At emteria, we are well aware of the security risks and high demand that solution manufacturers face today. That's why we provide a reliable cloud-backed over-the-air infrastructure to keep embedded devices running Android secure and up to date. We are currently preparing the release of Android 12, but we also care about keeping existing products up to date. For example, we are helping our customers to apply security patches for their eight-year-old software stacks to ensure that not only new but also customers' previous investments are protected and up-to-date. We envision that modern software development and update rollout processes in the IIoT environment will look like this everywhere in the future.
Let's summarize: Sick Codes has impressively demonstrated a jailbreak of John Deere tractors. He was able to bypass John Deere's authentication and gained access to the underlying software of the tractor terminal.
The hack demonstrates that agricultural products may open the door for external threads by relying on older versions of operating systems and lacking proper over-the-air firmware updates. Because creating and distributing software updates will gain even more important for competitive solutions, enterprises in many sectors need to invest in a reliable over-the-air infrastructure to prevent hacks and malfunctions in mission-critical devices.
Learn more about emteria's automated CI/CD pipeline for AOSP and reliable cloud OTA infrastructure that lets you automatically create and deploy over-the-air firmware updates for Android.
Links and sources:
- Wired - Lily Hay Newman - A New Jailbreak for John Deere Tractors Rides the Right-to-Repair Wave
- Sick Codes - Leaky John Deere API’s
- Sick Codes -Sick Codes @ DEF CON 2022
- The Register - Thomas Claburn - Deere & Co won't give out software and data needed for repairs, watchdog told