A new jailbreak for John Deere tractors rides the right-to-repair wave

August 15, 2022:

A new jailbreak for John Deere tractors rides the right-to-repair wave

Farmers around the world have turned to tractor hacking so they can bypass the digital locks that manufacturers impose on their vehicles. Like insulin pump “looping” and iPhone jailbreaking, this allows farmers to modify and repair the expensive equipment that’s vital to their work, the way they could with analog tractors. At the DefCon security conference in Las Vegas on Saturday, the hacker known as Sick Codes is presenting a new jailbreak for John Deere & Co. tractors that allows him to take control of multiple models through their touchscreens.

The finding underscores the security implications of the right-to-repair movement. The tractor exploitation that Sick Codes uncovered isn’t a remote attack, but the vulnerabilities involved represent fundamental insecurities in the devices that could be exploited by malicious actors or potentially chained with other vulnerabilities. Securing the agriculture industry and food supply chain is crucial, as incidents like the 2021 JBS Meat ransomware attack have shown. At the same time, though, vulnerabilities like the ones that Sick Codes found help farmers do what they need to do with their own equipment.

John Deere did not respond to WIRED’s request for comment about the research.

Sick Codes, an Australian who lives in Asia, presented at DefCon in 2021 about tractor application programming interfaces and operating system bugs. After he made his research public, tractor companies, including John Deere, started fixing some of the flaws. “The right-to-repair side was a little bit opposed to what I was trying to do,” he tells WIRED. “I heard from some farmers; one guy emailed me and was like ‘You’re fucking up all of our stuff!’ So I figured I would put my money where my mouth is and actually prove to farmers that they can root the devices.”

This year, Sick Codes says that while he is primarily concerned about world food security and the exposure that comes from vulnerable farming equipment, he also sees important value in letting farmers fully control their own equipment. “Liberate the tractors!” he says.

After years of controversy in the US over the “right to repair” the equipment one purchases, the movement seems to have reached a turning point. The White House issued an executive order last year directing the Federal Trade Commission to increase enforcement efforts over practices like voiding warranties for outside repair. That, combined with New York state passing its own right-to-repair law and creative activist pressure, has generated unprecedented momentum for the movement.

Facing mounting pressure, John Deere announced in March that it would make more of its repair software available to equipment owners. The company also said at the time that it will release an “enhanced customer solution” next year so customers and mechanics can download and apply official software updates for Deere equipment themselves, rather than having John Deere unilaterally apply the patches remotely or force farmers to bring products to authorized dealerships.

“Farmers prefer the older equipment simply because they want reliability. They don’t want stuff to go wrong at the most important part of the year when they have to pull stuff out of the ground,” Sick Codes says. “So that’s what we should all want too. We want farmers to be able to repair their stuff for when things go wrong, and now that means being able to repair or make decisions about the software in their tractors.”

To develop his jailbreak, Sick Codes got his hands on numerous generations of John Deere tractor control touchscreen consoles. But ultimately he focused on a few models, including the widely deployed 2630 and 4240 models, for the exploit he is presenting. It took experimentation on a number of touchscreen circuit boards over many months to find bypasses to John Deere’s dealer authentication requirements, but eventually Sick Codes was able to game a reboot check to restore the device as if it were being accessed by a certified dealer.

He found that when the system thought it was in such an environment, it would offer more than 1.5 GB worth of logs that were meant to help authorized service providers diagnose problems. The logs also revealed the path to another potential timing attack that might grant deeper access. Sick Codes soldered controllers directly onto the circuit board and eventually got his attack to bypass the system’s protections.

“I launched the attack, and two minutes later a terminal pops up,” Sick Codes says of the program used to access a computer’s command-line interface. “I had root access, which is rare in Deere land.”

The approach requires physical access to the circuit board, but Sick Codes says it would be possible to develop a tool based on the vulnerabilities to more easily execute the jailbreak. Mostly he says he is curious to see how John Deere will react. He’s unsure how comprehensively the company can patch the flaws without implementing full disk encryption, an addition that would mean a significant system overhaul in new tractor designs and likely wouldn’t be deployed in existing equipment.

The first priority? Running custom farm-themed Doom on the tractor, of course.

This story originally appeared on wired.com.

Source link