Jailbreaks are common among Android and iPhone users who want to unlock their devices and use them on other carriers. But a new jailbreak for John Deere tractors and other agricultural equipment raises questions about the security of farm equipment and, more broadly, about the security of smart devices at the edge of networks.
The jailbreak, developed by an independent researcher known only as Sick Codes, allows users to bypass security restrictions on John Deere equipment.
At DEF CON earlier this month, he showed how to break into a vintage Deere monitor and played the classic first-person shooter Doom on Deere’s hardware.
He also presented at DEF CON last year, where he described how he and researchers from the group Sakura Samurai uncovered flaws in Deere software and applications.
“For this year’s talk, Sick Codes turned his attention from Deere’s software and services to the hardware that is installed in its farm machinery, which regularly sells for high six- and even seven-figure sums”, explained Paul Roberts in a SecurityLedger.com article.
“Most Deere equipment manufactured in the last 20 years is software-driven, with farm implements equipped with in-cabin touch screen monitors that are used to control an array of ECUs (Electronic Control Units) on the equipment. That interface is supplemented by data from cellular mobile telematics gateways (MTGs) that communicate with cloud-based servers run by Deere, as well as satellite-based connections for real-time GPS signals that are used to direct the device in the field,” Roberts explained.
Farm equipment is expensive and may be used for decades, as opposed to smartphones or laptops, which only last a few years. That has resulted in a lucrative aftermarket for parts. For example, 25-year-old Deere 1800 series “Brown Box” monitors running Windows CE, which Microsoft no longer supports, sell for hundreds of dollars each.
At the heart of the Deere monitors that Sick Codes hacked, as part of a year-long effort, is the Wind River Linux operating system. The jailbreak could potentially allow anyone to modify the software on John Deere machinery. In addition, the researcher claims he discovered many serious, exploitable software vulnerabilities.
This revelation could severely affect agricultural equipment security and the food supply chain.
Deere is the largest agricultural equipment manufacturer worldwide and sells twice as much equipment as its two next-largest competitors combined. Various other industries, including construction, forestry, and landscaping, also use the company’s products.
The fact that most vital equipment in the US food supply runs on outdated or no-longer-supported operating systems is a serious cause for concern: a cyber attack on that equipment could devastate American agriculture.
While the release of the jailbreak highlights the need for better security in agricultural equipment, it also raises questions about the competition between farm equipment manufacturers.
Many farmers are already unhappy with Deere’s monopoly on repair and service. They have accused the company of using its dominance to charge high prices for parts and services. The release of a jailbreak could make it easier for farmers to be less dependent on Deere and use third-party software, for example.
Roberts reported that Deere will make diagnostic software and information more available to farmers, who currently must rely on John Deere authorized repair professionals for most substantive maintenance. The plans have been criticized as insufficient because of Deere’s pricing of software needed for repairs, as well as restrictions on common repairs.
Sick Codes’ work leading up to his jailbreak of John Deere agricultural equipment was extensive and not easy to replicate. Still, it raises challenging questions about farm equipment security and the competition between manufacturers. As mentioned, the fact that most vital equipment in the US food supply runs on a no-longer-supported operating system is a serious cause for concern, and cyber attacks could devastate American agriculture.
The jailbreak release also highlights the need for better security in agricultural equipment. Manufacturers need to move beyond the old “security through obscurity” paradigm and address the vulnerabilities revealed by researchers like Sick Codes.
This could be a positive development for farmers, who have long been unhappy with Deere’s monopoly on repair and service. The jailbreak, while primarily intended to highlight security flaws, could also affect right-to-repair initiatives. The quality of aftermarket parts and services is a legitimate concern, but it must be balanced against the right to repair and the right to better security. More broadly, better security isn’t only a John Deere issue: all technology vendors, equipment manufacturers, and software developers need to pay more attention to securing edge devices in order to keep economies running.