How bad the problem with John Deere tractors really is, and how not being open leads to incredibly bad security

Last Saturday, I sat in a crowded ballroom at Caesar’s Forum in Las Vegas and watched Sickcodes jailbreak a John Deere tractor’s control unit live, before an audience of cheering Defcon 30 attendees (and, possibly, a few undercover Deere execs, who often attend Sickcodes’s talks).

The presentation was significant because Deere – along with Apple – is in the vanguard of the war on repair: a company that has made wild and outlandish claims about why farmers must pay it hundreds of dollars every time they fix their own tractors, and then wait for days for an authorized technician to come to their farm and type an unlock code.

Deere’s claims have included the astounding statement that the farmers who spend hundreds of thousands of dollars on tractors don’t actually own those tractors, because the software that animates them is only licensed, not sold:

https://memex.craphound.com/2017/04/22/john-deere-just-told-the-copyright-office-that-only-corporations-can-own-property-humans-can-only-license-it/

They’ve also claimed that locking farmers out of their tractors is for their own good, because otherwise hackers could take over those tractors and endanger the food supply. While it’s true that the John Deere tractor monopoly means that defects in the company’s products could affect farms all around the world, it’s also true that John Deere is very, very bad at information security:

https://pluralistic.net/2021/04/23/reputation-laundry/#deere-john

The company’s insistence that they are guardians of farmers and the agricultural sector is a paper-thin cover for monopolistic practices and rent-seeking. Monopolizing the repair and reconfiguration of Deere products gives the company all kinds of little gifts – for example, they can refuse to fix the tractors of dissatisfied customers unless they agree to gag-orders:

https://pluralistic.net/2022/05/31/dealers-choice/#be-a-shame-if-something-were-to-happen-to-it

And because so few of us understand information security, or monopoly, or agribusiness (let alone all three!) they can spin their dangerous, grossly unfair practices as features, not bugs. Remember when they trumpeted the fact that they’d remotely bricked some Ukrainian Deere products that had been looted by Russian soldiers?

https://doctorow.medium.com/about-those-kill-switched-ukrainian-tractors-bc93f471b9c8

What they didn’t say – and what almost no one pointed out – was that this meant that anyone who could hack John Deere’s system could brick any tractor – including, say, the Russian military’s hacking squads. They also didn’t say that Ukrainian farmers had long chafed under Deere’s corporate control, and had developed illegal third-party tractor firmware that farmers all over the world had covertly installed:

https://www.vice.com/en/article/xykkkd/why-american-farmers-are-hacking-their-tractors-with-ukrainian-firmware

And that means that the Russian looters who supposedly were foiled by Deere’s corporate remote killswitches can re-activate their tractors, by using the Ukrainian software developed in response to the company’s monopolistic practices.

Which brings me back to Sickcodes and his awesome presentation at Defcon 30 this weekend. I watched from the front row, sitting next to the repair champion Kyle Wiens, founder of iFixit, who turned his notes into an excellent Twitter thread:

https://twitter.com/kwiens/status/1558688970799648769

As Kyle points out, Deere has repeatedly told state and federal lawmakers and regulators that farmers can’t be trusted to repair or modify their own tractors. This is obviously nonsense: indeed, for decades, Deere product development consisted of sending engineers out to document the improvements farmers had made to their tractors so the company could copy them:

https://securityledger.com/2019/03/opinion-my-grandfathers-john-deere-would-support-our-right-to-repair/

Writing for Wired, Lily Hay Newman provides some great technical details on the hack, including how Sickcodes acquired (and accidentally broke!) several 2630 and 4240 touchscreen control units, eventually demounting the main controller and soldering it into a new board that he used to probe the system:

https://www.wired.com/story/john-deere-tractor-jailbreak-defcon-2022/

He discovered that the system was designed to send an extraordinary amount of data to John Deere – his control unit tried to exfiltrate 1.5GB worth of data once he brought it online. He also discovered that as soon as he was able to conjure up a terminal, he had root access to the system.

This was great news for Sickcodes, but it raises serious questions about Deere’s information security practices. As Kyle points out, this entire system ran on deprecated, unpatched, elderly GNU/Linux software and Windows CE, an operating system that was end-of-lifed in 2018, and which was so bad that people forced to use it typically called it “Wince.”

Sickcodes discovered all kinds of security worst practices in John Deere’s systems – even in the parts intended to secure the company’s profits against its own customers’ best interests. For example, at one point Sickcodes put the control unit into maintenance mode by repeatedly rebooting it, so that it refused to allow him to do anything until he brought it to a dealer. He discovered that all it took to convince the computer that he was a dealer was to create an empty text file on its hard drive whose filename was something like “IAmADealer.txt” (I didn’t write down the exact filename, alas, but that’s not far off!).
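The dealer-mode check described above is authorization by the mere presence of a file: nothing about the file is verified, so anyone who can write to the filesystem is a “dealer.” As an added illustration (not code from the talk, the page or Deere), the Python below contrasts that pattern with a dealer token that must be authentic, bound to one device and unexpired. The marker filename, the token layout, the device id and the demo key are all constructed for this example. HMAC from the standard library stands in for what should be an asymmetric signature, so that a real unit would hold only a verifying public key rather than the issuing secret.

```python
"""Marker-file 'dealer mode' versus a signed, device-bound, expiring token.

Added illustration, not Deere's code. DEALER_MARKER, DEALER_TOKEN, the claim
layout and the demo key are assumptions made for the example.
"""
import hashlib
import hmac
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

# Hypothetical names standing in for the "IAmADealer.txt"-style file described
# in the talk; the real filename is not known here.
DEALER_MARKER = "dealer_mode.flag"
DEALER_TOKEN = "dealer_token.json"


def weak_dealer_check(root: Path) -> bool:
    """Weak pattern: authorization is the existence of a file.

    The contents are never examined, so an empty file created by anyone
    with write access to the filesystem satisfies the check.
    """
    return (root / DEALER_MARKER).exists()


def _canonical(claims: dict) -> bytes:
    # Deterministic encoding so issuer and verifier MAC the same bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_dealer_token(key: bytes, device_id: str, ttl_s: int,
                       now: Optional[float] = None) -> str:
    """Issued by the vendor's back office (holder of `key`), never by the unit."""
    now = time.time() if now is None else now
    claims = {"device_id": device_id, "exp": int(now) + ttl_s,
              "nonce": os.urandom(8).hex()}
    tag = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return json.dumps({"claims": claims, "tag": tag}, sort_keys=True)


def strong_dealer_check(root: Path, key: bytes, device_id: str,
                        now: Optional[float] = None) -> bool:
    """Stronger pattern: token must verify, name this device and be unexpired."""
    now = time.time() if now is None else now
    try:
        envelope = json.loads((root / DEALER_TOKEN).read_text())
        claims, tag = envelope["claims"], envelope["tag"]
    except (OSError, ValueError, KeyError, TypeError):
        return False  # missing, empty or malformed token grants nothing
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(tag)):
        return False  # forged or tampered claims
    if claims.get("device_id") != device_id:
        return False  # token was issued for a different machine
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False  # expired
    return True


def demo() -> dict:
    """Exercise both checks against constructed files in a scratch directory."""
    key = b"constructed-demo-key-not-a-real-secret"
    device = "unit-0001"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / DEALER_MARKER).touch()  # empty file is enough for the weak check
        results["weak_empty_file"] = weak_dealer_check(root)
        (root / DEALER_TOKEN).touch()  # empty file is not enough for the strong one
        results["strong_empty_file"] = strong_dealer_check(root, key, device)
        (root / DEALER_TOKEN).write_text(issue_dealer_token(key, device, ttl_s=3600))
        results["strong_valid"] = strong_dealer_check(root, key, device)
        results["strong_wrong_device"] = strong_dealer_check(root, key, "unit-0002")
        (root / DEALER_TOKEN).write_text(
            issue_dealer_token(key, device, ttl_s=1, now=1000.0))
        results["strong_expired"] = strong_dealer_check(root, key, device, now=5000.0)
        env = json.loads(issue_dealer_token(key, device, ttl_s=3600))
        env["claims"]["device_id"] = "unit-0002"  # edit claims without re-signing
        (root / DEALER_TOKEN).write_text(json.dumps(env))
        results["strong_tampered"] = strong_dealer_check(root, key, "unit-0002")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authorized' if ok else 'denied'}")
```

The design point is that the decision should rest on something the filesystem writer cannot manufacture. With the HMAC used here the verifying key still lives on the unit, which is why a production design would sign tokens with a private key kept off the device and verify with the corresponding public key; the device-binding and expiry checks carry over unchanged.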

Another revelation from Sickcodes: the company made extensive use of free/open source software but seems to be gravely out-of-compliance with the license terms (I’m told that organizations that do legal enforcement of free/open licenses are now aware of this).

So to recap: the company says it has to block farmers from having the final say over their own tractors because they could create security risks and also threaten Deere’s copyrights (the company even claims that locking down tractors is necessary to prevent music infringement, as though a farmer would spend $600k on a tractor so they could streamrip Spotify tracks).

But in reality, the company itself is a dumpster-fire of information security worst practices, whose unpatched, badly configured, out-of-date tractors are a bonanza of vulnerabilities and unforced errors. What’s more, the company – which claims to be a staunch defender of copyright – uses its copyright locks to hide the fact that it is committing serious breaches of software copyright.

In serious information security circles, it’s widely understood that “there is no security in obscurity” – that is, hiding how a system works doesn’t make it secure. Usually, this is understood to be grounded in the fact that if you hide your work, you might make mistakes that others would spot and point out to you:

https://doctorow.medium.com/como-is-infosec-307f87004563

But there’s another problem with security through obscurity: when you don’t have to show your work to others, you can be sloppy. Whereas, if your work is open to inspection, your own aversion to being seen as slapdash will impose a rigor on your process, which will make the whole thing better:

https://doctorow.medium.com/the-memex-method-238c71f2fb46

With Deere’s security through obscurity, we see both pathologies on display. The company uses its opacity to commit sloppy security bugs, and also to cover up its violations of copyright law – and then, of course, it accuses its critics of being guilty of those two exact sins. Takes one to know one:

https://doctorow.medium.com/takes-one-to-know-one-104d7d749408

Sickcodes closed out by saying that while his hack required a lot of fiddling with the hardware, he was already scheming to build a little tool that could access and jailbreak a tractor without ripping chips off a board or doing a lot of soldering.

And then he played a custom, farm-themed version of Doom on his jailbroken tractor controller.

Source: Pluralistic: 15 Aug 2022 – Pluralistic: Daily links from Cory Doctorow

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

 robin@edgarbv.com  https://www.edgarbv.com