If you can jailbreak a phone, you can jailbreak a tractor. And if you can jailbreak a John Deere tractor, you can play Doom on its touchscreen.
At DefCon in August, Australian hacker Sick Codes showed how to do just that on John Deere’s 2630 and 4240 model tractors.
While playing a video game on a tractor’s computer system may just seem like a stunt, the demonstration brought up important questions about John Deere’s cybersecurity practices—questions made all the more urgent by its ongoing push to pivot its business model toward software and digital subscriptions.
The company unveiled a self-driving tractor at CES earlier this year and is investing billions of dollars to make farming equipment internet-connected and partially automated—able to make decisions based on analysis of cloud-based datasets managed by the John Deere Operations Center. By 2030, CEO John May expects that 10% of the company’s annual revenue will come from software subscription fees.
“It’s a pretty insecure piece of technology. That might be okay if the tractor wasn’t connected to the internet,” Kyle Wiens, co-founder and CEO of iFixit and a right-to-repair advocate, told us. “The national security problem that we have here is that John Deere owns most of the market, and they have decided in their infinite wisdom to connect most of our nation’s agricultural machinery to the internet.”
The presentation last month wasn’t the first time Sick Codes had circumvented the ag giant’s security. Last year, he hacked into the company’s mainframe, prompting the Department of Homeland Security to get involved, he told Emerging Tech Brew.
In response to questions, John Deere spokesperson Jen Hartmann pointed us to previous statements on cybersecurity.
Growing pains
Transitioning from a tractor company to a “data-harvesting conglomerate, whatever it is,” is a steep learning curve, Sick Codes said, and in his view, John Deere has made some missteps.
“They’ve got a responsibility to take care of the entire food chain,” he said. “They’ve got insane amounts of accountability and they’re also publicly traded. And they’re just not pulling their weight.”
Earlier this year, the FBI warned that farmers and other agricultural businesses could be enticing targets for ransomware attacks.
If a bad actor “wanted to take out America’s agriculture, all you would need to do is run these tractors into the red line and burn their engines out. You wouldn’t even need to drive them,” Wiens said.
Companies often have bug-bounty programs that reward external security researchers and hackers for finding security issues in their products. John Deere established one last year, but the success of the program remains unclear, according to Wiens. John Deere declined to specify how many bug bounties it has processed through its responsible disclosure program.
Automakers are also facing new cybersecurity concerns, but the standards that are becoming widely accepted in the EV industry, for example, are not yet well understood or regulated for other autonomous and connected machinery, David Chaddock, director of cybersecurity at consulting firm West Monroe, told us.
“When you talk about all the equipment, it’s almost on a spectrum of more toward the Wild, Wild West,” he said. “Autonomous vehicles, which may or may not be electric—that kind of stuff, there right now is no real federal regulation of ‘you must.’”
The industry also faces a potential challenge of hiring software developers or cybersecurity experts into legacy companies that may not be perceived as high-tech, Chaddock said.
“Right now, across the board, you’ve got a talent shortage. When it comes to cybersecurity, that’s even more amplified,” Chaddock told us.
Hartmann told us in an emailed statement that the company has opened two “tech hubs” in Austin, TX, and Chicago, and is working with “several universities” to help attract new tech talent.
Zoom out
Beyond security concerns, Deere’s digitization has put a new strain on a pre-existing issue: longstanding frustration that the company has limited the ability for farmers to fix their own equipment.
Hartmann said via email that in May the company made its diagnostic service tool available to customers and independent repair shops, and that in 2023 it plans to introduce an “enhanced customer solution that includes a mobile device interface and the ability to download secure software updates directly to embedded controllers on select John Deere equipment with 4G connections.”
The diagnostic software starts at $1,200 and is a limited version of what Deere technicians themselves have.
“John Deere has diagnostic software on laptops that their technicians have that they will not provide to the farmers,” Wiens said. “So the computer in the tractor will see, ‘Hey, this sensor reading is out of calibration.’ And the tractor just won’t start up.”
Wiens compared the tractor to an iPhone before the App Store, because John Deere allows only its own software to run on its machines.
“If you could, imagine you could make your own version of that diagnostic software tool, run it on the tractor, and you’d be good to go. But the tractor’s locked down. So being able to install and run Doom—it’s a silly example, but it shows that we can run arbitrary code on this thing,” he said.