The big picture: Casual hackers love to attempt to mod odd hardware to run Doom. One Australian hacker used this pastime to prove that John Deere tractors lack proper security software. At the same time, he offered a glimmer of hope to farmers and mechanics who have been fighting an uphill battle against a company that's hostile to DIY repairs.
Were humanity to ever destroy itself, one of the most interesting relics aliens would find would undoubtedly be the many different objects running a strange piece of software that involves killing hordes of demons to heavy metal riffs. There are already boatloads of devices never meant to run Doom but run it nevertheless. Thanks to "Sick Codes," an Australian security expert, there's yet another way to rip and tear for the would-be DoomGuys among us.
At DEF CON 2022 last week, he demonstrated how to take complete control of some John Deere farming equipment. He even took it a step further by doing what every demon slayer in their right mind would do — run the one classic game that pushed the entire first-person shooter industry forward and the existing hardware at the time into overdrive.
Sick Codes says he spent several months working with numerous John Deere tractor models and eventually took control of a John Deere 4240 touchscreen console equipped with an Arm-based NXP I.MX 6 system-on-chip. This model runs Wind River Linux 8, but some of the other models he worked on were running Windows CE.
Technically, the hacker didn't devise an exploit. Instead, he figured out a way to simply jailbreak the device. The touchscreen displays on John Deere tractors have fundamental security vulnerabilities, leaving them wide open to ransomware attacks. In other words, one can bypass the digital locks on these tractors, and from there, the possibilities are endless as you can run any software compiled for that platform.
To be clear, this isn't entirely straightforward. It requires intimate knowledge of embedded electronics and operating systems. Sick Codes first found that it was possible to fool the system into rebooting in a different mode, which should only be accessible to an authorized dealership. This internal system allowed access to over 1.5 gigabytes of logs that service providers use to diagnose issues with the tractors.
The logs gave Sick Codes an idea of how to bypass system protections with some modifications to the controller board. It would also be possible to build a tool based on the vulnerabilities that would make the jailbreak much easier for the layman to run software with root access. Of course, Sick Codes demonstrated this by installing a custom installation of one of our favorite retro FPS courtesy of a New Zealand-based modder that goes by "Skelemom" on Twitter.
John Deere tractors are notorious for having locked-down software that prevents third-party or DIY repairs. Earlier this year, Russian troops stole $5 million worth of combines only to find they had been remotely disabled by the manufacturer. However, this jailbreak could offer farmers a way to repair their equipment without going through the expense and hassle of taking their tractors to an authorized dealer whenever repairs are needed.
"Sick Codes has jailbroken a John Deere, and this is just the beginning," right-to-repair advocate and CEO of popular repair website iFixit Kyle Wiens notes. "Turns out our entire food system is built on outdated, unpatched Linux and Windows CE hardware with LTE modems."
As for John Deere, the company officially maintains that it can't trust farmers to fiddle with all this new-fangled equipment. Still, mounting public pressure has already forced the manufacturer to promise an "enhanced self-repair solution" so farmers can apply software patches without going to the dealer. The company set a tentative release window for 2023.
Masthead credit: Karl Wiggers