A recent thread in tech news has been BMW’s move towards nickel-and-diming owners of its cars with microtransactions, a move so popular that BMW software hacks are now available. This is a shard of a wider debate about modern technology which, from cars to iPhones, has in many cases been trending towards locking the user out of the internals of something they apparently own. This is most relevant when it comes to the right to repair old equipment without having to involve the original manufacturer (and of course pay an inflated fee for the privilege).
While the mainstream reacted with disgust to the BMW stuff, anyone who’s ever been near a farm probably wasn’t so surprised: farming equipment has been screwing them like this for decades. The biggest firm in the agricultural manufacturing field is John Deere, which makes all kinds of machinery that runs on the company’s proprietary software. That software both monitors farmers extremely closely and forces them to involve John Deere whenever there’s a problem. These tractors are designed so that farmers can’t fix problems themselves.
This is on one level a nasty monopoly practice, but the implications of it are much wider. There’s the simple fact that a huge amount of the world’s food supply depends on John Deere equipment, and so any large-scale software problems could be catastrophic. John Deere itself might not have any plans to do such a thing, but then again it did recently show it could ‘brick’ Ukrainian farming equipment stolen by the Russians. The scarier prospect is that so much of the farming industry depends on John Deere keeping its systems secure from bad actors.
Most farmers, meanwhile, would probably much prefer a world where they could maintain their own machinery and not have to pay engineers to come out and tap a few commands on a tablet. Tough cheese, cheesemakers!
The company’s various rationales for its big closed system include some ridiculous arguments, among them that farmers don’t own these tractors but license them, and that locking farmers out is for their own good.
Needless to say, the John Deere system has attracted some white hat attention, and Australian hacker Sickcodes recently gave a presentation during the security event Defcon, held at Caesars Forum in Las Vegas, where to audience cheers they executed a jailbreak on the control unit of a John Deere tractor. Then, they demonstrated their control of the system by playing a special farm-modded version of Doom on the hardware.
The Doom flourish is lovely, and came about thanks to help from Doom modder Skelegant:
Playing Doom on a John Deere tractor display (jailbroken/rooted) at @defcon pic.twitter.com/ih0QUTGNuS (August 14, 2022)
With epic just-in-time help by NZ based doom modder @Skelegant. She helped get this run using DeHacked Doom, since gzdoom was a mission. Together, we teamed up to make this happen. She is amazingly talented. pic.twitter.com/OfVDMvRhzR (August 14, 2022)
Blasting through fields aside, the implications of this hack could be seriously big within the agriculture industry. One attendee of the talk was prominent tech thinker Cory Doctorow, who subsequently wrote:
“While it’s true that the John Deere tractor monopoly means that defects in the company’s products could affect farms all around the world, it’s also true that John Deere is very, very bad at information security:”
Essentially John Deere has the entire agricultural industry by the short-and-curlies, justifies this with dubious claims about why the status quo it has constructed is essential, and has power over farmers that it has no right to hold. As the Ukrainian incident showed, and as Doctorow pointed out at the time, “this meant that anyone who could hack John Deere’s system could brick any tractor—including, say, the Russian military’s hacking squads.”
Another attendee at the talk was right-to-repair advocate Kyle Wiens, who pointed out that John Deere’s control unit is built on outdated and unpatched systems:
Sick Codes has jailbroken a John Deere, and this is just the beginning. Turns out our entire food system is built on outdated, unpatched Linux and Windows CE hardware with LTE modems. pic.twitter.com/OLDBckluxr (August 14, 2022)
“John Deere has repeatedly told regulators that farmers can’t be trusted to repair their own equipment,” writes Wiens. “This foundational work will pave the path for farmers to retake control of the equipment that they own.”
The jailbreak developed by Sickcodes is not remote, but requires physical access to the equipment. Regardless of hacks, however, John Deere is also facing serious government and regulatory pressure. The European Union announced earlier this year it was establishing a right to repair principle, while some US states have already passed their own right-to-repair laws: the pressure resulted in the company announcing this March that it would widen access to repair tools.
So: this hack runs Doom, and also has potentially enormous consequences for agribusiness or, at the very least, for farmers who’ve had enough of John Deere’s practices. Sickcodes’ many findings included that the control system was sending huge amounts of data back to John Deere (once he had admin access, the unit tried to send 1.5GB of data), that it contained various security backdoors, including one enabled through placing an empty text file on the drive, and that John Deere apparently relies on open source software that may not be being used appropriately under its licensing terms.
Sickcodes says he’s working on an easier method for executing the hack, as his demonstration was pretty involved, in order that more farmers can make practical use of this thing.