Q & A: Sick Codes talks tractor hacks
At the DEF CON security conference in Las Vegas last month, the white hat hacker known as Sick Codes unveiled a new jailbreak for John Deere & Co. tractors. He broke open the computer console and found ways to get inside a roster of the company’s tractors and combines. And then, to show just how thoroughly he could reconfigure the console, Sick Codes ran a modified, tractor-themed version of the 1990s shooter game Doom on it.
His presentation on the DEF CON stage was the big headline out of the conference, and it did two things. First, it reignited a debate over farmers’ right to repair their own equipment. John Deere owns the proprietary software that runs just about every new machine, so farmers must go through official dealerships to fix anything from a faulty sensor to an engine failure.
And second, Sick Codes’ presentation once again highlighted security concerns in today’s high-tech farming equipment. While Sick Codes’ work was a pure hardware hack, it did focus minds on the vulnerabilities in the food supply chain, particularly with the introduction of the Internet of Things (IoT) on the farm. The Wall Street Journal reported this week that Deere & Co. wants to connect 1.5 million machines in service to its cloud-based operations center.
Click Here producer Will Jarvis interviewed Sick Codes to find out more about the hack and what motivated it. The interview has been edited and condensed for clarity. Click Here reached out to John Deere with specific questions, and they declined to comment.
Click Here: Of all the things to hack, why tractors?
Sick Codes: So tractors are kind of like this thing that I’ve never been inside of (laughs). So I’ve never actually been in a tractor. It’s kind of this thing, like, everyone knows what it is, but nobody knows that it’s fully tech-enabled: WiFi, Bluetooth, BLE [Bluetooth Low Energy] syncing up to the vehicle next to you. It just seemed really interesting to find a niche that nobody was hacking, or hacking publicly.
CH: Why John Deere? There are other companies in this space…
SC: Well, they are the most prolific, the most famous, the most iconic. They’re literally everywhere. And it was just one of those companies that had to have someone take a look at it. And I guess I didn’t really look at the other companies because they were kind of boring. I don’t work there. I’m not at the behest of them. I don’t own a tractor. I don’t have any brand alignments or anything like that. So I’ve kind of got this unique position where I don’t have anything to lose.
CH: So you’ve said you’ve never actually been in a tractor. How did you get your hands on the hardware?
SC: Well, I definitely have connections now into agriculture. I’ve got direct lines into John Deere and you know, obviously, we’re in a love-hate relationship. We need marriage counseling, honestly. We need marriage counseling.
I do know a lot of people that can access tractors. You know, if I find a model that I want to play with or something like that, I’ll ring up a couple of guys and they’ll be able to reach out and find the model. So I do have the capability to get into a tractor if I wanted to. One thing I don’t have is the ability to go to the John Deere factory. They won’t even invite me. I’ve actually asked for an invite too, which is kind of weird, but they still don’t want to invite me.
CH: How did you actually get the console?
SC: I bought one off eBay.
CH: How much did it cost?
SC: It was about $7,000.
CH: Did you know right away what you would do with that console?
SC: So at the start I remember buying it, and I had no idea I was gonna run Doom on it. I didn’t even think it was capable of running Doom. I thought that I was going to buy it and deconstruct the library, punch out a few CVEs [Common Vulnerabilities and Exposures] on John Deere’s equipment and then, you know, flick it off to CISA [Cybersecurity and Infrastructure Security Agency] and then get it all done.
However, I ended up finding out that the code is quite unique. It’s Wind River Linux, which is very popular among defense contractors and things like that. It’s quite a substantial operating system, and it is open source. It’s the actual Linux that’s used in stinger missiles and F-18s and F-35s. So it is an important part of infrastructure. But it’s also important to test it, right? And then there’s also right-to-repair involved, which is in a separate lane. But they do intersect at certain points.
CH: How did you go about modifying it?
SC: Well, the best part about John Deere is they use a universal display. So it’s one display [that] goes in everything in terms of machines. We call ’em machines — combines, other harvesters, beet harvesters, sugarcane harvesters, lettuce harvesters. There’s so many different machines, but for John Deere, they use one specific display, and it’s a generational display. All of the coders and developers of that company are working on the same one, and that’s obviously a target.
It’s an expensive item to own, because you need a tractor to buy one. Why else would you buy one, right? Except if you’re a guy like me living in Asia and hacking John Deere.
CH: What was the first step?
SC: So I bypassed the [dealer authentication mechanism] with a guy’s help from Brazil. I’d used the official John Deere software manager, downloaded 25 gigs of software RPMs for the Red Hat operating system, and did, in fact, restore the tractor to factory settings without John Deere’s assistance. And that was the first step of it.
CH: What other steps did it take?
SC: The second part was actually modifying the system. Augmenting it, in fact — actually just adding to the system and screwing it up many times. I think I desoldered the flash memory about 15 times, trial and error, getting in. Then, I ran a tractor edition of Doom. So it was Doom customized with a New Zealand modder named “Skelegant.”
We made this mod, which is now downloadable. You can actually play this mod on your PC and have a crack. It’s a running meme, but it’s also a message that this stuff isn’t as secure as it looks. And John Deere may not be as secure as they sound.
It did take me a while to break in. I could do it now in about an hour, but it was a ‘sophisticated attack,’ as John Deere said, and it was also persistent and invasive. But it was hardware, and it was physically involved. So it’s not remote. And obviously I’m not gonna publish remote, unpatched RCEs [remote code executions] at DEF CON if I did have one.
[Editor’s note: In a statement, John Deere responded that “at no point were a customer or dealer’s equipment, networks, or data at risk. Any researcher, given unfettered physical access and time, will eventually be able to adversely impact the operations of a device, and no company, including John Deere, is immune to such access. However, we are deeply committed and work tirelessly to safeguard our customers, and the role they play in the global food supply chain. In addition to a dedicated team of over 300 product and information security professionals, we also work closely with industry-leading cybersecurity partners like HackerOne and embrace the broader ethical hacking community to ensure our security capabilities continue to lead the industry.”]
CH: The Doom hack wasn’t your first encounter with John Deere. Can you talk more about your agriculture hacks?
SC: Well last year — I started myself and then I was joined by a group of hackers — we ended up breaching in John Deere’s mainframe, getting email addresses, customer data, things like that. So we pretty much rocked the boat of the whole online cloud infrastructure that they had, forcing them to get Okta site-wide. We had the Okta sign-in tokens, for example.
But some of the right-to-repair guys did reach out and they were pissed off that I kind of fixed things for Deere. They think that’s kind of anti-right-to-repair and I said, Okay, I’ll hear them. And that’s when I decided to just break into the hardware that I own and prove to farmers that they can, in fact, jailbreak their own tractors without having to ask John Deere.
CH: Were you surprised by the reaction to this year’s presentation?
SC: I just thought that it would be interesting to people, but I didn’t realize it was gonna be so interesting to so many people. I thought it was just agriculture and cyber security. But it turned out to be gaming news, it turned out to be national security news, it turned out to be gadget news. And obviously it runs Doom, so Reddit loved the meme as well.
CH: John Deere is not thrilled with your work or your disclosures about it all. What do you make of that?
SC: Well, that’s kind of what I’m trying to explain to Deere, is that I’m not the boogeyman in the room. The real boogeyman is the person who’s gonna come in and destroy all your data, hold it ransom, disrupt the food supply chain. What I’m trying to prove is that there are issues in ag. And it’s kind of been this elephant in the room that people haven’t been looking at, whereas they eat all day, but they don’t know where it comes from.
It’s kind of that Food Inc.-style situation. It’s like, where does this food come from? Well, it comes from a Bluetooth, low-energy grain cart. It just goes on and on.
CH: Have you heard from many farmers since your DEF CON talk in August?
SC: Yeah, a lot of farmers have reached out — a lot of John Deere farmers, a lot of non-John Deere farmers. And it’s kind of interesting to see where the discussion is going. A lay person or non-technical [person], they’re saying, ‘Well, hang on. This guy’s playing Doom on something that I use every day. What does that mean?’ It’s this question that has to be addressed.
If you ask a farmer if they would repair their own iPhone screen, if they say no, then they’re probably not that keen on jailbreaking their tractor. But having the bargain ability, having the ability to go to your manufacturer and saying, look, I’ll just jailbreak this and fix it myself. It’s one of those extra stepping stones that there is proof of concept. Right-to-repair can use that as ammunition to kind of dispel this cybersecurity myth that if right-to-repair was to pass, there would be all these vulnerable tractors. Look, the tractors are already vulnerable!