The hacker who wants to help farmers "crack" tractors

The hacker who wants to help farmers crack tractors

Around the world, farmers are resorting to hacking tractors to get around digital locks imposed by manufacturers. Similar to the so-called iPhone jailbreak, farmers are able to modify and repair expensive agricultural vehicles - which play an essential role in their work - as they could with analog tractors. At DefCon, the safety conference that was held this month in Las Vegas, the hacker known as Sick Codes unveiled a new method of unlocking tractors from the US company John Deere & Co., which allows you to take the control of different models through the touchscreen.

The discovery highlights the consequences on the security front of the movement for the "right to repair". Even if the gimmick developed by Sick Codes is not a remote attack, the vulnerabilities involved in the method developed by the hacker highlight security issues that could be exploited by attackers or potentially linked to other flaws. The security of the agricultural industry and the food supply chain is critical, as incidents such as the 2021 Jbs Meat ransomware attack have shown. At the same time, however, vulnerabilities such as those encountered by Sick Codes help farmers work with their equipment. John Deere did not respond to US's request for comment regarding the discovery submitted by the hacker.

Sick Codes, an Australian living in Asia, had already participated in DefCon 2021, with a presentation on the application programming interfaces of tractors and the bugs of their operating systems. After going public with his research, several tractor manufacturers, including John Deere, began to correct some of the flaws. "The right to repair movement was a bit contrary to what I was trying to do," Sick Codes tells US. "I spoke to some farmers; one emailed me saying: ' You're ruining everything! 'So I thought I'd prove to farmers that it is possible to root devices. "

Sick Codes today says that it is primarily concerned about the safety of the global food sector and the risks that come with it. vulnerable farm equipment, but also recognizes the importance of allowing farmers to have full control of their equipment.

Right to repair After years of controversy in the United States over the "right to repair" of purchased equipment, the movement seems to have reached a turning point. Last year, the White House issued an executive order ordering the Federal Trade Commission to step up efforts to limit practices such as voiding the warranty for external repairs. This, coupled with the New York State's approval of a law on the right to redress and the forms of creative pressure exerted by activists, has generated unprecedented momentum for the movement.

Facing the escalating pressured, John Deere announced in March that it would make more repair software available to owners of its agricultural machinery. On that occasion, the company also said it will introduce an "advanced solution for customers" next year, so that customers and mechanics can download and apply official software updates for Deere equipment themselves, rather than resorting to. remotely patch or force farmers to take vehicles to authorized dealers.

"Farmers prefer older equipment simply because they want reliability. They don't want something to fail at the most important time of the year , when it is time for harvest - explains Sick Codes -, and this is what we should want too. We want farmers to be able to repair equipment when it is not working, and this means having the freedom to make decisions related to software of their tractors ".

The hacker method To develop his method of unlocking machinery, Sick Codes worked on several and generations of touchscreen consoles to control John Deere tractors. Ultimately he focused on just a few popular models, including the 2630 and 4240. It took several months of experimenting with different touchscreen circuit boards to find ways to circumvent the authentication requirements of John Deere dealers, but at the end Sick Codes was able to reset the device and access it as if it were a certified dealer.

The hacker found that at this point the system made available more than 1.5GB of logs designed to help service providers authorized to diagnose machinery problems. The data also revealed the path for another potential attack, which could grant even wider access to tractors. Sick Codes soldered the controllers directly to the circuit board and eventually managed to bypass the system protections. "I launched the attack and two minutes later a terminal appeared - says Sick Codes in reference to the program used to access the command line interface of a computer -. I obtained root permissions, which is rare in the universe of Deere ".

The approach requires physical access to the circuit board, but Sick Codes says it would be possible to develop a vulnerability-based tool to more easily unlock tractors. The Australian hacker says he's curious to see what John Deere's reaction will be. It is not certain that the company will be able to fully correct the flaws without a significant system overhaul in new models of its tractors, which probably would not be implemented in existing equipment anyway.

This article originally appeared on US.

Powered by Blogger.