According to an Aug. 13 report from Wired, a hacker known as "Sick.Codes" presented a jailbreak he performed on John Deere 2630 and 4240 displays at DEF CON 2022, an annual hacking convention in Las Vegas held on Aug. 11-14.
The article states that Sick.Codes' jailbreak — when a user gains full access to the root operating system of a product — allowed him to take control of multiple models of John Deere tractors through their displays.
So what do dealers need to know?
1. The jailbreak involved modifications to the displays' circuit boards.
The Wired article clarifies that the hack was not done remotely but rather came from Sick.Codes' altering of 2630 and 4240 units' circuit boards in order to "bypass John Deere's dealer authentication requirements" and give himself full access to the displays.
"He found that when the system thought it was in such an environment, it would offer more than 1.5 GB worth of logs that were meant to help authorized service providers diagnose problems," the report states. "The logs also revealed the path to another potential timing attack that might grant deeper access. Sick Codes soldered controllers directly onto the circuit board and eventually got his attack to bypass the system's protections."
Sick.Codes did state, however, that it could be possible to develop a tool based on the vulnerabilities he discovered to allow the jailbreak to be performed more easily, whereas his hack came after months of trial and error.
An example of one of Sick.Codes' early attempts at jailbreaking a John Deere display, known as a Jtag.
2. Sick.Codes says the jailbreak was conducted to give farmers access and warn manufacturers.
An Aug. 18 report from ABC News Australia stated Sick.Codes' goal in hacking these Deere displays was to "show farmers it was possible to take control of their equipment, but also to encourage companies to make the security of these systems a priority."
"There are issues that need to be addressed … they're [John Deere] the leading cybersecurity ag company at the moment and I'm still hacking them," Sick.Codes said to ABC. "I wonder what everyone else is doing. Some of the other companies, nobody's looked at them, I wonder what surprises are out there."
See a full presentation Sick.Codes gave at the hardware security convention hardwear.io detailing the hack below.
3. John Deere says no dealer or customer data was exposed in the hack.
In the same ABC report, John Deere stated that:
"The capabilities that Sick Codes demonstrated during his recent presentation at DEF CON were obtained through invasive/persistent physical access, disassembly of a hardware product, and reverse engineering of proprietary software. At no point were a customer or dealer’s equipment, networks or data at risk."
4. John Deere released a video about its own tractor hacking event shortly after the Wired article was published.
Shortly after the Wired article was published, John Deere released a video on its Youtube channel exploring its first Cyber Tractor Challenge event it held in July of this year, when it asked 20 college students to hack a John Deere tractor to test Deere's digital security.
John Deere ISG Business Information Security Officer Carl Kubalsky states in the video that, "There's a real need for people that have the talents that they [the students] have to come and help us find where there might be some holes or opportunities in our product so that we can button those up."
5. This isn't Sick.Codes' first time hacking John Deere equipment.
Sick.Codes has previous experience with bypassing security measures on John Deere equipment. He also presented at last year's DEF CON, where he showcased a different exploit he performed on John Deere equipment that involved operating system bugs.
According to the Wired article, after Sick.Codes made his 2021 research public, tractor companies, including John Deere, started fixing some of the flaws.
To see Sick.Codes' 2021 presentation on exploiting John Deere system vulnerabilities, see the video below.
6. Sick.Codes used the jailbreak to play a videogame on the display.
What did Sick.Codes do once he had root access to the displays? He decided to play the 1996 classic first-person shooter videogame DOOM. See a video below from Sick.Codes' twitter showcasing the game running on a Deere display. This version of DOOM appears to have been modified to take place on a farm, where the player appears to drive a combine through a field.