Even John Deere tractors aren't safe from jailbreaking and hacker attacks


The electronics of John Deere tractors can be hacked, and what better way to demonstrate this than to have them run a corn-themed version of Doom on the display. 

An Australian hacker going by the name Sick Codes has shown off his work, the motivation for which dates back more than a year.

Last year, during DEF CON 29, Sick Codes said he wanted to explore vulnerabilities in agricultural equipment, as no one else was doing it at the time. While he did manage to force the company into fixing a few issues, the way John Deere approached the situation was to essentially block people from customizing their gear or fixing their own issues.


Sick Codes saw this as “anti-right-to-repair”, which didn’t sit well with him. 

So, this year, during the same conference - DEF CON 30 - he demonstrated what is essentially a jailbreak, showcasing how people could bypass John Deere’s blocks and still end up customizing and improving their gear. 

Sick Codes says he used a John Deere tractor 4240 touchscreen controller with an Arm-compatible NXP i.MX 6 system-on-chip, running Wind River Linux 8. Some devices were running Windows CE as well. The project took a couple of months and involved physically modifying the equipment to have it run the code. If a person is capable of getting new software onto the endpoints, they’d be able to run it freely.

"The main bug is that nothing's encrypted or checksummed properly or anything like that," the researcher explained, further stating that patching the weakness isn’t exactly simple. Instead, the company should build new devices with proper security baked in, he says. 

All the firmware's code runs as root, he concluded.

TechRadar Pro has asked John Deere for a comment and will update the article if we hear back.

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.