Hacker Sick Codes says cyber security in agtech is no game after viral John Deere tractor hack

An Australian hacker has fired a warning shot at the security of computerized farm equipment after breaking into the controls of a John Deere tractor to install the video game DOOM.

His manipulation of the Linux-based display – showcased this month at one of the world’s biggest hacker conventions, DEF CON 30 in Las Vegas – has raised concerns about risks to the food supply chain and sparked debate over whether farmers should be allowed to repair their own machines.

Described as a “white hat” hacker, Sick Codes is a security researcher who breaks into systems to identify vulnerabilities and then alerts the business so they can fix the bugs.

He said his motivation for the project, which has since gone viral in gaming, farming and tech circles, was to show farmers that it was possible to take control of their equipment, but also to encourage companies to prioritize the security of these systems.

“There are issues that need to be addressed … they are [John Deere] the leading cyber security company at the moment and I’m still hacking them,” he said.

“I wonder what everyone else is doing. Some of the other companies, nobody’s looked at them, I wonder what surprises are out there.”

The explosion in ag technology meant many companies were scrambling to develop new products, but Sick Codes said many weren’t actively investing in security.

“Threat actors know agriculture is an undersecured industry, they know it’s a ripe target for ransomware,” he said.

Cyber ​​security not a game

The DEF CON 30 display was the culmination of a year-long project.

“I was able to remove the software from the John Deere tractor display and then change it in a significant way,” he said.

“I spent a couple of months pulling it apart and tinkering with it, not only with the hardware but also with the software.”

He installed a modified version of the vintage first-person shooter DOOM on the tractor computer, a common method used by hackers to demonstrate how deeply they have access to a system.

“It pretty much means I’m the boss of the system,” he said.

In a statement, John Deere said its top priority was protecting customers, their machines and their data.

“The capabilities that Sick Codes demonstrated during its recent presentation at DEF CON were achieved through invasive/persistent physical access, disassembly of a hardware product, and reverse engineering of proprietary software,” the statement said.

In addition to its internal security team, the company said it was working with cybersecurity partners such as HackerOne and the broader ethical hacking community on the security features.

The manufacturers’ claims fall flat

The DEF CON demonstration has also caught the attention of right-to-repair advocates like Kyle Wiens, whose company iFixit publishes free repair manuals and guides for consumers.

He said companies often argued that their technology was valuable intellectual property or too complex for self-repair, but the hack showed that much of the John Deere code originated in the free, open-source community.

Wiens said the demonstration highlighted a wider problem with how the agricultural technology sector was developing.

“From a food safety perspective, we have irresponsible companies that are making a lot of money, locking out farmers from being able to make repairs, but also not spending the resources they need to secure the infrastructure,” he said.

In a submission to last year’s Productivity Commission inquiry into the right to repair, the Australian arm of John Deere Limited (JDL) pointed to “environmental, safety and intellectual property risks” from unregulated access to software.

“This is a key reason why John Deere supports our customers’ right to maintain and repair their equipment, but not the right to modify embedded code in equipment,” the submission said.

“JDL rejects any claim that owners of John Deere equipment are prevented or restricted from performing repairs.”

Calls for the extension of the right to repair

Griffith University Professor of Intellectual Property Rights (IP) Leanne Wiseman hosted the second Australian Repair Meeting held in Canberra in August.

Professor Wiseman said some companies such as Apple and Samsung had changed their approach to self-repair, but others still used security or intellectual property rights to keep consumers out.

“A lot of the repairs that need to be done, it could be changing a fuse, changing a windshield or changing a light bulb, those things will not affect the manufacturers’ intellectual property,” she said.

She hoped the new federal government would act on the recommendations of the Productivity Commission report, including extending the mandatory data-sharing scheme that required car manufacturers to make service information available to all repairers at a reasonable cost to cover agricultural machinery.

In his keynote address to the summit, the federal Assistant Minister for Competition, Andrew Leigh, acknowledged the Productivity Commission’s report, which was tabled in December 2021 under the previous government.

“There are opportunities to further reduce barriers to repair for products in some markets, and the Australian Government wants to pursue reforms that are evidence-based and target sectors where it would be most beneficial,” Dr Leigh said.

Hacked tractors are risky, says hacker

Sick Codes warned while it was possible for farmers to hack their equipment, there were risks.

“It exposes you to viruses and things like that if you make mistakes and there are websites out there and things that will attack you,” he said.

“But for tractors … if you’re smart enough, if you have enough time to teach yourself or have someone teach you how to do some of the things I demonstrated, then it’s definitely possible.”