A new “jailbreak” targeting John Deere tractors has farmers and security experts pondering the merits of open access to the machine’s computer brain, versus the need to keep the farm vehicle secure.
Right-to-repair has become a battle cry for consumer advocates who want greater access to the inner workings of devices they buy, like phones and computers – and tractors, too. These days, the tractors that till the fields are computer-driven, and companies like John Deere keep a tight lid on access to what’s behind the touch screens used to control them.
Now, a security researcher’s hack for Deere tractors is drawing attention to a conflict between the right-to-repair ideal, and the need to maintain security for machines that are integral to food production. Lily Hay Newman, a senior writer at Wired who has written about the new jailbreak, shared what this means for tractor owners.
This transcript has been edited lightly for clarity:
Texas Standard: I think a lot of us envision tractors as almost anvil-like when it comes to their simplicity. But clearly that’s not the case. And farmers want access to the tools that it takes to fix them, right?
Lily Hay Newman: Right. Similar to cars, it used to be that tractors were totally repairable by whoever owned them and that the owner owned every part of the vehicle. But now the nerve center is a computer, and that software can be owned and controlled by another entity, even though you paid all this money to own the tractor.
Texas Standard: I think a lot of people would think that if you buy a tractor, you get to fix it when it breaks.
Lily Hay Newman: Right. But that’s really not the case, partly because of transitioning to things like subscription models where software controls whether or not you have access to certain features. And partly because John Deere and other companies want to be able to control where you get your tractor repaired and force people to bring the devices, the vehicles to authorized repair places or send a repair person out. But obviously that can be prohibitive depending on your location.
Texas Standard: I think a lot of people would see this as a money grab, pure and simple. But the company, as I understand it, is claiming this is a security matter. How so?
Lily Hay Newman: This is important from a right-to-repair perspective, but also an important thing to be raising to the company and to other vehicle manufacturers from a security perspective. Because when you close these vulnerabilities and you fix the flaws, farmers or other owners can’t jailbreak or unlock the device. But you are making the device more secure so a hacker can’t get in there and do something nefarious. So, from an owner’s perspective, there’s good and bad to each. But I think both are important points to be making to manufacturers.
Texas Standard: What’s the point in hacking a tractor unless you’re actually using the tractor for agricultural purposes? I think of hackers as installing malicious software and trying to get money from people or perhaps trying to extract data. Is hacker really the right term here?
Lily Hay Newman: Totally. What about ransomware attacks on a giant agriculture conglomerate?
Texas Standard: Is that a serious concern?
Lily Hay Newman: It could be, yeah.
Texas Standard: Tell us about the hack in question. Who came up with it, and is it on behalf of tractor owners, or what?
Lily Hay Newman: So this is an independent researcher who goes by the hacker name Sick Codes. Hacker names are actually very common in the information security research community, and he has found other security vulnerabilities in John Deere infrastructure and that of other tractor makers. And in the past he’s really been focused on raising awareness about security flaws and the need to fix these security holes and digital holes. But this time, I think he’s really more focused on the right-to-repair issue and wanted to show farmers that he is also on the side of them having control of their vehicles.
Texas Standard: So what exactly does this hacker Sick Codes do to the tractor? Does he immobilize it or what?
Lily Hay Newman: He’s able to override some of the digital locks on the device that keep you from accessing certain features or certain controls and kind of gives what’s called root access. So the user becomes the most elevated administrator of the device.
Texas Standard: I would imagine John Deere is none too happy about this. Have they responded?
Lily Hay Newman: They did not return my requests for comment.
Texas Standard: Where does this seem to be headed, from what you can tell?
Lily Hay Newman: Well, the right-to-repair movement in general has really turned the corner and has started to gain momentum. The White House has done an executive order. And so this may fit into the broader moment, from what I’ve seen and the feedback I’ve gotten on my story. A lot of farmers are really celebrating this, but certainly awaiting some comment and reply from John Deere.