ABC Rural
Hacker Sick Codes says cybersecurity in agtech is no game after viral John Deere tractor hack
An Australian hacker has fired a warning shot at the security of computerised farm equipment after breaking into the controls of a John Deere tractor to install the video game DOOM.
His manipulation of the Linux-based display — showcased this month at one of the world's largest hacker conventions, DEF CON 30 in Las Vegas — has raised concerns about risks to the food supply chain and fired up debate about whether farmers should have the right to repair their own machinery.
Described as a "white hat" hacker, Sick Codes is a security researcher who breaks into systems to identify vulnerabilities and then alerts the business so they can fix the flaws.
He said his motivation for the project, which has since gone viral in gaming, farming and tech circles, was to show farmers it was possible to take control of their equipment, but also to encourage companies to make the security of these systems a priority.
"There are issues that need to be addressed … they're [John Deere] the leading cybersecurity ag company at the moment and I'm still hacking them," he said.
"I wonder what everyone else is doing. Some of the other companies, nobody's looked at them, I wonder what surprises are out there."
The explosion in ag tech meant a lot of companies were racing to develop new products, but Sick Codes said many were not actively investing in security.
"Threat actors know that agriculture is an under-secured industry, they know it's a ripe target for ransomware," he said.
"There's a bit of an arms race going on … you've got to bring security to the table early before things go wrong."
The DEF CON 30 display was the culmination of a year-long project.
"I was able to get the software off the John Deere tractor display and then modify it in a significant way," he said.
"I spent a couple of months pulling it apart and tinkering with it, tinkering not just with the hardware but then also with the software."
He installed a modified version of the vintage first-person shooter game DOOM on the tractor computer, a common method hackers use to demonstrate how deeply they have accessed a system.
"That means, pretty much, I am the boss of the system," he said.
"If you're able to install Doom and play the game on a device, that pretty much means that you've clocked it, you've won the device, there's nothing more to do."
In a statement, John Deere said its top priority was the protection of customers, their machines, and their data.
"The capabilities that Sick Codes demonstrated during his recent presentation at DEF CON were obtained through invasive/persistent physical access, disassembly of a hardware product, and reverse engineering of proprietary software," the statement read.
"At no point were a customer or dealer’s equipment, networks, or data at risk."
In addition to its in-house security team, the company said it worked with cybersecurity partners like HackerOne and the broader ethical hacking community on its security capabilities.
The DEF CON demonstration has also caught the attention of right-to-repair advocates like Kyle Wiens, whose company iFixit publishes free repair manuals and guides for consumers.
He said companies often argued their technology was valuable intellectual property or too complex for self-repair, but the hack showed much of the John Deere code originated in free, open source communities.
Mr Wiens said the demonstration highlighted a broader issue with how the agricultural technology sector was developing.
"From a food security perspective, we have irresponsible companies making a lot of money, locking farmers out of being able to do repairs, but also really not putting the resources that they need into securing the infrastructure," he said.
"The work that Sick Codes has done really sets the groundwork, it lays the foundation for owners being able to take back control."
In a submission to last year's Productivity Commission Inquiry into the Right to Repair, the Australian arm of John Deere Limited (JDL) pointed to the "environmental, safety and intellectual property" risks of unregulated access to software.
"This is a key reason that John Deere supports our customers' right to maintain and repair their equipment, but not the right to modify embedded code in equipment," the submission said.
"JDL rejects any allegation that owners of John Deere equipment are prevented or limited from performing repairs."
Leanne Wiseman, professor of intellectual property (IP) law at Griffith University, hosted the second Australian Repair Summit held in Canberra in August.
Professor Wiseman said some companies like Apple and Samsung had shifted their approach to self-repair, but others were still using security or intellectual property concerns to keep consumers out.
"A lot of the repairs that are needing done, it might be the changing of a fuse, the replacement of a windscreen or the replacement of a bulb, those things wouldn't impact on the intellectual property of the manufacturers," she said.
"Some of the systems and the IP that's in these tractors is not as highly sophisticated as they're arguing, and they are vulnerable."
She hoped the new federal government would act on recommendations from the Productivity Commission report, including extending to agricultural machinery the mandatory data sharing scheme that requires car manufacturers to make service information available to all repairers at a reasonable price.
In his keynote address to the summit, the federal Assistant Minister for Competition, Andrew Leigh, acknowledged the Productivity Commission report, which was tabled in December 2021 under the previous government.
"There are opportunities to further reduce barriers to repair for products in some markets, and the Australian government wants to pursue reforms that are evidence-based and target sectors where it will be most beneficial," Dr Leigh said.
Sick Codes warned that while it was possible for farmers to hack their equipment, there were risks.
"It does expose you to viruses and things like that if you do the wrong thing and there are websites out there and things that will attack you," he said.
"But for tractors … if you're smart enough, if you have enough time on your hands to teach yourself or get someone to teach you how to do some of the things that I demonstrated, then it's definitely possible."