As John Deere digitizes, some experts worry about cyber risks
If you can jailbreak a phone, you can jailbreak a tractor. And if you can jailbreak a John Deere tractor, you can play Doom on its touch screen.
At DefCon in August, Australian hacker Sick Codes demonstrated how to do just that on John Deere’s 2630 and 4240 display units, the in-cab touch screens fitted to its tractors.
Although playing a video game on a tractor’s computer system might seem like a stunt, the demonstration raised important questions about John Deere‘s cybersecurity practices – questions made all the more urgent by its ongoing efforts to pivot its business model to software and digital subscriptions.
The company unveiled an autonomous tractor at CES earlier this year and is investing billions of dollars to make agricultural equipment Internet-connected and partially automated, capable of making decisions based on analysis of cloud-hosted data sets managed through the John Deere Operations Center. By 2030, CEO John May expects 10% of the company’s annual revenue to come from software subscription fees.
“It’s a fairly insecure technology. This might be okay if the tractor wasn’t connected to the internet,” Kyle Wiens, co-founder and CEO of iFixit and right-to-repair advocate, told us. “The national security problem we have here is that John Deere owns most of the market, and they have decided, in their infinite wisdom, to connect most of the agricultural machinery in our country to the Internet.”
Last month’s presentation wasn’t the first time Sick Codes had bypassed the agricultural giant’s security. Last year, he broke into the company’s central systems, prompting the Department of Homeland Security to get involved, he told Emerging Tech Brew.
In response to questions, John Deere spokeswoman Jen Hartmann pointed us to previous statements about cybersecurity.
Going from a tractor company to “a data collection conglomerate, whatever,” is a steep learning curve, Sick Codes said, and in his view, John Deere has made a few missteps.
“They have a responsibility to take care of the entire food chain,” he said. “They have insane responsibilities and they are also listed on the stock exchange. And they just don’t pull their weight.”
Earlier this year, the FBI warned that farmers and other agricultural businesses could be attractive targets for ransomware attacks.
If a bad actor “wanted to take over American agriculture, all you would have to do was run those tractors to the redline and burn out their engines. You wouldn’t even have to drive them,” said Wiens.
Companies often run bug bounty programs that reward external security researchers and hackers for finding security issues in their products. John Deere established one last year, but the success of the program remains uncertain, according to Wiens. John Deere declined to specify how many bug reports it has handled under its responsible disclosure program.
Automakers are also facing new cybersecurity challenges, but the standards gaining acceptance in the electric vehicle industry, for example, are not yet well understood or regulated for other autonomous and connected machines, David Chaddock, director of cybersecurity at consultancy West Monroe, told us.
“When you talk about all the gear, it’s almost on a spectrum more towards the Wild West,” he said. “Autonomous vehicles, which may or may not be electric, that kind of stuff, there’s currently no real federal ‘you must’ regulations.”
The industry also faces the potential challenge of hiring software developers or cybersecurity experts at legacy companies that may not be perceived as high-tech, Chaddock said.
“Right now, at every level, you have a talent shortage. When it comes to cybersecurity, it’s amplified even more,” Chaddock told us.
Hartmann told us in an emailed statement that the company has opened two “tech hubs” in Austin, TX and Chicago, as well as working with “several universities” to help attract new tech talent.
Beyond security concerns, Deere’s digitization has put new pressure on a pre-existing problem: long-standing frustration that the company has limited farmers’ ability to repair their own equipment.
Hartmann said via email that in May the company made its diagnostic service tool available to customers and independent repair shops, and that in 2023 it plans to introduce an “enhanced customer solution which includes a mobile device interface and the ability to directly download secure software updates to embedded controllers on certain John Deere equipment with 4G connections.”
The diagnostic software starts at $1,200 and is a limited version of what Deere technicians themselves have.
“John Deere has diagnostic software on the laptops that their technicians have that they won’t provide to farmers,” Wiens said. “So the tractor’s computer will see, ‘Hey, this sensor’s reading is out of calibration.’ And the tractor just won’t start.”
Wiens compared the tractor to an iPhone before the App Store, because John Deere only allows its own software to run on its machines.
“Imagine if you could create your own version of this diagnostic software tool, run it on the tractor, and you’d be good to go. But the tractor is locked. So being able to install and run Doom, it’s a stupid example, but it shows that we can run arbitrary code on this thing,” he said.