John Deere jailbreak shows it's all "built on outdated, unpatched" hardware

John Deere uses DRM to prevent its own customers from repairing their own vehicles, pushing them toward the company's own overpriced service options. A new jailbreak for those systems, announced this weekend at DEF CON by Sick Codes, restores a measure of ownership to the people who bought them. Moreover, it shows that John Deere's implementation is as cheap and janky as it gets, built on Windows CE (!) and unpatched, out-of-date hardware.

The finding underscores the security implications of the right-to-repair movement. The tractor exploitation that Sick Codes uncovered isn't a remote attack (it requires hands on the equipment), but the vulnerabilities involved represent fundamental insecurities in the devices that could be exploited by malicious actors or potentially chained with other vulnerabilities. Securing the agriculture industry and the food supply chain is crucial, as incidents like the 2021 ransomware attack on meat processor JBS have shown. At the same time, though, vulnerabilities like the ones Sick Codes found help farmers do what they need to do with their own equipment.

Under pressure from the right-to-repair movement, John Deere has already announced plans to open up some of its software to equipment owners.

Even with an improved attitude, John Deere is in a difficult place. It doesn't seem particularly familiar with its own hardware, let alone the software running on it. Having invested in the shareholder-pleasing notion of total control, and having had that control designed into its systems in the cheapest and crudest way it could find, the company now seems stuck with the costs of learning exactly what it bought into.