
Ep 32.

The Great Tractor Jailbreak

[MUSIC]

[ROOSTER CROWING]

DINA TEMPLE-RASTON: Could you just introduce yourself to us please?

JON ABBOTT: Uh, yes, ma'am. I'm Jon Abbott.

TEMPLE-RASTON: And what do you do?

ABBOTT: Um…

[ROOSTER CROWING]

TEMPLE-RASTON: Jon is having trouble telling me about himself because of Jeffrey. That’s
the very un-podcast-friendly rooster who keeps interrupting him. Jeffrey the rooster and Jon
live on a farm in Milledgeville, Georgia, population seventeen thousand.

It’s about two hours southeast of Atlanta. And we visited them to talk about a farm staple:
the tractor.

ABBOTT: Growing up, I was used to riding on the older tractors that were just a straight
shift diesel engine tractor that really the only electrical wiring on it was from the battery to
the starter and headlights.

TEMPLE-RASTON: But that’s not how tractors are now.

ABBOTT: Now the tractors can basically control themselves. And you're just up there in case
something malfunctions.

TEMPLE-RASTON: Jon climbs into the cab of a John Deere 5075 E…

[SOUND OF GETTING IN TRACTOR]

ABBOTT: This is the newest tractor we’ve gotten…

TEMPLE-RASTON: He puts the key in ignition and starts it up…

[IGNITION]

ABBOTT: Start it up…And then once it’s cranked…

TEMPLE-RASTON: Once it’s cranked up and running, well, it’s more like a cellphone on
wheels than that tractor he grew up with. In fact, as soon as he’s aboard, Jon pulls out his
phone and fires up an app to see how the tractor is doing.

ABBOTT: I can actually go on my app and go to my live dashboard and it'll show me every —
everything the tractor's tell on the computer, the computer is telling my phone.

TEMPLE-RASTON: It’s telling him the outside temperature, that his coolant is working.

ABBOTT:…my fuel temperature, my fuel level, how much fuel I'm consuming, how fast I’m
going.

TEMPLE-RASTON: Which, on the one hand is kind of incredible — to have all the information
right there on your phone. But on the other hand, if all that is Bluetooth enabled and
constantly connected to the Internet, well, someone can break into it – it’s hack-able.

[TRACTOR SHUTTING DOWN SOUND]

TEMPLE-RASTON: And if some bad actor got into the network they all share, well…

[THEME MUSIC]

WALTER SCHWEITZER: If a hacker could come up with a system to shut all the combines
down during harvest, um, it would create a severe disruption.

[THEME MUSIC]

TEMPLE-RASTON: I’m Dina Temple-Raston and this is Click Here, a podcast about all things
cyber and intelligence. In the past year, the world’s food supply has been under attack:
Ransomware actors brought the world’s largest meat processor to a standstill; the war in
Ukraine has hobbled grain shipments.

And now there’s a new threat on the horizon: the ability to shut down farm equipment with
a few well placed pieces of code. Today, we look at the hack-ability of the most important
piece of farm equipment since the horse.

[TRACTOR SOUND]

TEMPLE-RASTON: The tractor isn’t Jon Abbott’s straight shift diesel engine anymore. It’s
gone super hi-tech, and that means a whole generation of farmers who proudly
MacGyvered repairs with duct tape and a wrench are now dealing with error messages and
computer code.

All these changes mean hackers have a fresh target: the world’s food supply.

KIERSTEN TODT: We’ve always looked at food supply as being vulnerable and we’re seeing
now very tactical ways this sector could be exploited and compromised.

TEMPLE-RASTON: Stay with us.

[BREAK]

TEMPLE-RASTON: The master tractor hacker these days is a guy who comes from Australia.
His hacker name is Sick Codes.

SICK CODES: I'm Sick Codes. I'm a white hat hacker from Australia. I live in Asia and I hack
for a living.

TEMPLE-RASTON: Actually, he does more than that.

SICK CODES: So, companies reach out to me, want me to hack their things. Or I reach out to
companies with things that I've hacked into. And, uh, that's what I've done in this case with
the John Deere stuff. It's kind of blown up a little bit bigger than expected.

TEMPLE-RASTON: Sick Codes is a penetration tester – someone who is hired by companies
to find vulnerabilities in their networks before bad actors do. And what has made him the
latest king of farming hacks is that he figured out how to bypass the digital locks on the
John Deere tractor — kind of like the iPhone jailbreaking that was so popular a few years
ago.

His hack would allow farmers to monkey with the tractor’s touchscreen console, something
that companies like John Deere have said they can’t do. Which means, technically, they
can’t go in and fix their own tractors when they break. Like they used to, before tractors got
so high-tech and complicated.

SICK CODES: So tractors are kind of like this thing that I've never been inside of (laughs). So
I've never actually been in a tractor. It just seemed really interesting to find a niche that
nobody was hacking that, uh, or hacking publicly.

TEMPLE-RASTON: So it became his pet project. And he started by buying a John Deere
tractor touch screen.

SICK CODES: Yeah. I bought one, yeah. On ebay.

TEMPLE-RASTON: He paid 7,000 dollars for that console display — without the tractor. Not
easy to find, apparently. And then he just cracked it open and restored the factory settings.

SICK CODES: I can reset a tractor and I did bypass that with a guy, a guy's help from Brazil.

TEMPLE-RASTON: So this guy in Brazil gives him John Deere’s official software. He
downloads what he needs to break into the system, and to prove that he could now install
whatever he wanted…

[DOOM THEME MUSIC]

TEMPLE-RASTON: He uploaded a slightly modified first person shooter game from the
1990s, called Doom.

[DOOM MUSIC]

TEMPLE-RASTON: Instead of a shooter, there was a farmer.

Instead of a gun, a farmer was riding a tractor.

And he unveiled his hack at a place where he was sure he’d get lots of attention: this year’s
DefCon hacking conference in Vegas. And while he didn’t reveal every detail of what he did,
he made clear that anyone who really wanted to, could get into the John Deere tractor
software.

SICK CODES: So it did take me a while to break in. I could do it now in about an hour, but
yeah, it was a sophisticated attack as John Deere said, and it was also persistent and
invasive, but it was hardware and it was physically involved. So it's not remote.

TEMPLE-RASTON: Not remote: in other words, he hacked into just one tractor. But still, he
was making a point — to both farmers and to Deere and Co.

SICK CODES: This stuff isn't as secure as it looks. And John Deere may not be as secure as
they sound.

TEMPLE-RASTON: The fact that someone could hack into that system with such ease
suggested that anyone could. And this isn’t just a John Deere – the biggest farm equipment
manufacturer on the planet. His hack suggests that any piece of farm equipment that is
hooked up to the Internet is vulnerable.

His performance ended up being the big headline out of DEF CON.

SICK CODES: I just thought that it would be interesting to people, but I didn't realize it was
gonna be so interesting to so many people, because I thought it was just, you know,
agriculture and cyber security, but it turned out to be gaming news. It turned out to be
national security news. It turned out to be gadget news.

TEMPLE-RASTON: Needless to say John Deere wasn’t really a fan of Sick Codes’ DEF CON
performance. They’ve been quick to say that Sick Codes did a hardware hack. He’d
disconnected the console from the tractor itself — and he had loads of time.

Anyway, suffice to say, his relationship with John Deere, well, he says it’s testy.

SICK CODES: It's not the most….we need marriage counseling. Honestly, we need marriage
counseling.

TEMPLE-RASTON: John Deere declined to comment about their relationship. So, maybe it’s
not surprising that John Deere doesn’t want him to come to their factory.

SICK CODES: I've actually asked for an invite too, which is kind of weird, but they still don't
want to invite me.

TEMPLE-RASTON: Maybe the marriage counseling will help.

[MUSIC]

TEMPLE-RASTON: When we come back, how Sick Codes’ Doom hack gave new life to the
effort to repair your own tractor, and the doomsday agriculture hack farmers and
government officials alike are bracing for.

Stay with us.

[MUSIC]

[BREAK]

[MUSIC]

TEMPLE-RASTON: So John Deere has this rule: Farmers aren’t allowed to do their own
repairs on their newish high-tech equipment, which means they can’t just pick up a wrench
anymore. They have to have a company technician come in and do it.

The techs arrive with these special laptops, they plug it into the tractor, the software
diagnoses the problem, then they order the part. You’ve probably seen your mechanic do
that to your car. But here’s the difference: if you have to bring your car into the shop, leave
it there, get a loaner – it’s an inconvenience. If you’re a farmer, whose margins are thin even
at the best of times, waiting for a John Deere guy to show up during that small window of
harvest time — that can ruin your business for the year.

Consider what happened to Walter Schweitzer a couple of years ago. He raises black Angus
cattle outside of Great Falls, Montana, and out of the blue his tractor started just randomly
shutting down.

WALTER SCHWEITZER: I had a gut feeling that it was something in the fuel system. I
changed fuel filters. I started running the tank at above half full. But it just kept getting
worse and worse.

TEMPLE-RASTON: He finally calls John Deere and…

SCHWEITZER: …asked if they could send out a tech to work on my tractor. They said, Well,
you know, we're slammed, it's haying season, everybody's out, broke down.

TEMPLE-RASTON: They said they wouldn’t be able to come out for a week or ten days.

SCHWEITZER: So I said, okay, well maybe I can, uh, can I borrow your computer and
hardware stuff so I can figure out my problem?

TEMPLE-RASTON: He could call their dealer and order the part, and Bob’s your uncle. John
Deere says, no can do.

SCHWEITZER: All right. Well, can I rent it?

TEMPLE-RASTON: Nope.

SCHWEITZER: Okay. Well, dang it I'll buy the dang stuff. How much is it? And they said, No,
we don't sell it.

TEMPLE-RASTON: You’ve got to call a technician. Doesn’t matter if it is haying season,
doesn’t matter if there is a wait. That’s the right-to-repair debate in a nutshell, and it is
based on every farmer’s fundamental belief in self-sufficiency. So it wasn’t a surprise when
they did what they do best: take matters into their own hands.

KYLE WIENS: So I live in a little bit of a rural area and a friend of mine is a farmer. Farmer
Dave.

TEMPLE-RASTON: Kyle Wiens is the founder of iFixit. He’s part of a do-it-yourself community that teaches
people to fix what they own.

WIENS: He called me, he knew I was a computer guy. And he said, Hey, my tractor won't
turn on. I said, what do you mean it won't turn on? He said, well, there's a hydraulic sensor
on the tractor tread. And the sensor is bad and the tractor won't boot because it's a bad
sensor.

TEMPLE-RASTON: So nothing is actually wrong with the tractor. There’s just a bad sensor.
This happens with the onboard computers all the time. It has probably happened to you.
It’s a thing. So Dave the farmer asks Kyle the computer guy if he can figure out a way to just
get the computer to ignore the sensor, so the tractor would get going again.

But there was a problem — and it wasn’t technical, it was legal. If he did a workaround, it
would be against the law.

WIENS: A section of Digital Millennium Copyright Act called Section 1201, which is a law that
is designed to prevent tinkering. It says that you cannot bypass a lock on an electronic
device without permission from the manufacturer.

TEMPLE-RASTON: And Deere and Co. wasn’t giving permission. So, back in 2017 a bunch of
American farmers started buying pirated versions of John Deere’s software in
members-only online forums. Hackers from Ukraine had created a fix — a kind of firmware
that allowed farmers to give basic instructions to the tractor and its software. It allowed
them to do what they’d always done: fix their farm equipment themselves.

It drove John Deere so crazy, farmers told us they had to sign a contract, ensuring that they
wouldn’t hack into their own tractors. Which only made farmers angrier.

WIENS: Why do you think farmers are so stupid? Why can't farmers, uh, use the same
tooling that the dealers have?

[MUSIC]

TEMPLE-RASTON: So it’s fair to ask another question: Why is John Deere being so stubborn
about this? Why make their customer base so darn mad? John Deere has said publicly that,
first of all, the software is intellectual property. So it belongs to them.

Second, they’re worried farmers will tweak the software — for example, they might adjust
the engine to get better gas mileage, but that could also increase emissions. And John
Deere says it worries that it might add to climate change.

Walter Schweitzer says the answer is simpler than that: it is about how much they can
charge for a tractor.

SCHWEITZER: On most newer models, the frame, the transmission, the engine, uh, all of
the, of the critical pieces of that implement are the same. It's just the computer
programming that makes the difference between a 120 horsepower tractor and 160
horsepower tractor.

TEMPLE-RASTON: And, no big surprise here: a 160 horsepower tractor costs more.

SCHWEITZER: And you'll end up paying 20, 30% more for a bigger tractor that all they did is
change the programming.

TEMPLE-RASTON: They toggle something in the software and they’ve got a more expensive,
more powerful tractor. We asked John Deere about that, and they declined to comment.

Another thing they wouldn’t address is this crazy thing that happened in May on the fringes
of the war in Ukraine. I asked Walter about it.

SCHWEITZER: Oh yeah, that's creepy.

TEMPLE-RASTON: What creeped him out was this: These Russian Federation troops raided a
John Deere dealership in Ukraine and drove a bunch of tractors back to Chechnya. You can
imagine the scene. They are feeling pretty good about all their new equipment and when
they go to start the tractors up again, nothing. They won’t even turn over.

They’d been shut down, bricked. Remotely.

SCHWEITZER: What went through my head is now the world will see what John Deere can do.

TEMPLE-RASTON: John Deere didn’t deny it happened, but wouldn’t confirm they were
behind it either. And CNN, which had the original story, said their source was an unnamed
businessman in Ukraine.

So, that leaves just two alternatives: John Deere disabled the machines remotely, or some
random hackers did. Either way, it’s troubling.

WALTER SCHWEITZER: The fact that they can, can make your $500,000 piece of equipment,
nothing more than a paperweight by pushing a button, that's disconcerting.

TEMPLE-RASTON: So here’s the doomsday scenario: It’s harvest time, farmers are out in the
field bringing in crops, haying. And a bad actor has been sitting in John Deere’s networks for
months, waiting for harvest time, working their way into the system, burrowing into the
communications software that speaks to John Deere tractors.

And no one has noticed. Until…the hackers activate some malware.

[REVVING TRACTOR]

TEMPLE-RASTON: And it sends a little command that tells all the engines connected to the
network to start revving.

[LOUDER REVVING]

TEMPLE-RASTON: RPMs go up. They keep climbing…until the engines actually die.

[TRACTOR STOPPING]

TEMPLE-RASTON: It’s not far-fetched. Kiersten Todt is the chief of staff at the Cybersecurity
and Infrastructure Security Agency, or CISA. And she says these are the kinds of scenarios
they are thinking about all the time.

KIERSTEN TODT: We look at the interdependencies of, you know, the internet of things and
quite frankly, the interdependencies of the digital economy. What is critical and what is not?
Those lines have become more and more blurred.

TEMPLE-RASTON: And she says there is a good case to be made that tractors should be
seen as part of the nation’s critical infrastructure and protected that way.

TODT: The fact that we are now connecting tractors to the internet, that we're seeing an
increase in more smart technologies in the agriculture sector means that we've gotta be
thinking differently.

TEMPLE-RASTON: And by that she means viewing an attack on agricultural targets through
the same sort of lens we might see, for example, an attack on a hospital. In both cases, lives
could be at stake.

[OUTSIDE AMBI SOUNDS]

Walter, in Montana, has dealt with drought, trade wars, a pandemic, skyrocketing prices.
And all these hassles about repairing his own tractor. Against that kind of list, he says he
can’t dwell on people with keyboards trying to turn off his equipment.

SCHWEITZER: If I lost a lot of sleep worried about hackers, then they would be winning and I
don't like to let them win.

TEMPLE-RASTON: Even the farmer we met at the beginning of the episode, Jon Abbott, says
he’s looking at all these technologies in a new way.

He sees how vulnerable everything can be: the combine, the grain bins, sprinklers that keep
your crops fed and healthy.

ABBOTT: I mean, honestly, if you hacked our water sprinklers and turned our sprinklers on.
That, you know, you could ruin everything that we've got or you make it die by keeping 'em
off.

[MUSIC]

TEMPLE-RASTON: For once, Jeffrey the rooster has no comment.

[MUSIC]

This is Click Here.

B-SEGMENT

[B SEG THEME MUSIC]

TEMPLE-RASTON: Over Labor Day Weekend, the Los Angeles Unified School District was hit
with a ransomware attack. It’s the second largest school district in the country, and just the
latest in a tsunami of hacks focused on educational institutions. Kendra Hanna has more.

[MUSIC]

KENDRA HANNA: On Tuesday, September 6th, Alberto Carvalho, the superintendent for the
Los Angeles Unified School District, or LAUSD, held a press conference in an echoey middle
school gym.

The big news, at first, seemed like it wasn’t news at all: he announced that the district
expected a pretty normal day of classes.

ALBERTO CARVALHO: Our food service program would be active…

HANNA: Just three days earlier, on Labor Day weekend, the district had discovered hackers
in their networks. But here the superintendent seemed to be saying, we’ve done what we
needed to do. We’ve got mitigation in place. The FBI and Cybersecurity and Infrastructure
Security Agency, or CISA, have been called in.

CARVALHO: We were able to stop the propagation of this event. That was the right call at
the right moment.

HANNA: And speaking of timing…

MIKE HAMILTON: Number one, it was a holiday, so we know that nobody's watching the
farm. Number two is, school's about to start. It’s condition red. Got to get things back the
fastest way possible. So, it's the leverage.

HANNA: This is Mike Hamilton, he’s the former Chief Information Security Officer for the city
of Seattle, and the founder of Critical Insight, a cyber security company that works with a lot
of schools.

Mike says hackers may have wanted student records which they might be able to sell.

HAMILTON: If records were lost — especially because this is California — there's going to be
hell to pay.

HANNA: The California Consumer Privacy Act is the strongest privacy legislation in the
country. It lets consumers sue organizations if they were negligent and didn’t protect
personal and private data. If there’s evidence that the school district didn’t do all it could to
safeguard student information, they could be sued.

HAMILTON: I know that there are attorneys now that are watching for these things to
happen so that they can put together the class.

HANNA: LAUSD says they’re working towards bringing their network back up, but haven’t
given a timeline for when they think things will be back to normal. Schools in general aren’t
really equipped to deal with cyber security issues. But even though they’re not great at
handling it, ransomware attacks on schools have become common.

There’s been over a hundred just this year. The FBI and CISA even said a ransomware group
called “Vice Society” has been specifically targeting the education sector. They’re thought to
be a Russian speaking gang.

[WATERFALL OF NEWSCASTERS]

HANNA: The FBI also warned that they expect these kinds of attacks to increase even more.
Mike Hamilton again.

HAMILTON: The incidence rate goes up, as the target is viewed as viable.

HANNA: Maybe earlier attacks basically showed that this is a pretty easy way to make
money.

HAMILTON: It's not generally because the schools are doing anything different than they
ever did. Now they've been targeted as a source of revenue for these gangs, and they're low
hanging fruit.

[MUSIC]

HANNA: And they’ll continue to be low hanging fruit, as long as schools don’t have the tools
to prevent these kinds of attacks.

For Click Here, I’m Kendra Hanna.

[MUSIC]

HEADLINES

[HEADLINE MUSIC]

TEMPLE-RASTON: Hackers tied to the Iranian government launched an attack against
government networks in Albania over the weekend, marking the second time in three
months Iranian hackers have targeted the country’s networks.

The latest hack was leveled against the system Albania uses to track border crossings, and
came just a few days after the Albanian government cut diplomatic relations with Iran over
a July 15 breach. The U.S. government on Friday sanctioned Iran’s Ministry of Intelligence
and a top official in response to the earlier attack.

In a statement last week, Undersecretary of the Treasury for Terrorism and Financial
Intelligence Brian Nelson said the attacks “disregard norms of responsible peacetime State
behavior, which includes a norm on refraining from damaging critical infrastructure that
provides services to the public.”

—-

Cybersecurity researchers have uncovered another Iranian state-sponsored hacking group
that has been targeting government officials, journalists, academics, and opposition leaders
around the world for the past seven years.

According to research published Wednesday by the cybersecurity firm Mandiant, APT42, a
group linked to Iran’s intelligence services, has carried out at least 30 cyber operations
since 2015. The size of the group is unclear, but Mandiant says APT42 is clearly “well
resourced.”

And finally, law enforcement agencies have clawed back some $30 million in cryptocurrency
from the North Korean hacking group Lazarus. The monies were part of the $600 million
the group stole from the Ronin Network in March – one of the largest decentralized finance
heists ever. The Ronin Network does bridge financing for Axie Infinity, a play-to-earn
blockchain game that is massively popular across the Philippines, Vietnam and several
other Asian countries. It allows players to convert Bitcoin and Ethereum cryptocurrencies.

On Thursday, Chainalysis senior director of investigations Erin Plante said she joined
developers behind the game at a conference to announce that tens of millions of dollars
had been seized from the North Korean hackers with the help of law enforcement and
leading organizations in the cryptocurrency industry.
