At the DefCon security conference in Las Vegas on Saturday, a hacker named Sick Codes jailbreak John Deere & Co tractors. This enabled him take control of multiple models through their touchscreens.
Sick Codes findings therefore highlights the security implications of right-to-repair. The right to repair is a proposed government legislation that would allow consumers to repair and modify their own consumer product. The legislation therefore eliminates the requirement that consumers only need to use the services they provide by restricting access to tools and components.
To develop his jailbreak, Sick Codes used numerous generations of John Deere tractor control touchscreen consoles. Models used for this exploit are “2630” and “4240.”
Sick Codes has been experimenting for many months with a number of touchscreen circuit boards to find bypasses for John Deere dealers’ authentication requirements.
The hacker was able to perform a reboot check to restore the device as if it were being retrieved from a certified vendor. He explained that once in such an environment, the system would provide protocols worth more than 1.5 GB to help authorized service providers diagnose problems.
The logs also revealed the path to another potential timing attack that could grant deeper access. Soldering controls directly to the PCB eventually allowed the hacker to bypass the system’s protective mechanisms.
While the approach requires physical access to the PCB, Sick Codes explains that a tool based on the vulnerabilities could be more easily used to execute the jailbreak.
The sources for this piece include an article in Archive.today.