https://doctorow.medium.com/about-those-kill-switched-ukrainian-tractors-bc93f471b9c8
Here’s a delicious story: CNN reports that Russian looters, collaborating with the Russian military, stole 27 pieces of John Deere farm equipment from a dealership in Melitopol, Ukraine, collectively valued at $5,000,000. The equipment was shipped to Chechnya, but it will avail the thieves naught, because the John Deere dealership reached out over the internet and bricked these tractors, using an in-built kill-switch.
Since that story ran last week, I’ve lost track of the number of people who sent it to me. I can see why: it’s a perfect cyberpunk nugget: stolen tractors rendered inert by an over-the-air update, thwarting the bad guys. It could be the climax of a prescient novella in Asimov’s circa 1996.
But I’m here to tell you: this is not a feel-good story.
I mean, sure. In the short term, it’s really cool to think of those looters arriving in Chechnya only to discover that their looted tractors and combines and such are only good for spare parts (and maybe not even that).
But if you scratch the surface of that cinematic comeuppance, what you find is a far scarier parable about the way that cyberwarfare could extrude itself into the physical world. After all, if John Deere’s authorized technicians can reach out and brick any tractor or combine, anywhere in the world, then anyone who suborns, hacks or blackmails a John Deere technician — say, Russia’s storied hacker army, who specialize in mass-scale infrastructure attacks, which they perfect by attacking Ukrainian embedded systems — can do the exact same thing.
Why are John Deere tractors kill-switched in the first place?
Here’s a hint: the technology was not invented to thwart Russian looters.
No, it was invented to thwart American farmers.
For most of John Deere’s history, it partnered with farmers on its technological development. I mean that literally: John Deere used to send engineers on the road to visit farms and learn how farmers had adapted their equipment, and then it would integrate those improvements into new models of its tractors.
Farmers have been making, fixing and adapting their technology for millennia (literally) — farms have workshops and forges because when you’re at the end of a lonely country road and the storm is coming and you need to bring the crops in, you can’t go into town (or call the Deere dealership) to get a key piece of equipment repaired.
But as John Deere went from just one of many ag-tech companies to a monopolist, its relationship to farmers was transformed. Deere perceived many opportunities to extract new sources of revenue from farmers.
For example, they fitted out their tractors with clusters of new sensors: torque sensors on the wheels that measured soil density, humidity sensors on the undercarriages that measured soil moisture, and location sensors on the roof that plotted density and moisture on a centimeter-accurate grid.
This information is very useful! Farmers can use it to practice “precision agriculture,” broadcasting their seed according to these maps to maximize yield.
But Deere farmers can’t get that data — at least, not on its own. Deere bundled that data with an app that comes with seed from Monsanto (now Bayer), its preferred seed vendor. The farmers generated the data by plowing their fields with their tractors, but Deere took the position that the farmers weren’t the owners of that data — Deere was.
Deere bundled the data with the farmer and sold both to Monsanto. The next time someone tells you “If you’re not paying for the product, you’re the product,” remember this. These farmers weren’t getting free, ad-supported tractors. Deere charges six figures for a tractor. But the farmers were still the product. The thing that determines whether you’re the product isn’t whether you’re paying for the product: it’s whether market power and regulatory forbearance allow the company to get away with selling you.
But selling farmers their own soil telemetry is only the beginning. Deere aggregates all the soil data from all the farms, all around the world, and sells it to private equity firms making bets in the futures market. That’s far more lucrative than the returns from selling farmers to Monsanto. The real money is using farmers’ aggregated data to inform the bets that financiers make against the farmers.
If you’ve heard anything about the technical restrictions in a Deere tractor, chances are that it wasn’t about this data theft — more likely, you’ve heard about Deere’s Right to Repair shenanigans.
Deere is one of many companies that practice “VIN-locking,” a practice that comes from the automotive industry (“VIN” stands for “vehicle identification number,” the unique serial number that every automotive manufacturer stamps onto the engine block and, these days, encodes in the car’s onboard computers).
VIN locks began in car-engines. Auto manufacturers started to put cheap microcontrollers into engine components and subcomponents. A mechanic could swap in a new part, but the engine wouldn’t recognize it — and the car wouldn’t drive — until an authorized technician entered an unlock code into a special tool connected to the car’s internal network.
Big Car sold this as a safety measure, to prevent unscrupulous mechanics from installing inferior refurbished or third-party parts in unsuspecting drivers’ cars. But the real goal was eliminating the independent car sector, and the third-party parts industry, allowing car manufacturers to monopolize the repair and parts revenues, charging whatever the traffic would bear (literally).
And, as with Deere, Big Car also wanted to be able to gather data on drivers and sell it to third parties. Your car gathers a shocking amount of data about you, which you don’t get to see, and the manufacturer sells that to third parties, who use it in ways that are counter to your interests.
The auto manufacturers freely admit that the data your car gathers about you could bring you to grave harm — indeed, when Massachusetts voters put an automotive Right to Repair initiative on the 2020 ballot, Big Car ran scare ads warning that allowing third party access to your car’s trove of data would literally lead to you being murdered.
Of course, according to the auto cartel, the correct way to address this risk is to preserve their repair monopolies — as opposed to redesigning cars so they don’t spy on you. And, of course, one of the services a third-party repair ecosystem could offer drivers is the option to turn off all that surveillance.
VIN-locking metastasized out of the automotive sector and took root in every part of our lives. Apple would love to VIN-lock its phone screens, and they’ve done so several times, but had to back down after customers and independent cracked-screen repair places raised hell. After the FTC and the Biden Administration threatened to directly regulate Apple to force it to facilitate repair, the company created an official home repair program, albeit a very limited one.
Other sectors have been more successful in rolling out VIN locking. One company that led the way here is Medtronic, the world’s largest med-tech company (and, thanks to an Irish reverse-merger, one of the world’s least-taxed med-tech companies).
For more than 20 years, Medtronic’s PB840 ventilators have been the workhorses of the field. But Medtronic decided to juice its profits by VIN-locking the parts in the PB840 (hospitals, like farmers, have fixed their own equipment since time immemorial: when a patient has a medical emergency, you need to be able to fix whatever piece of gear their doctors need, not call a manufacturer-authorized technician who’ll arrive days or weeks later).
That was terrible before the pandemic, but when the world’s demand for ventilators spiked just as Medtronic’s authorized service technicians were grounded, this VIN-locking racket became a major threat to public health.
Hospital technicians around the world scrambled to nurse their PB840s along, keeping them in service. A common PB840 repair involves swapping a working screen out of a busted ventilator into a working ventilator with a busted screen.
Screens are VIN-locked components, though, so the resulting, perfectly functional device would not work until an authorized tech flew out to the hospital and typed in an unlock code — and remember, the pandemic grounded all those technicians.
Thankfully, an anonymous Polish ex-Medtronic employee had kept the unlock code generator from his previous job, and he cloned it, packaged the resulting gadget in whatever enclosures he could find — old guitar pedals, table lamps and alarm-clocks — and mailed them to med-techs at hospitals around the world, saving lives.
Why did this hero remain anonymous? Because he was breaking the law. Article 6 of the EU Copyright Directive bans the production of “circumvention devices” that bypass VIN locks. In the USA, Section 1201 of the Digital Millennium Copyright Act (DMCA) makes trafficking in circumvention devices a felony punishable by a five-year prison sentence and a $500,000 fine — for a first offense.
Every three years, the US Copyright Office holds hearings on DMCA 1201, in which they entertain petitions to allow users of locked devices to bypass those locks (yes, you have to ask the US government for permission to reconfigure your own property, and yes, mostly, the answer is “no”).
In the 2017 edition of these exemption hearings, John Deere filed a stunning brief with the Copyright Office: in it, they explained that farmers do not own the tractors they spend hundreds of thousands of dollars on.
In fact, the farmers can’t own these tractors, because the software that animates these tractors (and enforces VIN locks and restrictions on using your own data) belongs to John Deere for the full term of copyright — 90 years — and the farmers merely license that code, and they are bound by the terms of service they have to click “OK” on every time they switch on their ignitions.
Those terms specify that even if a farmer repairs their own tractor, swapping a broken part for a working one, they must pay hundreds of dollars and wait for days for an authorized Deere technician to come out to the end of their lonely country road to key in an unlock code.
This is the system that let the Ukrainian Deere dealership brick those tractors between Melitopol and Chechnya.
Tech monopolists love kill-switches, and they exhibit heart-warming confidence in their own ability to prevent their abuse.
That confidence is terribly misplaced. These can and will go wrong, with terrible consequences. It’s important not to get swept up in the industry’s self-serving cheerleading about these kill-switches working in ways we like, because of all the ways they can go wrong.
Back in 2019, progressives gleefully circulated a new hack: whenever your local far-right thugs parade through the street, you can blare pop music at them. The music will be detected by the copyright bots that patrol YouTube and other services, and your local Nazis won’t be able to use videos from their public demonstrations as propaganda.
At the time, I warned that these bots were not your friend and prophesied that they would do more harm than good. I was right: during lockdown, copyright bots misidentified all the performances of stranded classical musicians as similar performances from Sony (who own the majority of classical music recordings) and blocked them, preventing these classical musicians from getting paid for their work.
That was just for starters, though. As I predicted, cops started blaring pop music during their encounters with the public in a bid to prevent any video recording from being shared online. Despite official condemnations, cops keep doing it.
Kill-switches and VIN locks go together like peanut butter and chocolate, and so it’s no surprise that they’re much beloved of the auto industry, the inventors of VIN locking.
The subprime automotive lending industry is a pure predator, overcharging poor people who need cars to get to work. Like subprime house loans, subprime car loans are designed for default: by design, the borrower pays and pays, but eventually misses a payment, allowing the lender to repossess and re-sell the same car over and over again.
To facilitate this system, trillions of dollars’ worth of subprime cars are kill-switched, fitted with ignition overrides that lenders can turn on if you miss a payment, or which can turn themselves on if the car detects that you’ve driven it past the county line, in contravention of your lease terms.
This has lots of ghastly failure modes: if the dealership loses track of your payment, it will brick your car and demand that you pay again; or you might take your kids for a walk in the woods, not realizing that you’ve crossed the county line and tripped the immobilizer until you try to drive home and realize that you are stranded in a literal dark forest.
But those are retail kill-switch failures. Kill-switches also fail wholesale, when hackers break into car dealerships’ computers (no language on Earth contains the phrase “as secure as the IT at a used car dealership”). When that happens, every car the dealership has ever sold is bricked.
From Medtronic to GM to Apple, VIN-locking and kill-switching are sold as security measures instituted to protect you, not to empty your wallet. Those claims would be a lot more credible if these companies were actually good at security. It’s pretty rich that the company that made a Jeep that was so insecure that hackers could remotely seize control of the steering, ignition and brakes and drive it off the highway into a ditch tells us that we can’t let third parties modify our cars lest they render them insecure.
John Deere makes this claim: in its battles against the right to repair, Deere styles itself as the guardian of the world’s food supply, whose information security is all that stands between us and a Russian (or Chinese, or supervillain) shutdown of the world’s ag-tech.
They’re not wrong: John Deere’s decision to build ag-tech that can be remotely controlled, disabled and updated, along with its monopolization of the world’s ag-tech market, means that anyone who compromises its system puts the world’s food-supply at risk.
Which is a terrifying proposition, because John Deere has extraordinarily terrible information security. When Sick Codes probed Deere’s security, they found glaring, serious errors that put the entire food supply chain at risk.
Worse, John Deere seems to have no clue as to how bad it is at security. In the company’s entire history it has never once submitted a single bug to the US government’s Common Vulnerabilities and Exposures (CVE) database. As far as Deere knows, its security is literally perfect.
John Deere is wildly imperfect.
That means that the tool that Deere used to brick all those stolen tractors in Chechnya is potentially available to even moderately skilled hackers who exploit Deere’s reckless decision to build kill-switches into its equipment and its negligent security.
Kill-switches and VIN locks go hand in hand — but they’re also comorbid with security incompetence. Remember Medtronic? Its implanted medical devices (whose owners can only switch vendors with a scalpel and general anesthesia) are incredibly, terrifyingly insecure, and Medtronic, like Deere, insists nothing is wrong. That’s why a couple of security researchers had to build and demonstrate “a universal remote for killing people” with hacks of their implants, before Medtronic would institute a voluntary recall of just one of its products.
You know who understands how dangerous John Deere’s kill-switching and VIN locking is? Ukrainian farmers. Ukraine is a major exporter of illegal alternative firmware that replaces Deere’s software with independently produced, farmer-friendly code (ironically, if the Russians who stole those Deere tractors manage to un-brick them, it will likely be with this software).
That farmers working in a low-income, high-risk, high-instability nation would create firmware to liberate themselves from the rent-seeking of a multinational monopolist and the risks its remote-control software created is no surprise.
High-risk/high-instability is now endemic to the world, not just Ukraine. The kill-switches that gave those Russian looters their comeuppance are lurking in every Deere tractor, everywhere. As Cathy Gellis wrote for Techdirt:
The reality is that if you’ve made it so that a tractor owner can’t use their own equipment, you might be a looter. But you also might be John Deere. The only difference is that the looter’s behavior is more clearly lawless, whereas John Deere’s is currently backed up by law. But the effect is just as wrong.
We should be building tractors — and phones, and cars, and ventilators, and medical implants — that are robust and resilient, maintainable and repairable even when supply chains break. There are risks to this — a device without a kill-switch is a little more attractive to thieves. But kill-switches impose risks that vastly outstrip the risks they offset.
In an increasingly risky world, that’s not something we should be cheering on.