Hacking

Hackers Make Smart Rifle Go Rogue

Security researchers Runa Sandvik and Michael Auger have hacked a TrackingPoint smart rifle that was designed to deliver sharpshooter results, even for novices. They demonstrated their feat for Wired and will present their findings at the week-long Black Hat 2015 security conference in Las Vegas, which begins Saturday. The two purchased a pair of $13,000 rifles and spent a year working on them.

Security researchers Runa Sandvik and Michael Auger have hacked a TrackingPoint smart rifle that was designed to deliver sharpshooter results, even for novices.

They demonstrated their feat for Wired and will present their findings at the week-long Black Hat 2015 security conference in Las Vegas, which begins Saturday.

The two purchased a pair of US$13,000 rifles and spent a year working on them.

They developed a set of techniques that could let hackers compromise the rifles — which are computerized and run a version of Linux — through the weapons’ WiFi connection.

“You need to be within WiFi range of the rifle at least once to make temporary or permanent changes,” Sandvik told TechNewsWorld.

Enabling WiFi lets the user do various things, including adjusting the rifle for ambient temperature and wind, downloading videos from the scope, and updating the software, Sandvik said.

Working for the Hack

Sandvik and Auger had to take apart the rifles and connect an eMMC reader to their flash storage to find changeable variables in their targeting application.

“We needed physical access and access to the system to figure out how to conduct these attacks,” Sandvik said.

However, that investment paid off in spades.

“Now that we know, we can do this to any TrackingPoint firearm we are in WiFi range of,” Sandvik asserted.

What’s a Smart Rifle?

TrackingPoint smart rifles are coupled with a scope running a modified version of Linux on an ARM chip, and a trigger mechanism linked to the scope.

The scope can track targets, and its processor can calculate ballistics and variables to give a first-shot accuracy of 70 percent. A trained sniper’s first-shot accuracy is around 30 percent.

An integrated camera captures still images and video from the scope and the heads-up display. Recorded images can be downloaded to a smartphone or tablet, and transmitted through email or social media.

The trigger contains microprocessors, as well as electronic, electro-optic and electro-mechanical components.

The rifles have a fixed reference point that enables them to retain zero.

TrackingPoint offers bolt-action and semiautomatic weapons. The former cost between $13,000 and $27,500, and use Magnum rounds.

The latter are priced at between $7,500 and $19,000 and use NATO 7.62 mm, 5.56 mm and 300 WM ammunition.

FUD in the Army

The United States Army purchased six smart rifles from TrackingPoint last year for evaluation.

Now that it’s known these weapons can be hacked, the Army might have to rethink the possibility of using them in the field.

“No electronic system is completely secure — it’s just a question of how much effort the hacker is willing to invest,” said Jim McGregor, principal analyst at Tirias Research.

The possibility of a smart weapon being hacked and taken over is “the greatest concern about this Internet of Things era we’re entering,” he told TechNewsWorld. “Once you connect a system externally to another system, you create potential holes for security intrusions.”

Through the smart rifle’s WiFi connection, Sandvik and Auger found that an attacker could operate as a root user. That role would let the attacker make the weapon inoperable by deleting files the scope needs, as well as disable the firing pin, or change the PIN to lock out the real owner.

TrackingPoint founder John McHale reportedly pledged to develop a software update, but the company apparently is not doing well financially, having sold only about 1,000 smart rifles, and has had to trim staff.

Securing Smart Rifles

Leaving the WiFi off is “a good stopgap measure” for keeping TrackingPoint smart rifles safe from hacking — at least temporarily, Sandvik said.

Physical security solutions that extend down to the silicon level and software solutions that prevent side-band intrusions exist, McGregor said, “but they are expensive to develop and implement, which is why most systems don’t use them.”

Richard Adhikari

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in Hacking

Technewsworld Channels