Software of TrackingPoint’s expensive smart sniper rifle can be hacked to disable it or misdirect its target due to flaws.
Since 2011, when TrackingPoint was launched, it has been selling over thousands of it high-end Linux powered rifles which are known for its self aiming system. TrackingPoint combines technology, sensors, cameras and Linux software into a sniper rifle to develop ‘Smart Rifles’ which enables even a beginner to accurately hit targets that have been placed far away. It’s almost foolproof shooting, albeit at a $13,000 price tag.
The scope allows its shooter to ‘digitally lock’ the target and then dial in the required variables such as wind, temperature and weight of the bullet being fired. Once the trigger is pulled, the smart rifle would activate its firing pin only when the barrel has been perfectly oriented to nail the target thus we can say the software actually chooses the exact moment to fire.
Further, the gun can also be connected to a tablet or smartphone via Wi-Fi which allows another person to view whatever the shooter is viewing in the scope. Now, the con part of this entire unit is its software which can be hacked, just like any other software!
TrackingPoint began marketing their product to hunters and it was just last year when there were rumors that even U.S. army was testing these auto-aiming rifles.
Two security researchers, Runa Sandvik and Michael Auger, who are also husband and wife, have now demonstrated that this smart rifle can be hacked and fooled into misdirecting its target or even disable it. The duo have shown, that anyone who is near enough for the Wi-Fi connection of the smart rifle can easily manipulate with the controls of this smart rifle.
The most important point to be noted here is that hacker cannot make the rifle to move in any direction or shoot on its own; however hacker can make changes to the bullet.
For instance, in a scenario of hostage taken by criminal, hacker can misdirect the police sniper to miss their target while shooting that can result in killing the hostage instead of criminal. Worst could be that the hacker completely locks the control of the smart rifle rendering it useless.
While speaking to CNNMoney, Michael Auger recalled that it all began last year summer when they happened to stop by the TrackingPoint’s booth at the Nation’s Gun Show located at west of Washington, D.C.
Auger said: “We were reading their marketing material that said you could connect it to your phone.”
The advertisement read out that “gun enabled with Wi-Fi connection” actually made her purchase it and check out the security of its software, which is natural for a security researcher! Thus she says: “That’s when I suggested we buy one and hack it.”
Soon, a lower-end Precision-Guided .308 model was purchased by the duo at a price of $12,995.
Next, Auger began her work by opening the computerized scope and started studying the hardware of this smart rifle and was able to discover the flaws which was quite conspicuous.
Sandvik and Auger have found of some chain of vulnerabilities in the Linux software of the rifle through which they can take control of the self aiming functions boasted by TrackingPoint.
The very first vulnerabilities is its inbuilt Wi-Fi which has a default password, which when ON allows anyone within the range of the Wi-Fi to get connected to it. Thus once hacker gets connected to the Wi-Fi, the gun serves as a server and gives access to the APIs which enables alteration of key variables in its targeting applications.
The duo also found that an attacker could also add themselves as ‘root’ user on the device which would enable them to take a complete control of the software and make permanent changes to its targeting variables including deleting essential files which could completely disable the scope from operating. It was also discovered that suppose user has set some PIN to limit access of outsiders to the gun, the root attack can still gain complete access and in fact allow hacker to lock out the gun’s owner by setting a new PIN. Thus attacker can completely stop the gun from firing the ammunition. This proves that the gun listens to remote instructions and allows administrative access to hackers which could be dangerous.
Auger and Sandvik carried out their experiments with the smart rifle at a gun range in West Virginia.
During the test shot, Auger fired just once and was able to hit the target placed at 50 yards.
Then, Sandvik tapped into the rifle from a computer placed near shooter and tricked the software into thinking that the 175 grain bullet is actually 2,857 times heavier. Auger now fired in the same manner as in the test shot, however this time the bullet landed 30 inches to the left of the target.
CNNMoney quotes: “They didn’t just trick the rifle to miss. They tricked it to miss — just right.” It seems the same thing can be done even by adjusting the wind and temperature readings of the rifle.
Sandvik added: “Unless you’re really familiar with the rifle and know what you’re doing, you probably won’t notice those variables are changing. You’ll be too focused lining up your shot.”
The duo say that the most surprising part of this hack is that it is quite easy to exploit the flaws.
Sandvik claims that the hacker would just have to download the widely available TrackingPoint Smartphone app, know their default password and just be in their vicinity so as to get access to the device, one is sure to sabotage the smart rifle’s shot by readjusting the temperature and wind settings. The worst thing here is that the default password has been published online!
If a hacker wants to create more damage then they will have to re-engineer the hardware and lock the trigger, also make changes to the bullet weight and worst is just turn off the software and render the device useless. Sandvik fears that someone would definitely publish all this online to help other hardware hackers.
Auger and Sandvik are planning to reveal more about their research at the Black Hat cyber-security convention which would be held next week in Las Vegas.
Then, it would be easier for any hacker to discover the weaknesses of the rifle and exploit it individually; unless ofcourse TrackingPoint takes this issue seriously and takes firm steps to fix the flaw.
It seems Sandvik has already spoken to TrackingPoint on Sunday and she adds “they seemed… interested in fixing the issues we identified.”
When CNNMoney inquired, TrackingPoint did not comment about the flaws or any possible steps being taken towards fixing the issue.