As IoT technology advances, with wireless cards and connections being added to nearly every modern appliance, so too is the IoT becoming a part of military and weapons technology. While not unexpected, security researchers still find it very concerning that vulnerabilities in the technology of personal firearms may create new risks and hazards for everyone.
In 2015, two security researchers, Runa Sandvik and Michael Auger, revealed vulnerabilities in the software of the TP750 sniper rifle, newly designed by firearms manufacturer TrackingPoint. The scope of the $13,000 rifle houses an onboard computer running the Linux kernel, which helps the shooter determine the best possible shot by calculating thousands of variables, including bullet weight, wind speed, environmental temperature, range, lighting, etc. The “smart scope” also houses a wireless card and Bluetooth connector, which is what allowed Sandvik and Auger to use an exploit via SSH to connect remotely to the onboard computer. Once connected and given root privileges (the rifle used default passwords), the two researchers were able to change any variable in the scope’s software. By changing a single variable in the targeting system’s code, they made the scope treat the bullet weight of the rifle round not as the actual .4 ounces but as 72 pounds, causing the rifle to heavily overcompensate and fire far above the target. Sandvik stated that, “You can make it lie constantly to the user so they’ll always miss their shot.” Sandvik and Auger revealed that the exploit allowed them to do anything from making the rifle miss or shoot next to the intended target to simply deleting the entire file system of the scope’s onboard computer.
Since the discovery, the rifle’s manufacturer, TrackingPoint, has laid off a majority of its staff, switched CEOs, and stopped taking orders for its rifles. Despite being contacted by both Sandvik and Auger, TrackingPoint has yet to reveal whether it has patched the software in its scopes.
In more recent news, a hacker using the alias “Plore” revealed at the 2017 DEF CON security convention that he was able to use magnets to hack another “smart gun”. In 2006, German arms developer Armatix developed the Armatix iP1, a .22LR caliber handgun that uses RFID technology to allow only permitted users to fire the weapon. The Armatix iP1 uses an RFID-encoded wristwatch system that releases the magnetically locked safety mechanism in the gun when the watch is within 10 inches of the wearer. Independently looking for a workaround on the gun itself, Plore discovered two methods through which malicious entities would be able to hack the “smart gun”. After purchasing one of the handguns himself, Plore found that the RFID protections could be overridden by generating the same RFID signal from a pair of $20 homemade radio relays he had made from hardware he had purchased at a Home Depot. The homemade relay would allow him to trick the RFID receiver in the handgun into thinking he had the watch on, while in fact the watch itself was in another room.
Plore also discovered that the magnetic locks on the safety mechanism in the Armatix iP1 could be moved and unlocked with an even simpler workaround: holding $15 worth of magnets next to the gun itself. Using magnets also bought from a hardware store, Plore was able to simply unlock the safety and fire the gun repeatedly.
While weapons designers and manufacturers are working to create new and more technologically modern firearms, security researchers fear that these attempts may fall short as these two have. And while many critics agree that IoT-connected and other “smart guns” are likely to continue being designed and made, they still fear that the vulnerabilities these weapons create will do more harm than good. Only time will tell, though, whether the fear of “smart guns” is as concrete as the experts claim it to be.
– Henry Keena
Sources:
https://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/#slide-4