
When your life is on the line, the very last thing you want to worry about is the reliability of your equipment. Give me a good old-fashioned carbureted engine with a set of magnetos and I’m a happy lad — you can keep your fancy fuel injection to yourself. Beyond the possibility of a glitch in the code causing a problem or your electrical system going dead, another worry is that your fancy computerized gizmo can be altered without your knowledge to malfunction in subtle but deadly ways. A team of hackers at DefCon (one of the last few things on my bucket list to attend) demonstrated that they can do just that with TrackingPoint’s multi-thousand dollar precision rifles, making them either hit the wrong target or lock the user out completely. All without ever touching the gun.

From WIRED:

At the Black Hat hacker conference in two weeks, security researchers Runa Sandvik and Michael Auger plan to present the results of a year of work hacking a pair of $13,000 TrackingPoint self-aiming rifles. The married hacker couple have developed a set of techniques that could allow an attacker to compromise the rifle via its Wi-Fi connection and exploit vulnerabilities in its software. Their tricks can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing. In a demonstration for WIRED (shown in the video above), the researchers were able to dial in their changes to the scope’s targeting system so precisely that they could cause a bullet to hit a bullseye of the hacker’s choosing rather than the one chosen by the shooter.

Here’s what is going on.

There’s a Wi-Fi hotspot built into TrackingPoint rifles to allow the gun to stream the view from the scope to a nearby iPad. That’s what we are seeing in the video above — I put a video camera on the iPad in question while we were firing, and it showed what I saw in real time. That Wi-Fi can also be used to update the software on the gun to account for new ballistic models and ammunition loads that TP approves, allowing (as they boastfully claimed when we first met them) every rifle — even older ones — to benefit from the knowledge gained over time.

The researchers in this case found a way to use the Wi-Fi hotspot (using the default password on the Wi-Fi connection) to access the innards of the scope’s ballistic program. Rather than directly changing the actual point of aim on the scope, the researchers were able to alter the ballistic profile stored in the scope’s memory, which in turn caused the scope to re-calculate the firing solution.

In the video demonstration for WIRED at a West Virginia firing range, Auger first took a shot with the unaltered rifle and, using the TrackingPoint rifle’s aiming mechanism, hit a bullseye on his first attempt. Then, with a laptop connected to the rifle via Wi-Fi, Sandvik invisibly altered the variable in the rifle’s ballistic calculations that accounted for the ammunition’s weight, changing it from around .4 ounces to a ludicrous 72 pounds. “You can set it to whatever crazy value you want and it will happily accept it,” says Sandvik.

Here’s where the WIRED team went a little overboard with their announcement. It is completely true that the researchers can cause the gun to hit a different target than the one they are aiming at, but that’s only because they changed the ballistic data by hand to hit that specific target. The TrackingPoint scope will track moving targets and other objects, and the researchers were unable to force the scope to re-designate a new target for that tracking process. All they did was deflect the point of aim of the rifle to a new position slightly offset from the intended target.

Still very nifty, but slightly different from the advertised target swapping abilities.
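
The scope accepting a 72-pound bullet is a missing input-validation check on the ballistic profile. As an added example (not code from this article, WIRED, or TrackingPoint), here is the kind of range check an update handler could run before accepting a change; the field names, limits and sample values other than the two quoted weights are assumptions.

```python
import math

OZ_TO_GRAINS = 437.5      # avoirdupois ounce
LB_TO_GRAINS = 7000.0     # avoirdupois pound

# Hypothetical field names and illustrative plausibility limits;
# none of these come from TrackingPoint's software.
LIMITS = {
    "bullet_mass_gr": (100.0, 250.0),
    "muzzle_velocity_fps": (1500.0, 3500.0),
    "ballistic_coefficient": (0.1, 1.0),
}


def validate_profile(update):
    """Return a list of violations; an empty list means the update is acceptable."""
    errors = [f"{name}: unknown field"
              for name in sorted(update.keys() - LIMITS.keys())]
    for name, (lo, hi) in LIMITS.items():
        if name not in update:
            errors.append(f"{name}: missing")
            continue
        value = update[name]
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            errors.append(f"{name}: not a number")
        # NaN slips past "value < lo or value > hi", so test finiteness first.
        elif not math.isfinite(value):
            errors.append(f"{name}: not finite")
        elif not lo <= value <= hi:
            errors.append(f"{name}: {value:g} outside [{lo:g}, {hi:g}]")
    return errors


def apply_update(current, update):
    """Return (profile, errors); the current profile is kept if anything fails."""
    errors = validate_profile(update)
    if errors:
        return current, errors
    return dict(update), []


# Constructed inputs built from the two weights quoted in the article.
STOCK = {"bullet_mass_gr": 0.4 * OZ_TO_GRAINS,            # ~0.4 oz = 175 gr
         "muzzle_velocity_fps": 2600.0,                   # constructed value
         "ballistic_coefficient": 0.5}                    # constructed value
TAMPERED = dict(STOCK, bullet_mass_gr=72 * LB_TO_GRAINS)  # 72 lb = 504,000 gr

if __name__ == "__main__":
    print(apply_update(STOCK, STOCK))
    print(apply_update(STOCK, TAMPERED))
```

A bounds check like this only limits how far a value can be pushed; it does not replace changing the default Wi-Fi password or authenticating whoever sends the update.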

The second thing they demonstrated was the ability to change the PIN code assigned to the scope. The TrackingPoint guys made a big deal about the ability to lock the gun with a PIN code to keep unauthorized users from firing it, and the researchers found a way to change that code in memory so that it no longer works. The big caveat here is that the gun must have a PIN code assigned to lock it; unlocked guns are not impacted.

The TrackingPoint guys were already in a financial world of hurt. The military and law enforcement entities that they thought would buy the system have shown almost exactly zero interest in the heavy, cumbersome scope and its quickly depleted batteries. After saturating the civilian market with their rifles, the company is basically out of buyers for their product and seems on the verge of going belly up. It looks like TrackingPoint is destined to be another flash in the pan in the gun world, and given their massive layoffs in the R&D department specifically, there’s little chance that they have anyone capable of plugging these security flaws. This might just be the final nail in the coffin for TP.

36 Responses to Hackers Demonstrate They Can Remotely Shift Targets, Lock TrackingPoint Rifles

  1. Well, they’re out of business now so I don’t think it’s a huge issue unless somebody starts production up again. By then I think this could be addressed. To me the Bluetooth capability, etc. made it more of a novelty than anything else. How many of these rifles actually were sold at the ridiculous price they were asking?

  2. Or you could not turn the wifi on to begin with.
    You have to manually turn on wifi and can see how many devices are using it.
    If you happen to be using the wifi for a spotter and see another device link up, turn wifi off and just use the scope.
    I’m more impressed it took a year of effort to hack.
    The public let this one slip between their fingers.
    With target size adjustments down to .1MOA these are great for dialing in handloads.
    I’d be interested in the hack just to add more ammo choices.
    Seems like they can add the numbers they want..
    Or unlock the max target range to match the rangefinder. 750yrd .308 isn’t too much to ask..
    🙂

  3. Is it bad that the first thing I thought was “how sweet, married couples still do things”?

    Also didn’t realize that TP rifles were lockable. I guess that proves our point regarding smartguns: if it is hackable, it will be hacked.

    • I believe that if one actually powers off the unit – perhaps requiring one to pull the battery if it’s been compromised – it’ll still work as a regular gun.

      • @Russ: But will the scope work at all with the batteries pulled out? If not then the shooter would have to quickly get that off the gun and either use or install some old fashioned iron sights or another scope. Probably another, non-electronic scope as this would probably be used for a long distance target. Pretty time consuming in a tactical situation. And carrying another scope in case this one gets hacked seemed unnecessarily redundant. May as well just mount the old fashioned scope to begin with.

  4. I don’t want any electronic system on any of my firearms that can cause them to be hacked or remotely disabled.

      • A LASER sight is electronic, as are a number of other useful accessories without which I do just fine but others like.

        I’d say the whole comment should stand.

      • I’d take an electronic system that analyzed my movements, whether trembling from cold or jerks from hiccups, and fed a little system to compensate for them — I’m nowhere near as steady as I used to be.

    • That is why “Smart Guns” are so wonderful in that they can be hacked by the government so the guns will be “safe”.

    • +1, A81. Allow me to state the obvious- that you and every other street cop in the United States with a lick of common sense came to same conclusion in about a minute of thinking about it.

      I imagine the same common-sense is what led to Armatix P-1 smart gun having no real sales prospects, or purpose, other than to generate a talking point for the gun-grabbers, or another bogus grant to the NJ Arsenal, or one of Obozos big donors in the Solyndra gang, the VCs funding the same kind of foolishness in the SmartGun challenge.

      Exactly what happened when the actual shooters in the usmil gun acquisition/development entities were asked to weigh in, with same common-sense on Tracking Point.

      The problem with technology with electronic enablement that is this fragile, is the counter-technology is so basic, and already commonly available as cellphone jammers, and RFID chip scramblers, that it creates a critical vulnerability that is far easier to engineer, and adapt.
      It’s the old concept of the arms-race, except the cycle is shortened, and the vulnerability is higher, when the critical dependency is radio signals controlled by software.

      There will never be a sufficiently hardened system that is proposed for civilian use that can’t be (already has been) hacked by a big player, that can survive the long lead time of open contract for mildot or LEO standards.

      Someone will always find an easy hack around it, and if these amateurs could do it at some goofy blackhat conference, imagine how far ahead already, are the makers inside the labs run by the BIG.gov funded, and much smarter geeks in Langley, Jerusalem, or Shanghai.

      • If there’s a lesson that should be blindingly obvious to absolutely everyone, it is that if it’s on the internet, or has any sort of wireless connection, it can be hacked.

        And people wonder why I refuse to bank online, or ever use a debit card.

    • +1,000.

      I’m a retired EE as well as now a gunsmith. Designing “fail-proof” electronics is hard. Very hard. As a result, I want nothing requiring so much as one electron or electron hole moving from “here” to “there” in any gun I own. I foresee nothing but problems with such ideas, and where electronics are concerned, Murphy was an optimist.

      Every, oh, 10 years or so for the last 30 years, we’ve seen electronic triggers and electrical ignition systems get tried on guns – and not for reasons or motivations of gun control. The idea has been “faster trigger lock times” forever in this quest. If only we could remove the falling mass of a hammer, or remove the mechanical transition time of a striker, or moving parts in a trigger – we could achieve “more accurate” guns due to faster lock times.

      And every time someone goes down this road, they discover (or re-discover) both miserable reliability and ballooning liabilities.

      Now, add in software, and we watch the complexity we’re trying to wrestle with to achieve reliability spiral out of control. Part of the problem is poor software practices. The software industry in the US is, in general, slovenly and scrofulous, writing code in languages that are the equivalent of juggling chainsaws with the throttles locked open. It’s beyond stupid. I know of what I speak here, since I spent 20+ years writing software in systems and projects ranging from one person to thousands of people.

      Old fashioned firearms design is pretty well debugged by this point. People screw it up when they try to cut corners in the quest to cut costs. For those willing to do the job right, firearms can be produced with very high levels of quality and reliability.

  5. Tracking Point was an answer looking for a question. Shooting a flat trajectory round with an incremented marked range scope eliminates a lot of the need for this thing in the first place. Tracking point really cannot adjust for wind drift very well anyway.

  6. While I don’t think of Tracking Point as a life safety device, but rather as a way for plonkers with too much money to pretend that they’re marksmen, this is stoopid.

    Why on Gods’ Green would such a machine be a networked device rather than self-contained? That way lies madness.

  7. OMG, the 15 Tracking Points out there are vulnerable!! OMG!! Good thing not a single other hackable boat anchor will be sold.

  8. “The more they overthink the plumbing, the easier it is to stop up the drain.”
    -Chief engineer Montgomery Scott

    I’ll stick to my regular glass and iron sights, thank ye. 😉

  9. Gee, this only addresses the civie side; gotta wonder what some of the ‘less than friendly’ countries who have the sophistication to exploit the backdoors of the US of A’s technological military wonders and (have) hack(ed) the $hit outa them. Sometimes it’s the presence of evidence that concerns me – like this story; other times, more frequently, it’s the absence of discussion and what’s not said that really worries me. This is only the beginning.

    As the men said: “One thing is for sure… WW4 will be fought with sticks and stones”.

  10. “The researchers in this case found a way to use the WiFi hotspot (using the default password on the WiFi connection) to access the innards of the scope’s ballistic program.”

    So basically you only have to worry about this if you’re the kind of person stupid enough to keep a spare key to your house in a box next to your front door in plain sight labeled “Spare House Key”.

  11. And this is why I’ll stick with my Leupold Vari-X III 6.5-20x40AO and my notebook with the elevation settings for 200, 300, and 400 metres recorded.

    • What more is this:

      All the electronics in something like a TrackingPoint can be detected at distance and tracked. All the clocks, oscillators, etc – generate RF signals.

      Something to think about if you’re ever afield with a rifle and don’t want to be found…

  12. I think everyone is missing the fact that the wifi on these scopes only has a range of 30 feet.
    Inside the scope view displays how many devices are connected.
    If you see a new device link up, simply turn off the wifi and look for a d##k with a laptop within 30 of you.
    Plus only two people have hacked the scope and took them a year’s effort to do it.
    “Remotely” is a correct term, but they left off as long as it’s inside 30 feet.
    Nothing to fear here, no one can remotely hack this that’s outside of rock throwing distance..
    Besides, unless they make the hack program available, what are the odds someone carries a laptop to the woods or range looking for the off chance someone within 30 feet will be using a TP scope just to screw with them and not expect an ugly altercation?
    I’d be more afraid of them hacking my wifi on my phone way before my rifle..

    • I agree but would add an even greater degree of ridiculousness to the scenario. If while using a long range rifle in a combat situation the enemy have maneuvered within 30 feet you’ve already lost. Furthermore, at 30 feet, it would seem one could more permanently disable this weapons system by killing its operator than by hacking the scope. I’d say this development is nearly meaningless.

      • +1
        In combat, I wonder how many times in history a sniper’s hide is found and charged by guys with laptops.
        Wifi doesn’t even default to on.
        It has to be manually turned on and shows how many devices are linked. It can support up to 3.

        I’m very familiar with the Remington 20/20.
        You have to d/l a couple apps to stream the scope view to iPhone/pad etc.
        Another app lets you change settings.
        I bet they hacked the app, not the scope.
        They just used the scopes hacked app that links via wifi (like normal) to change the settings that aren’t user accessible.

        I wouldn’t say it’s meaningless..
        If you do happen to have a TP scope, now we know the settings app can be “jail broke”, hacked and via wifi and you can manually add more ammo choices, handloads, and unlock the target range limit (500yd) to match the rangefinder (750yd)
        Or even change the settings to a different caliber and actually be able to remove the scope and or put it on something else.
        Just beware..
        No one at TP is left to fix any screw ups if you turn that high dollar scope into a speak and say..

  13. Seems like a $#!% ton of wasted time. So if they take the WIFI out it makes this whole thing null and void.
    Problem solved, gimme $80 million and name me geek of the year.

    Let’s say the same thing about the new Chevy cars, they come with on board WiFi, so this means a hacker can cause the cars to shut down or even wreck! People will die! Better report it as breaking news and scare as many people as I can.

  14. While I’m certain Nick can’t have his level of proficiency (or respect) with firearms if he were stoned all the time while at the range, it does seem that there have been a ton of videos frozen with his eyes half closed, and pics depicting the same, posted here in the last couple years. Is Leghorn the victim of a conspiracy?

  15. Nothing wrong with electronics, when they’re necessary and provide a positive use. Adding wifi to a scope is not necessary and in this instance was a clear “con.”

    Also, any additional complexities typically result in reduced reliability.

  16. Sooooo, Nick, they haven’t made a car with magneto ignition since like the 1920’s. And the last carburetor style engines were back in the 1980’s, so maybe that’s possible, but even then they had electronic ignition. What exactly do you drive? Or maybe you’re talking about a chainsaw and Evil Dead scenario?
