When your life is on the line, the very last thing you want to worry about is the reliability of your equipment. Give me a good old-fashioned carbureted engine with a set of magnetos and I’m a happy lad — you can keep your fancy fuel injection to yourself. Beyond the possibility of a glitch in the code causing a problem or your electrical system going dead, another worry is that your fancy computerized gizmo can be altered without your knowledge to malfunction in subtle but deadly ways. A team of hackers at DefCon (one of the last few things on my bucket list to attend) demonstrated that they can do just that with TrackingPoint’s multi-thousand-dollar precision rifles, making them either hit the wrong target or lock the user out completely. All without ever touching the gun.
At the Black Hat hacker conference in two weeks, security researchers Runa Sandvik and Michael Auger plan to present the results of a year of work hacking a pair of $13,000 TrackingPoint self-aiming rifles. The married hacker couple have developed a set of techniques that could allow an attacker to compromise the rifle via its Wi-Fi connection and exploit vulnerabilities in its software. Their tricks can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing. In a demonstration for WIRED (shown in the video above), the researchers were able to dial in their changes to the scope’s targeting system so precisely that they could cause a bullet to hit a bullseye of the hacker’s choosing rather than the one chosen by the shooter.
Here’s what is going on.
There’s a Wi-Fi hotspot built into TrackingPoint rifles to allow the gun to stream the view from the scope to a nearby iPad. That’s what we are seeing in the video above — I put a video camera on the iPad in question while we were firing, and it showed what I saw in real time. That Wi-Fi can also be used to update the software on the gun to account for new ballistic models and ammunition loads that TP approves, allowing (as they boastfully claimed when we first met them) every rifle — even older ones — to benefit from the knowledge gained over time.
The researchers in this case found a way to use the Wi-Fi hotspot (using the default password on the Wi-Fi connection) to access the innards of the scope’s ballistic program. Rather than directly changing the actual point of aim on the scope, the researchers were able to alter the ballistic profile stored in the scope’s memory, which in turn caused the scope to re-calculate the firing solution.
In the video demonstration for WIRED at a West Virginia firing range, Auger first took a shot with the unaltered rifle and, using the TrackingPoint rifle’s aiming mechanism, hit a bullseye on his first attempt. Then, with a laptop connected to the rifle via Wi-Fi, Sandvik invisibly altered the variable in the rifle’s ballistic calculations that accounted for the ammunition’s weight, changing it from around .4 ounces to a ludicrous 72 pounds. “You can set it to whatever crazy value you want and it will happily accept it,” says Sandvik.
Here’s where the WIRED team went a little overboard with their announcement. It is completely true that the researchers can cause the gun to hit a different target than the one they are aiming at, but that’s only because they changed the ballistic data by hand to hit that specific target. The TrackingPoint scope will track moving targets and other objects, and the researchers were unable to force the scope to re-designate a new target for that tracking process. All they did was deflect the rifle’s point of aim to a new position slightly offset from the intended target.
Still very nifty, but slightly different from the advertised target swapping abilities.
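The failure Sandvik describes, a ballistic value that is accepted no matter how implausible, comes down to a profile update that is neither authenticated nor range-checked. As an added example (not code from TrackingPoint or the researchers), this Python check refuses an update unless it carries a valid authentication tag and every value is plausible; the field names, the bounds and the HMAC key scheme are assumptions.

```python
import hashlib
import hmac
import json
import math

# Hypothetical field names and plausibility bounds (assumptions, not TrackingPoint's).
BOUNDS = {
    "bullet_weight_gr": (15.0, 1000.0),     # grains; 0.4 oz is about 175 gr
    "muzzle_velocity_fps": (500.0, 5000.0),
    "ballistic_coefficient": (0.05, 1.5),
}

def canonical(profile):
    """Stable byte encoding so the tag covers exactly the values that get applied."""
    return json.dumps(profile, sort_keys=True, separators=(",", ":")).encode()

def sign(profile, key):
    """HMAC-SHA256 tag over the canonical profile (stand-in for the vendor's signing step)."""
    return hmac.new(key, canonical(profile), hashlib.sha256).digest()

def check_update(profile, tag, key):
    """Return a list of rejection reasons; an empty list means the update may be applied."""
    if not hmac.compare_digest(sign(profile, key), tag):
        return ["bad authentication tag"]          # unauthenticated writer: stop here
    problems = []
    for name in sorted(set(profile) - set(BOUNDS)):
        problems.append(f"unknown field {name}")
    for name, (low, high) in BOUNDS.items():
        value = profile.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            problems.append(f"{name}: missing or not a number")
        elif not math.isfinite(value) or not low <= value <= high:
            problems.append(f"{name}: {value} outside [{low}, {high}]")
    return problems

# Constructed sample data: a sane profile and the 72-pound value from the demonstration.
KEY = b"constructed-demo-key"
GOOD = {"bullet_weight_gr": 175.0, "muzzle_velocity_fps": 2600.0, "ballistic_coefficient": 0.5}
HEAVY = dict(GOOD, bullet_weight_gr=72 * 7000.0)   # 72 lb = 504,000 grains

if __name__ == "__main__":
    print(check_update(GOOD, sign(GOOD, KEY), KEY))      # accepted
    print(check_update(HEAVY, sign(HEAVY, KEY), KEY))    # correctly tagged but implausible
    print(check_update(HEAVY, sign(GOOD, KEY), KEY))     # altered after tagging
```

The range check still matters when the tag is valid: a correctly tagged profile with a 504,000-grain bullet is rejected on plausibility alone.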
The second thing they demonstrated was the ability to change the PIN code assigned to the scope. The TrackingPoint guys made a big deal about the ability to lock the gun with a PIN code to keep unauthorized users from firing it, and the researchers found a way to change that code in memory so that it no longer works. The big caveat here is that the gun must have a PIN code assigned to lock the gun; unlocked guns are not impacted.
The TrackingPoint guys were already in a financial world of hurt. The military and law enforcement entities that they thought would buy the system have shown almost exactly zero interest in the heavy, cumbersome scope and its quickly depleted batteries. After saturating the civilian market with their rifles, the company is basically out of buyers for their product and seems on the verge of going belly up. It looks like TrackingPoint is destined to be another flash in the pan in the gun world, and given their massive layoffs in the R&D department specifically, there’s little chance that they have anyone capable of plugging these security flaws. This might just be the final nail in the coffin for TP.