See how a self-aiming sniper rifle can be remotely hacked

I must admit I raised an eyebrow.

I’m not clear why any regular member of the public would really need a sniper rifle, let alone one which has a computer running Linux embedded inside it.

But, it turns out, there is a market for so-called “smart” self-aiming sniper rifles – in America at least.

And with help from the kind of modern technology built into the $13,000 Tracking Point TP750 rifle, even a lousy shot might find themselves shooting dead on target, as the computer-assisted weapon decides upon the very best time to shoot is to hit your intended target.

Husband-and-wife security research team Michael Auger and Runa Sandvik realised that if you add a WiFi connection to a rifle, you also potentially introduce vulnerabilities that hackers could exploit. The couple purchased two of the Linux-powered rifles, disembowelling one to access and reverse engineer its circuit board.

And, predictably, serious security holes have been found – making it possible to completely disable the rifle remotely, or deliberately miss its intended target.

In an interview with Wired, Auger and Sandvik described their findings:

The only alert a shooter might have to that hack would be a sudden jump in the scope’s view as it shifts position. But that change in view is almost indistinguishable from jostling the rifle. “Depending on how good a shooter you are, you might chalk that up to ‘I bumped it,’” says Sandvik.

Sandvik and Auger found that through the Wi-Fi connection, an attacker could also add themselves as a “root” user on the device, taking full control of its software, making permanent changes to its targeting variables, or deleting files to render the scope inoperable. If a user has set a PIN to limit other users’ access to the gun, that root attack can nonetheless gain full access and lock out the gun’s owner with a new PIN. The attacker can even disable the firing pin, a computer controlled solenoid, to prevent the gun from firing.

Now, before you start having visions of SkyNet from the Terminator movies, let me reassure you with one thing. Although the researchers found a way of disabling the rifles, rendering them useless, they did not find a way to force the rifles to fire unexpectedly – as someone is still required to press the trigger.

Thankfully, the actual firing of the rifle is still a process that depends on hardware rather than software.

TrackingPoint founder John McHale says that owners of the self-aiming rifle will be sent an update on USB as soon as a fix is developed, and was keen to stress to Wired that – in his view – the gun’s safety is not in question:

“The shooter’s got to pull the rifle’s trigger, and the shooter is responsible for making sure it’s pointed in a safe direction. It’s my responsibility to make sure my scope is pointed where my gun is pointing. The fundamentals of shooting don’t change even if the gun is hacked.”

Whether TrackingPoint does manage to fix the security issue, and update its customers, is open to some question, as it has recently laid off most of its staff and stopped taking new orders for rifles. That’s a concern for Sandvik and Auger as well, who say they will not be releasing the full exploit code in fear that malicious parties could exploit it.

It may be that there aren’t enough owners of TrackingPoint’s “smart” self-aiming rifles to make this a vulnerability that is worth worrying about too much, but it does underline continuing and rising concerns about the risks posed by the internet of things.

Manufacturers. If you currently sell a product which isn’t “smart”, maybe it would be better if you didn’t try to make it “smart”. Sometimes the dumb old way things worked were much much safer.

Leave a Reply