Wi-Fi-enabled sniper rifle hacked to change target

We know that our new robot overlords are coming, that drones can already be rigged with guns for remote shooting, and that artificial intelligence might well decide that the world would be better off if our species were to be exterminated.

The latest computer-assisted nightmare: sniper rifles equipped with computers and Wi-Fi can be tampered with so that they fire off-target or even at a target the hacker substitutes for the intended one.

The exploit comes from security researchers Runa Sandvik and Michael Auger, who spent a year hacking a pair of $13,000 TrackingPoint self-aiming rifles and who plan to present their findings next week at the Black Hat hacker conference.

In a demo for Wired, the researchers showed how they’ve been able to exploit vulnerabilities in the rifle’s software and compromise it over its Wi-Fi connection.

As the video shows, the $13,000 computer-assisted, self-aiming, long-range sniping rifle is designed to fire only when its barrel has perfectly lined up with a target, promising accuracy even to amateur shooters.

Sandvik and Auger reverse-engineered the scope, the firmware, and three of TrackingPoint’s mobile applications.

They found a way to connect directly to the computer inside the rifle to change values in such a way that the interference doesn’t show up in the firearm’s screen.

Then, they fed the rifle bad data, changing the weight of the bullet so that when the scope calculates when to fire, it misses its target. In fact, it hit a target to the left of the one it was aiming at, as the hackers had tricked it into doing, and practically with bulls-eye precision.

The scopes can be lied to: not only can they be told that they’re using different weight bullets than they really are, but they can be tricked into thinking they’re attached to a different type of gun altogether.

This is the worst-case scenario, as Sandvik described it to CNN:

The worst-case scenario is that somebody exploits some of the vulnerabilities that we have found to make permanent changes on someone's TrackingPoint rifle. So this means that you can be in the middle of nowhere, not even using the wireless network, but if I had made permanent changes to your rifle, it can behave in a completely different way than what you're expecting, and you may not ever hit your target.

As the researchers told Wired, they found that by changing variables in the scope’s calculations – which not only include bullet weight but also things such as wind and temperature readings – not only can they make the rifle inexplicably miss its target, they could also permanently disable the scope’s computer, or even prevent the gun from firing altogether.

CNN illustrated Sandvik’s description of worst-case scenario with a few potential situations: a hacker could force a police sniper to miss while shooting directly at a hostage-taking criminal, forcing the sniper to shoot the hostage instead.

Or, a hacker could simply lock the rifle’s controls, rendering it useless.

The exploits are enabled with a chain of vulnerabilities.

The first is a default Wi-Fi network password that can’t be changed and which allows anybody within range to connect to it.

You heard that one right: the same security vulnerability – unchanged or unchangeable default passwords – that’s made it easy to hijack baby monitors and hack modems and home routers also serves as one of the first stepping stones into tampering with a deadly firearm.

The second vulnerability is that the rifle is always listening for remote instructions, which enables administrative access that should only belong to the actual shooter holding the weapon.

As Wired explains it, after an intruder exploits those two vulnerabilities, they can treat the gun as a server and can access APIs to alter variables in the targeting application.

In the demo for Wired, Auger first took aim with an unaltered rifle and managed to hit a bullseye on his first try, with assistance from the TrackingPoint rifle’s aiming mechanism.

Then Sandvik accessed the rifle via Wi-Fi from her laptop and changed the bullet weight from around .4 ounces to a “ludicrous” 72 pounds – an off-the-scale ballistics weight that nonetheless didn’t cause the firearm to balk at all, she said:

You can set it to whatever crazy value you want and it will happily accept it.

One thing to be grateful for: while the researchers can tinker with the rifle’s aim, they can’t get it to fire unexpectedly. Fortunately, TrackingPoint rifles won’t fire unless the trigger is manually pulled.

After reaching out to the gun’s manufacturer, the researchers were recently contacted by TrackingPoint.

Sandvik said the company “seemed positive” and interested in fixing the issues the couple have identified.

Image taken from video.

Leave a Reply