Security researchers Runa Sandvik and Michael Auger have found that a $13,000 TrackingPoint TP750 smart rifle can be remotely hacked by accessing its Wi-Fi enabled computer system to disable it or control the trajectory of its bullets and change its target.
“You can make it lie constantly to the user so they’ll always miss their shot. If the scope is bricked, you have a six- to seven-thousand-dollar computer you can’t use on top of a rifle that you still have to aim yourself,” Sandvik told Wired.
The hacker couple exploited various vulnerabilities in the rifle’s software to take control of its self-aiming functions. For instance, the rifle has a built-in default network password that can’t be changed and therefore it allows anyone within the Wi-Fi range to connect to it, treat the gun as a server and access APIs to alter key variables in its targeting application. “Leaving the Wi-Fi off is “a good stopgap measure” for keeping TrackingPoint smart rifles safe from hacking,” Sandvik said.
The couple explained their discovery to CNNMoney. “We were reading TrackingPoint’s marketing material [at the Nation’s Gun Show] that said you could connect it to your phone. That’s when I suggested we buy one and hack it,” they recalled. They purchased a lower-end Precision-Guided .308 model, opened the computerized scope, studied the hardware and discovered glaring security flaws.
Sandvik and Auger also found that through the Wi-Fi connection, hackers could add themselves as a root user on the device, taking full control of its software, making permanent changes to its targeting variables, or deleting files to render the scope inoperable. But the vulnerabilities can’t be exploited to make the gun fire unexpectedly as the Tracking Point rifles are designed not to fire unless the trigger is manually pulled.
“The worst-case scenario is that somebody exploits some of the vulnerabilities that we have found to make permanent changes on someone’s TrackingPoint rifle. So this means that you can be in the middle of nowhere, not even using the wireless network, but if I had made permanent changes to your rifle, it can behave in a completely different way than what you’re expecting, and you may not ever hit your target,” Sandvik told CNNMoney.
On one hand, this means a hacker could force a police sniper, aiming at a criminal, to shoot the hostage instead or simply lock the rifle’s controls, rendering it useless for the sniper. On the other hand, this means even a less-experienced military sniper would be able to hit a moving target from a long distance.
TrackingPoint founder John McHale said the company will work with Sandvik and Auger to develop a software update to patch the rifle’s hackable flaws as quickly as possible.
Sandvik and Auger will reveal more details about their research at the Black Hat Cyber Security Convention in Las Vegas.