Researchers Manipulate Rifle’s Precision Targeting System

At Black Hat next week, researchers Runa Sandvik and Michael Auger are expected to demonstrate how they were able to manipulate a Linux-powered, networked high-end rifle.

TrackingPoint rifles are state-of-the-art precision hunting and sniper rifles that come equipped with a networked tracking scope that’s accessible via Wi-Fi, and comes complete with USB ports and a mobile app. It’s almost foolproof shooting, albeit at a $13,000 price tag.

And the security of all of it can be undone because of a guessable, default password.

Next week at the Black Hat conference in Las Vegas, researchers Runa Sandvik and her husband Michael Auger will unveil a year’s worth of work examining whether the Linux-powered firearm is hackable and how an attacker within Wi-Fi range can manipulate critical settings on the rifle, causing it to hit different targets, or disable it entirely.

Sandvik said she and her husband visited The Nation’s Gun Show in Chantilly, Va., more than a year ago and saw marketing material for the rifle at TrackingPoint’s booth. The networked rifle immediately sparked interest for the researchers.

“It was a new application of technology and I suggested we buy one for the purpose of hacking it and figuring out what to do with it,” Sandvik said.

The rifles feature a shot sequence TrackingPoint calls tag-track-xact. The shooter uses the scope to find and tag a target by holding down a red button above the trigger guard. The trigger can then be pulled at any time, but only when the shooter aligns the scope with the tagged target will the rifle fire.

The computer embedded in the scope also enables Wi-Fi access, which is off by default and protected with a “guessable” password, Sandvik said. The wireless network is used to connect to the public Internet to pull down software updates. It’s also used to send video of a shot from the scope to one of two TrackingPoint mobile apps, called ShotView. A person can remotely watch the shooter fire the rifle via the app. The other app, called TrackingPoint, interacts with the scope and allows a spotter, for example, to enter wind and temperature conditions and other variables that are used by the computer to calculate the accuracy of the shot.

A hacker within Wi-Fi range of the rifle (Auger estimates 50 yards) can access the local network and manipulate those settings or even access an admin mode, Sandvik said. Digging deeper, if a hacker is able to access the file system, she would be able to create software updates that permanently alter the rifle’s capabilities, and even gain full root access to the Linux system.

“There are API calls, and if you know about them, you can use them and communicate with backend directly,” Sandvik said. “The mobile app makes sure you don’t set crazy values (such as setting the outdoor temperature to 500 degrees), but there are no such checks on the backend. You can change the weight of a bullet, lock the trigger, or turn the scope off completely.”

The shooter gets no indication of this type of manipulation to the settings; only when their supposedly accurate shot strays off course are they alerted that something might be amiss. Sandvik provided one example where she changed the weight of the ammunition on the backend from a few ounces to a few pounds, causing the shot to veer wildly.
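The quote above describes range checks that exist only in the mobile app, and the paragraph above notes that the shooter sees no sign of a change. As an added example (not TrackingPoint's code; the setting names, the limits and the `SettingsStore` class are hypothetical), this Python code enforces the checks on the backend for every caller and records each accepted change so it can be shown on the device:

```python
# Added example: hypothetical field names and limits, not TrackingPoint's API.
from dataclasses import dataclass, field

# Constructed plausibility limits (assumptions); a real product would take
# these from its own ballistics engineering data.
LIMITS = {
    "temperature_f": (-40.0, 130.0),
    "wind_mph": (0.0, 60.0),
    "bullet_weight_oz": (0.1, 4.0),
}


class RejectedSetting(ValueError):
    """Raised when a request fails backend validation."""


@dataclass
class SettingsStore:
    values: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # change log surfaced to the shooter

    def apply(self, source: str, updates: dict) -> None:
        """Validate every field on the backend, then commit all-or-nothing."""
        checked = {}
        for name, raw in updates.items():
            if name not in LIMITS:
                raise RejectedSetting(f"unknown setting: {name}")
            if isinstance(raw, bool) or not isinstance(raw, (int, float)):
                raise RejectedSetting(f"{name}: not a number")
            low, high = LIMITS[name]
            value = float(raw)
            # NaN fails both comparisons, so test "inside" rather than "outside".
            if not (low <= value <= high):
                raise RejectedSetting(f"{name}={raw} outside {low}..{high}")
            checked[name] = value
        # Nothing is written until the whole request has passed validation.
        for name, value in checked.items():
            old = self.values.get(name)
            if old != value:
                self.audit.append((source, name, old, value))
            self.values[name] = value
```

Because the check lives in `apply`, a request that bypasses the app is held to the same limits as one sent through it, and a rejected request leaves both the stored values and the change log untouched.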

Sandvik said she and Auger repeatedly tried to contact TrackingPoint during a six-month period to disclose the issues they discovered with the default password along with some other software issues. TrackingPoint did not respond until they were contacted by a reporter at Wired magazine seeking comment on Sandvik’s and Auger’s research. TrackingPoint told Wired that it will address the issues and mail a USB drive containing a patch to its customers, which number around 1,000.

“There are some other software issues, but the biggest ones are around restricting access to it,” Sandvik said. “The admin API, if you know what the calls are, you can use them. It would seem unnecessary to leave those in when you ship the product to consumers.”

The biggest mitigation, however, is that there is no way to pull the trigger remotely, Sandvik said. The need to be within Wi-Fi range also restricts the risk in some measure.

“The attack surface is pretty small. There are not a lot of TrackingPoint firearms out there, and you have to be within Wi-Fi range at least once to make permanent changes to system,” Sandvik said. “If you can make permanent changes to the rifle in range of the Wi-Fi, the firearm can do its calculations wrong and never hit a target. And there’s no indication changes have been made.”