If it can be hacked, it can…


It seems that hacking into commercial technology is all the rage these days, and that now includes TrackingPoint’s digital scope, which pretty much shoots the rifle for the shooter. In a piece by Wired, a hacker couple recorded how they got into the scope’s Wi-Fi system and changed its inputs for variables such as bullet weight, velocity, and the zero, thus making the rifle almost useless when shooting. Although this isn’t as harmful as jacking a Jeep and causing an accident, if TrackingPoint has any future with a military contract, this would put quite a damper on it. However, the hackers seem to have gotten in touch with TrackingPoint about the vulnerability, and are working with the company to fix it.

At the Black Hat hacker conference in two weeks, security researchers Runa Sandvik and Michael Auger plan to present the results of a year of work hacking a pair of $13,000 TrackingPoint self-aiming rifles. The married hacker couple have developed a set of techniques that could allow an attacker to compromise the rifle via its Wi-Fi connection and exploit vulnerabilities in its software. Their tricks can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing. In a demonstration for WIRED (shown in the video above), the researchers were able to dial in their changes to the scope’s targeting system so precisely that they could cause a bullet to hit a bullseye of the hacker’s choosing rather than the one chosen by the shooter.

“You can make it lie constantly to the user so they’ll always miss their shot,” says Sandvik, a former developer for the anonymity software Tor. Or the attacker can just as easily lock out the user or erase the gun’s entire file system. “If the scope is bricked, you have a six to seven thousand dollar computer you can’t use on top of a rifle that you still have to aim yourself.”

….

But Sandvik and Auger found that they could use a chain of vulnerabilities in the rifle’s software to take control of those self-aiming functions. The first of these has to do with the Wi-Fi, which is off by default, but can be enabled so you can do things like stream a video of your shot to a laptop or iPad. When the Wi-Fi is on, the gun’s network has a default password that allows anyone within Wi-Fi range to connect to it. From there, a hacker can treat the gun as a server and access APIs to alter key variables in its targeting application. (The hacker pair were only able to find those changeable variables by dissecting one of the two rifles they worked with, using an eMMC reader to copy data from the computer’s flash storage with wires they clipped onto its circuit board pins.)

….

One thing their attack can’t do, the two researchers point out, is cause the gun to fire unexpectedly. Thankfully TrackingPoint rifles are designed not to fire unless the trigger is manually pulled.


In a phone call with WIRED, TrackingPoint founder John McHale said that he appreciates Sandvik and Auger’s research, and that the company will work with them to develop a software update to patch the rifle’s hackable flaws as quickly as possible. When it’s ready, that update will be mailed out to customers as a USB drive, he said. But he argued that the software vulnerabilities don’t fundamentally change the gun’s safety. “The shooter’s got to pull the rifle’s trigger, and the shooter is responsible for making sure it’s pointed in a safe direction. It’s my responsibility to make sure my scope is pointed where my gun is pointing,” McHale says. “The fundamentals of shooting don’t change even if the gun is hacked.”

 

They did a demonstration of everything they claimed.


I like this caption that they had for one of the pictures-

have figured out how to hack into a Tracking Point TP750 rifle to control the trajectory of the bullets fired

If these hackers figured out a way to actually control the trajectory of the rounds fired, the breakthrough in the study of physics would be quite a contribution to humanity! (I understand it is a typical press misunderstanding of firearms terminology, but I can’t help but laugh.)

One of the Hackers working away at the computer screen.




Miles V

Former Infantry Marine, and currently studying at Indiana University. I’ve written for Small Arms Review and Small Arms Defense Journal, and have had a teenie tiny photo that appeared in GQ. Specifically, I’m very interested in small arms history, development, and Military/LE usage within the Middle East, and Central Asia.

If you want to reach out, let me know about an error I’ve made, something I can add to the post, or just talk guns and how much Grunts love naps, hit me up at miles@tfb.tv



  • iksnilol

    That sounds cool. I can see that being used in a movie:
    -“oh noes, he’s gonna kill [insert popular politician]
    -“not on my watch” answers the scrappy hero/heroine as they whip out their phone and start hacking the rifle.

    Also, I thought black hat hackers were the “bad guys”? Why have a hacking convention about how to help people secure their stuff? Kinda going against everything you stand for there.

    • TheNotoriousIUD

      A lot of hackers are probably looking for a pay day by uncovering and then alerting companies to weaknesses in their systems.
      United Airlines recently gave a couple of hackers a million miles for exposing a flaw in their software.

      • iksnilol

        Yeah, that’s gray hat and white hat hackers.

        gray hat go where the money goes but are constrained by some self-imposed morals. White hat are “goody two shoes” while black hat do it for fun and personal gain. The black hats are the scary ones.

        • MR

          The IT business is a gutter where pimps and thieves run free and good men die like dogs. There’s also a negative side.

          • iksnilol

            Sounds like my kind of party… Seriously, since I intend to go the whole IT line.

          • MR

            In that case, I’d like to direct your attention to “The IT Crowd”. Not much firearm related, but still worth a gander.

          • TheNotoriousIUD

            “Silicon Valley” is hilarious.

          • Tassiebush

            “Have you tried turning it off and on again?”

        • BattleshipGrey

          Shouldn’t the money seekers be called “green hats”?

          • iksnilol

            Don’t ask me, alright? I just follow the rules.

      • Dan

        Nailed it.

    • Grindstone50k

      “Black hat” is just a name, but the convention draws all types of hackers, from those with malicious intent to those who are seeking vulnerabilities in order to close them to those who just like to open up things they’re told they shouldn’t. Even the NSA (or at least, they used to) recruit at the Black Hat convention. Think of it more like a trade convention than a “League of Hacker Doom”.

      • iksnilol

        That’s handy to know, I just expected the “League of Hacker Doom” due to the name.

  • TheNotoriousIUD

    Yeah, that could be a real problem for the two people who buy those scopes.

  • stephen

    I thought TrackingPoint was going out of business?

    • They are. I don’t really see how that’s relevant to finding vulnerabilities in their software.

      • MR

        ‘Cause it’s fun, and the general public may dimly remember hearing about Tracking Point, but they don’t know anything beyond that. Mainstream News stories make it sound like these things are on the shelves at Cabela’s.

      • Grindstone50k

        It might get sold off to some other company.

  • Jerry

    This is certainly over-hyped. The reality is that a real life application would not have the wifi connection enabled and functioning. Period. If the likelihood of someone using this in a wifi-saturated is increased, the amount of time to A) discover this in a wifi environment, and b) connect and assume command of the instructions, would be in the neighborhood of somewhere between “slim” and “none”. Good luck doing all this and interrupting the signal before the shooter can get some shots off. This is a hacker “team” trying to get a payday from a company, plain and simple. Let’s see how the media takes this and runs with it 🙁

    • I don’t know if it’s overhyped, but it is a good warning to TrackingPoint users to turn the WiFi off and only use it in a secure setting.

    • TheNotoriousIUD

      “When the Wi-Fi is on, the gun’s network has a default password that allows anyone within Wi-Fi range to connect to it.”
      Or just, you know, change the password.

      • Grindstone50k

        But I like having “password” as my password and “Admin” as my username.

        • TheNotoriousIUD

          That’s because you are not a Tier 1 Tactical SCUBA Sniper like me.

          • screwtape2713 .

            Oh, so you use “admin” as your password and “Password” as your username instead, do you? You know … keeping it high speed and low drag but still uber secure…

        • MR

          1234 for me.

  • JumpIf NotZero

    Oh wow. You’re telling me a firearm optic company has shotty software!? Amazing. Great… Now every time tracking point or really anything IoT or tech/firearm comes out, idiots will talk about how it’s probably “hackable” without having any understanding of what that means – only that tracking point was lazy and that must mean all developers are.

    Link to the Jeep article is overblown near-click baiting, and it was an almost immediate fix once Sprint and Chrysler were alerted of it – but all the same, I’m not sure why anyone would really think a car company would have great software either.

    If only everyone knew how their lives were put in jeopardy daily by one well misplaced bit… It would be hard to get people out of the house.

    • JK

      Shotty software- pun intended, am I right?

    • As a Firearm Tech company we already feel the pressure on this kind of stuff. Can’t Half-ass your code and expect it to stay secure. You would be shocked at how long it takes to run security testing on even just a mobile application.

      • JumpIf NotZero

        I write/apply/design applications that use crypto directly for physical layers. I wouldn’t be surprised of anything 🙂

        But it’s really not that bad. You just follow rules and plan for conditions that “can’t” happen. Everything is sanitized. Would prevent 99% of “hacks”. But lazy is lazy 🙂

  • SCW

    I was ridiculed recently on YouTube for saying that I would never drive a car that can turn the wheel on its own or is connected to a network by many pathways b/c it could be hacked. I was told to take off my tinfoil hat, and that it would never happen.

    The very next day the article on the Jeep and Chrysler vehicle hacks came out. The naysayers didn’t have much to say to me then.

    • Donny Mohler

      I brought up the potential issues to the Chrysler representatives before the new Cherokee came out when they had us test-driving the pre-production models. I was told it’s impossible and not to worry about it. I feel pretty vindicated 🙂

      If it has wireless/3G or any other outside connection, it can and will be hacked and exploited to its full potential. Computers, phones, cars, guns, no limits.

    • Hyok Kim

      Would you never use your phone to talk business because it could be hacked?

  • Bill

    This is all I know about cyber-security: if someone wrote the code, someone else can hack it. Like the Jeep/Chrysler thing, it’s good that people like these find the weakness, as opposed to the Chinese.

    • MR

      A Chrysler (or whatever they’re called these days) rep just told me the new truck’s computers can’t be modded for increased horsepower. A Duramax rep told me the same thing in January – of 2001. The aftermarket code probably hit the streets before the vehicles.

  • TheNotoriousIUD

    Better get rid of your phone, computer, car and TV.

    • iksnilol

      Phone and computer, sure, but car? Doubt so if you have an “old” car. That is, a car older than 10 years or something.

      • FarmerB

        I wouldn’t be so sure. When I first bought my BMW X3, it was disabled by software glitches a couple of times, which an update fixed. This was October 2004.

        • iksnilol

          I know we had a problem with a VW Caddy, some oil or crud got onto one of the sensors and it got disabled. It was scary considering it happened on the highway. It was a pretty new car though.

          Yeah, it ain’t easy nowadays. I like electronics but I don’t like them in cars. A computer crashing ain’t that bad. A computer running your car crashing? Very bad. I am not a mechanic, but I wonder, what would you need to do to “downgrade” a car? As in make it not dependent on the computers and whatnot.

          • Chrome Dragon

            Most cars with electronic ECUs will fail over into a low-powered, dirty, and potentially damaging limp-home mode, allowing you to pull over safely, at the very minimum.

            There’s no mechanical solution to electronic fuel injection control and variable valve timing, unless you want to build a Turing-complete mechanical computer, which is just a very steampunk looking and inefficient computer chip, in terms of hackability.

            Want to be rid of computers under the hood? Find a (reliable) classic car.

          • iksnilol

            That last part is kinda what we are doing. Early 2000’s VW are a favorite. Easier to fix. Newer cars you can’t fix without halfway hacking into them (or paying through the nose for a mechanic).

          • Abram

            Steyr Pinzgauer.

          • Goetz Liedtke

            If you can see the ground past the engine, it’s probably old enough to be unhackable. I crack systems for a living and I drive a mobile computer called a Prius. I can do some interesting things with a Bluetooth OBD-II dongle and my smartphone.

          • iksnilol

            Ooh, I can do that with our cars. Aw yiss.

      • Tassiebush

        The mechanical fuel injection diesel on my Landcruiser is pretty darn Hack proof 🙂

  • Grindstone50k

    2 things: The scope is actually tied into the trigger or firing pin on the gun? I thought you just slapped it on and input the data for the rifle? No go for TP on that.

    Second, I thought TP was toast? Didn’t they go bankrupt a month ago?

    • MR

      The Burris Eliminator works similar to how you described. Mount on rifle input relevant data for the load you’ll be shooting, it takes care of ranging the target and figuring bullet drop. You have to compensate for wind, but you have to read the wind and input a value for the Tracking Point anyway.

  • Kurt Eskildsen

    If you want to shoot long range learn how to shoot long range the traditional way.

    • Abram

      With a musket, not some new fangled metallic cartridge repeater variety of industrial revolution sorcery.

      • Kurt Eskildsen

        Nawww.. I’ll take the “new fangled metallic cartridge repeater variety of industrial revolution sorcery.”

        • ScarTizzu

          N probably miss

        • Tassiebush

          Rifling is the devils work!

  • This is silly. The article describes a piece of tech that’s got a (recreational, toy, also optional) Wi-Fi feature in it, and this feature is basically a factory-settings wi-fi router with a default login/password for connecting.

    This is not some mega-uber-vulnerability, it’s a senile grandma error. More than that, after getting through that gaping hole, you’re faced with absolutely proprietary and unlabeled variables (basically you don’t know what you’re changing, if anything). They had to break several sights apart to map these. BTW, your router is also very much hackable in the same way (and behind it is the impeccably mapped and documented operating system that has had (and still has) thousands of potential vulnerabilities)… but you’ve at least set unique passwords for your Wi-Fi point / router admin, right? Right?

  • Jamie Clemons

    make it a stand alone system that is not connected to anything else.

    • MR

      Then how are you going to get footage on youtube?

  • Sledgecrowbar

    How did they even get in touch with TrackingPoint? Didn’t they go belly-up months ago? Also, turning off wifi would solve all of this. The scope doesn’t need wifi to operate, just to upload video or download firmware, which wouldn’t happen in anything even remotely resembling a tactical situation, ever. I doubt the US military uses the same wifi security standards as Starbucks anyway.

    • Hyok Kim

      ” The scope doesn’t need wifi to operate, just to upload video or download firmware,….”

      Firmware can be downloaded? I thought firmwares are hardwired physically into devices.

      “… which wouldn’t happen in anything even remotely resembling a tactical situation, ever.”

      Don’t you think a sniper team could share video or 3D map datas for target tracking in the future? Just like fighters use network for separate target tracking, and launching the missiles.

  • The Brigadier

    Why in God’s name does a rifle scope need a wifi connection? We have become an insane nation with this technology. If the rifle needs an occasional upgrade then take it to an authorized dealer and hook it up and upload the information. : o

  • wclardy

    They just keep it Holey…

  • wclardy

    So the whiz-bang, can’t-miss scope turns out to be just as vulnerable to hacking as the multi-million dollar made-in-the-USA military UAV that the Iranians hacked into and hijacked…

  • Bal256

    I’m not really that impressed. If you hack it through wifi that means you have to be within wifi range. I can’t even get decent wifi in the kitchen. Might as well start stabbing the “sniper team” at that distance.

  • Tassiebush

    I can’t understand how people who are clearly smarter than average build such foreseeable flaws into things like this.

  • Core

    Anything can be hacked. The simple solution is disabling wifi, or using a physical cable connect. Just like the old days, keep it compartmentalized. Constant on wifi uses too much energy anyway, who would want it? Bluetooth security is a joke…