Black Hat Researchers Hack Rifle for Fun

VIDEO: Husband and wife security researchers explain how they hacked a Linux-powered TrackingPoint rifle and why they did it.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

rifle hacking

LAS VEGAS--In world where everything is connected and everything can be hacked, it shouldn't be a surprise that a rifle can be hacked to have a shooter change targets. That's precisely what independent security researcher Runa Sandvik and her husband Michael Augur detailed at the Black Hat USA conference here.

The two researchers acquired a TrackingPoint rifle and were able to hack it in multiple ways, including misdirecting the targeting system, such that when fired the gun would hit a different target than what it was aiming at. Why did Augur and Sandvik hack the TrackingPoint rifle? It was all about curiosity.

"The reason we started doing this in the first place is Runa [Sandvik] is from Norway and has a very romanticized vision of the U.S., so loving all things America, we needed to go to a gun show," Augur said.

At to the gun show, Sandvik became interested in the TrackingPoint weapon after learning that it is a Linux-powered device that could be connected to a phone via a mobile app.

"So she asked me if we could buy the gun and hack it, and I said, 'Let's do it,'" Augur said.

The TrackingPoint rifle has a wireless network that a mobile phone can connect to, as well as a pair of mobile apps. One of the apps is called shot view that lets the app user see what the shooter sees through the scope. The other app is calling tracking point and allows the user to change environmental settings like wind and temperature to improve targeting.

The actual hack of the TrackingPoint rifle was a process that took a year of effort and required going through multiple levels of technology, including physically taking the weapon apart and reverse-engineering the software.

Augur explained that the way the attacks work is they require the WiFi on the weapon to be turned on and the attacker has to be within range of the WiFi. Sandvik noted that as far as she can tell, there is no way to remotely attack the device.

That said, she noted that the updating mechanism on the TrackingPoint rifle connected insecurely to the update server, exposing it to potential risk. There are also vulnerabilities in how the API on the rifle validates code, which is how the two researchers were able to manipulate it to cause the gun to miss its intended target.

While there are risks with the TrackingPoint rifle, Augur emphasized that the attack surface is relatively low and there is little chance that the vulnerabilities that he and his wife found would be used in the wild as part of some kind of nation-state assassination attack. Augur added that TrackingPoint is currently in the process of patching the weapon.

Watch the full video from the Black Hat USA press conference below:

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.