Researchers hack Linux-powered sniper rifle

When talking about the Internet of Things – “things” with an embedded computing system able to interoperate within the Internet infrastructure – we usually think about fridges, thermostats, smart cars, garage doors, cameras, and various implants.

But did you know that there is a rifle with an ARM-powered scope running a modified version of Linux, which can help shooters make more accurate shots, but also record video and audio, and stream it to other devices using its own wireless network and mobile applications?

I didn’t, until I attended a keynote by security and privacy researcher Runa Sandvik at this year’s Hack in the Box conference in Amsterdam. Her talk was about IoT, secure development, and on how to raise users’ expectations about security and privacy.

Among the things she mentioned was the Linux-powered rifle made by Texas-based company TrackingPoint, and then noted that, when it comes to creating Internet-connected “things”, manufacturers should thinks twice about it.

“Just because you can, doesn’t mean that you should,” she pointed out.

Unfortunately, we can do little to stop manufacturers from doing what they planned to do. Fortunately, we have security researchers who will test those products for exploitable vulnerabilities and inform the manufacturer and the world about it.

Sandvik and her fellow researcher (and, as it happens, husband) Michael Auger are set to present their research into TrackingPoint’s precision-guided sniper rifle at Black Hat next week, and will demonstrate both how the firearm works, how they reverse-engineered the scope, the firmware, and three of TrackingPoint’s mobile applications.

They will also present the vulnerabilities they found, which allowed them to fiddle with the scope by changing variables used to calculate the position of the target and the force and direction needed to hit it, but also to permanently disable the scope.

These vulnerabilities can be exploited by attackers to make users hit targets they didn’t intend to.

The two researchers discovered the default password that allowed them (when in range) to connect to the rifle’s Wi-Fi, and from there access APIs that allowed them to change variables in the targeting application. They also managed to gain root access to the device, even if the user has set a PIN to prevent other users from accessing the gun’s internals. This enabled them to perform other changes in the software.

The one thing that they didn’t manage to do is to make the gun fire against the user’s will, because the trigger has to be physically pulled to make the rifle shoot.

Sandvik and Auger demonstrated their research to Wired’s Andy Greenberg, and shared their poor experience when it comes to contacting the company and letting them know about the vulnerabilities: after repeated attempts to contact them, they did not hear back from TrackingPoint.

The company has been having some financial problems, and they are currently not accepting more orders for the rifles. Greenberg has had more luck with contacting the company’s founder, who said that they will collaborate with the researchers to fix the problems and that they will deliver a software update to the customers by sending them a USB drive via snail mail. The founder also downplayed the severity of the vulnerabilities.

But however unprofessional the company may seem, Sandvik and Auger are conscious of the fact that the exploit code they devised should not be released publicly before the flaws are fixed, so they will refrain from doing it for now.

Don't miss