Runa Sandvik and Michael Auger demonstrated for Wired how easy it is to hack a certain type of “smart” sniper rifle, the TrackingPoint. The husband-and-wife duo will present their findings at the Black Hat hacker conference in two weeks.
Their findings come from a year of work on the TrackingPoint self-aiming rifle, which retails for around $13,000. The luxury guns, Consumerist explains, can turn even the most inexperienced shooter into a master marksman thanks to their scope, which runs a Linux computer. Once the target location is established, the computer factors in wind, ammunition type and temperature and finds the perfect moment to shoot.
The gun is pretty safe — that is, unless the shooter has turned on the built-in Wi-Fi, supposedly included to livestream recordings onto a laptop or iPad.
As Sandvik and Auger proved to Wired, there are a number of ways a hacker could mess with the TrackingPoint. The attacks involve altering the variables of the gun’s computer and can change the targeting location, prevent the gun from firing altogether and even completely disable the computer.
The attack starts with the gun’s Wi-Fi, which uses a default password. From there, hackers can use the gun as a server and tinker with APIs that help the targeting system calculate. Hackers can also delete files in the operating system, which makes the computer unusable. TrackingPoint Wi-Fi is disabled by default, and the team only found the vulnerabilities by completely dissecting the rifle and using a special reader.
The good news is that the gun cannot fire remotely. TrackingPoint rifles are designed to only shoot when someone manually pulls the trigger. Since the gun came out in 2011, the company has sold about 1,000 units.
Wired informed TrackingPoint of the security flaw, and the company says it is working on a patch that will eventually be available on a USB drive.
Hacking smart devices has become a hot-button issue recently — last week Wired showed how easy it is for hackers to take control of a Jeep Cherokee, which led to Fiat Chrysler recalling 1.4 million vehicles to fix the glaring security flaw.