Hacking a “smart” sniper rifle over Wi-Fi

    [Image: photo by Wired]

    Information security experts Runa Sandvik and Michael Auger will show at the Black Hat conference in August how to hack the TrackingPoint 750 smart sniper rifle. The attack they propose has two parts: gaining access to the rifle’s computer over Wi-Fi, and controlling the rifle’s API from a third-party device so that the shooter may well not notice the interference while every shot, for example, ends in a miss.

    Runa and Michael, who are married, had two TP 750 rifles at their disposal, each costing $13,000. What sets the weapon apart is its special computerized optical sight, which locks onto the target, tracks it, calculates corrections for wind and temperature on the fly, and performs other auxiliary functions. Shooting works like this: the rifle locks onto the target, the shooter pulls the trigger, and the shot itself is fired at the moment when the rifle's guidance system judges that the target is in the crosshairs and can be hit.

    This process is shown in the photo below: the shooter aims at the target (blue ellipse), presses a special button next to the trigger (the rifle starts tracking the target, marking it with a red circle), and finally, at the moment of the shot, the sight's reticle changes color from blue to red:

    [Image: photo by Ars Technica]

    One of the rifle's capabilities is streaming video from the sight to another device (computer, phone, tablet) over Wi-Fi in real time, to monitor the shooting. This “feature” is disabled by default; when it is turned on, however, the password of the network that the rifle broadcasts turned out to be the factory default, which allowed anyone to connect to the weapon. Exactly what password is set in the rifle, and whether the manual requires changing it before use, is not entirely clear. Since the researchers obtained the weapons legally, it can be assumed that they deliberately simulated the familiar situation in which owners do not change the default password on a home wireless router. This part of the “hack” is therefore trivial.

    The next part of the study was reverse engineering the circuit board installed in the rifle in order to reconstruct its API. The hacker couple accomplished this. As a result, what can be done to the rifle remotely is to change the calculated parameters of the shot without the shooter noticing, simply by connecting to the rifle from a laptop. Ultimately, the weapon can be made to miss constantly, regardless of the sniper's skill. It is also possible to simply perform various destructive actions on the rifle, such as turning off the sight, but then the outside interference is obvious.

    [Image: photo by Wired]

    The rifle's creators built in a safeguard from the start: a shot is physically possible only when the trigger is pulled. The researchers failed to circumvent this restriction and make the “smart” weapon fire on its own.

    The video below shows shooting from the “hacked” TrackingPoint: first, Runa easily hits the target from 46 meters, and then Michael (former Tor developer) cannot hit the target after the rifle has been interfered with.

