NEW YORK — It was only a matter of time before someone would figure out how to hack TrackingPoint’s Wi-Fi-connected smart rifle.
TrackingPoint makes an expensive smart rifle that easily lets novices hit targets a half mile away. It lets you digitally “tag” a target, then locks the trigger until the gun is perfectly positioned to nail it. And it connects to smartphones or tablets so a buddy can view what the shooter sees in the scope.
Now, two security researchers have discovered software flaws in the computerized rifle. Anyone near enough for a Wi-Fi connection to a rifle can remotely tinker with controls.
In the worst case, a hacker could force a police sniper to miss while shooting directly at a hostage-taking criminal — and hit the hostage instead. Or a hacker could simply lock the rifle’s controls, rendering it useless.
There’s a major point worth noting, though: A hacker can’t make the rifle shoot on its own. The barrel can’t be forced to move in a different direction. But the bullet can.
Husband-and-wife computer security researcher team Michael Auger and Runa Sandvik explained their discovery to CNNMoney.
It started last summer, when they stopped by TrackingPoint’s booth at the Nation’s Gun Show just west of Washington, D.C.
“We were reading their marketing material that said you could connect it to your phone,” she recalled. A gun with a wireless connection? Alarms bells went off inside her head. “That’s when I suggested we buy one and hack it.”
They purchased a lower-end Precision-Guided .308 model, which retails for $12,995.
Auger opened the computerized scope and studied the hardware. They soon discovered glaring problems.
One: every rifle has a built-in, default network password that can’t be changed. That’s bad enough for home Wi-Fi. This is worse.
Two: the rifle is always listening for remote instructions — allowing administrative access that should only belong to the actual shooter holding the weapon.
Auger and Sandvik recently experimented with this at a gun range in West Virginia. First came the test shot. Auger fired the rifle once and hit a bullseye at 50 yards. Then, from her computer nearby, Sandvik tapped into the rifle and tricked it into thinking the 175-grain bullet was 2,857 times heavier.
Auger took the same shot. This time, the bullet landed dead center — on a target 30 inches to the left.
They didn’t just trick the rifle to miss. They tricked it to miss — just right. They can pull off the same thing by quietly adjusting the rifle’s wind and temperature readings.
“Unless you’re really familiar with the rifle and know what you’re doing, you probably won’t notice those variables are changing,” Sandvik said. “You’ll be too focused lining up your shot.”
What makes this hack so surprising is that it’s relatively easy to pull off.
Want to sabotage someone’s shot by readjusting temperature and wind settings? You just need to download the widely available TrackingPoint mobile app, stand near a smart-rifle-toting shooter and know the default password — which Sandvik claims has already been published online.
Want to do even more damage? You’ll have to reverse-engineer the hardware. But as soon as you do, you can lock the trigger, adjust the bullet weight or shut the whole thing down. And someone is bound to publish this online. That’s how hardware hacking works.
Auger and Sandvik will reveal more details about their research at the Black Hat cybersecurity convention next week in Las Vegas.
At that point, anyone will be able to independently discover the rifle’s weaknesses and exploit it themselves. That is, unless TrackingPoint intends to fix the flaw.
Sandvik said she spoke to the company on Sunday, and “they seemed… interested in fixing the issues we identified.”
However, TrackingPoint did not acknowledge these problems to CNNMoney — or answer any of our questions about possible fixes.