Discovery of a vulnerability that Linux-equipped rifle is hijacked by Wi-Fi hacking

Built-in computer with Linux in the scope targeting target boasts a tremendous accuracy of hitTrackingPoint's "Smart Rifle"We were vulnerable that the system was compromised. If this vulnerability is exploited, the target that was set up will be replaced with another one before it knows, there is a danger of shooting out different target from the original.

Hacking a computer-aided sniper rifle
http://www.usatoday.com/story/tech/2015/08/06/computer-controlled-rifle-black-hat-trackingpoint/31239637/

Black Hat USA 2015 | Briefings
https://www.blackhat.com/us-15/briefings.html#when-iot-attacks-hacking-a-linux-powered-rifle

The TrackingPoint rifle analyzes the video with the camera built in the scope and uses the Wi-Fi connected smartphone / tablet application to consider the best timing of fire by also considering wind speed, temperature, and even the influence of the rotation of the earth System. On the barrel of the rifle, there is a bigger equipment than the "scope" that you generally imagine.


Put the target in the center of the red cursor, except the scope, and press the "tag button" next to the trigger of the rifle to complete the target lock on. After that, if you put your finger on the trigger and put the power in, the computer unlocks the trigger at the proper timing and the bullet is fired.


This system is "Precision Guided Firearm(PGF) ", and the timing when Linux sighting device has found outTrigger LinkIt is a mechanism to tell the trigger of the rifle body with a cable called.


A movie that I tried to shoot through a really different target using the located vulnerability is here. The two side by side screens are the images of the normal and the hacked rifle on the left, respectively, and the scenes where the bullet hits the target different from the first are contained.

TrackingPoint: a comparison between normal operation and a hacked rifle. - YouTube


This problem was discovered by computer security expert Runa Sandvik and Mr. Michael Auger couple. It seems that we began to investigate the vulnerability of Linux mounted rifle at the opportunity to visit a firearm show in response to Norwegian Runa's request "I want to see things like America" . Paying attention to "you can connect with smartphone via Wi-Fi", he said that he started tracking analysis after acquiring TrackingPoint's rifle "TP 750" of a price of $ 16,000 (about 1.9 million yen) one year later. Its contents arePresented at "BlackHat" of hacker eventThe above movies and the following presentation materials are published.

(PDF file)PowerPoint Presentation - us - 15 - Sandvik - When - IoT - Attacks - Hacking - A - Linux - Powered - Rifle.pdf


Analyze by disassembling the main body and examining internal components.


The location of the file system containing the program is also known.


By analyzing this, it was found that API for system management can be accessed without requiring authentication. Furthermore, access to the functions of the core system can also be reached without authentication, and an incompleteness is found in the GPG encrypting the communication between the equipment and the software, and there was a possibility that the system was updated and hijacked by a malicious third party It is clarifying that.


The couple informed of the vulnerability found in TrackingPoint Inc. which developed this system already, and it is shown that the company also responds by taking measures. When you visit the manufacturer site, the message is displayed on the most noticeable part of the page ... ...

Official Site - XactSystem ™ Precision Guided Firearms | TrackingPoint


In the red line part, an interesting message was written that "Please use Wi-Fi function only when it is clear that hacker does not exist within the range of 100 ft (around 30 meters) around" It was.


In addition, TrackingPoint states that "Wi-Fi function is turned on" and "Trigger actually being drawn" as a condition under which this system is abused. In other words, even if the system is hacked, it is impossible to say that the rifle will fire itself.