Friday, August 4, 2017

$1500 Smart Gun Hacked with $15 Worth of Hardware

This is my surprised face.

In the never-ending search to suck up money from gullible states, Armatix GmbH introduced the iP1 "Smart Pistol".  Am I being too harsh on them?  When there are states (the Peoples' Republic of New Jersey for one) which have laws saying that once "Smart Guns" are on the market, they will be mandatory in the state - that's potentially a lot of captive sales.  The iP1 is .22 semiautomatic pistol that will only fire if the owner's watch is present and within near field distances of the gun.  At least that's their selling story.   
Captive sales?  Considering you can buy a "dumb" 22 semiautomatic for under $300, and this one is $1500, if PRNJ mandated no .22 handguns can be sold in state except for their product, that's a huge windfall for the manufacturers.

The problem is that like a lot of smart appliances, TVs and IOT devices, it's not that smart.  In the run-up to this week's DefCon security conference, The Hacker News is reporting that a security researcher who goes by the alias "Plore" has found several ways to hack the gun and make it usable by people other than the watch wearer or prevent its use by the wearer.  None of the advantages of a smart gun the owner is paying $1500 for.  The simplest hack doesn't require much in the way of user intelligence, just a few rare earth magnets and knowledge of where to put them.
However, Plore found three ways to hack into the Armatix IP1 smart gun, and even demonstrated (the video is given below) that he could make the smart gun fire without the security smartwatch anywhere near it.

Plore placed $15 [worth of] magnets near the barrel of the gun, doing this made him bypass the security watch, thereby defeating the Armatix IP1’s electromagnetic locking system altogether. [text added - SiG]
There's more at the article, but they're discouraging embedding the video.

When the user tries to fire the gun, a transmitter inside it sends a signal to the watch and listens for a reply.  Plore was able to add an amplifier to the watch so the gun could be quite a bit farther from the watch (although I don't think you see him fire from more than 10 feet from the watch).  Perhaps more handy for the nefarious to know, he was able to set a jammer on the frequency they communicated over (916.5 MHz) and jam the gun so that it would not fire even with the watch present.  (This seems like a classic "near/far" problem - to keep anyone in a good-sized area from using their iP1 would require substantial transmitter power).  Again, perhaps the most interesting hack was that by holding some rare earth magnets in the right spot on the pistol's slide, he made the gun work with no watch present at all.

In the tradition of "white hat hackers", Plore notified Armatix of the vulnerabilities he found.  They didn't say they were going to do something right away but said something like, "lessons learned on the iP1 will flow into the next generations of the smart gun system".  Maybe not the best response in the history of the world, but better than having him arrested for finding the problem.

No comments:

Post a Comment