
Posted 09-Oct-2020


When IoT Attacks:Hacking A Linux-Powered Rifle

Black Hat and DEF CON 2015 // Michael Auger and Runa Sandvik

TrackingPoint TP750

• Remington 700 .308 bolt-action rifle

• Hardware platform is called “cascade”

• Runs a modified Ångström Linux

• 255 MB RAM, 600 MHz ARM v7 CPU

• 16 MB flash storage for kernels

• 4 GB flash storage for filesystem

Tag Track Xact (TTX)

From http://arstechnica.com/gadgets/2013/03/bullseye-from-1000-yards-shooting-the-17000-linux-powered-rifle/

Things to keep in mind

• Our attacks require the wifi to be on

• We cannot fire the rifle remotely

• The TP750 is a firearm even without the scope

Round I

The scope

Portscan

Mobile apps

ShotView app

TrackingPoint app

Recon

• WPA2 used on the wifi

• Uses HTTP between apps and scope

• Uses HTTP to pull updates from TP’s website

• Updates are GPG encrypted and signed

• Updates can be decrypted with a passphrase

Public API

Try ALL the things

Round I findings, part I

• SSID contains serial number, can’t be changed

• Guessable WPA2 key, can’t be changed

• Any RTSP client can stream the scope view

Round I findings, part II

• API is unauthenticated, but validates input

• 4-digit PIN locks Advanced Mode, brute-forceable

• /set_factory_defaults/ resets the lock

• Updates are GPG encrypted and signed
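The two findings above that matter for the PIN (a 4-digit PIN has only 10,000 values, and an unauthenticated /set_factory_defaults/ call clears the lock) are both failures of the logic around the PIN rather than of the PIN itself. The following Go program is an added example, not code from the talk or from TrackingPoint: it models an Advanced Mode lock that counts failures, backs off exponentially, and only honours a factory reset when physical presence is asserted, without clearing the lockout state. The type names, the factory PIN and the 3-failure threshold are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Constructed default PIN for this example; not TrackingPoint's value.
const factoryPIN = "0000"

var (
	ErrBadPIN           = errors.New("incorrect PIN")
	ErrLockedOut        = errors.New("advanced mode locked; try again later")
	ErrPhysicalPresence = errors.New("factory reset requires physical presence")
)

// AdvancedModeLock is a constructed model of a PIN-protected mode. The PIN is
// stored salted and hashed, and every failure feeds a backoff timer.
type AdvancedModeLock struct {
	salt        [16]byte
	pinHash     [32]byte
	failures    int
	lockedUntil time.Time
}

func hashPIN(salt [16]byte, pin string) [32]byte {
	return sha256.Sum256(append(salt[:], pin...))
}

// NewLock creates a lock protected by the given PIN with a random salt.
func NewLock(pin string) (*AdvancedModeLock, error) {
	l := &AdvancedModeLock{}
	if _, err := rand.Read(l.salt[:]); err != nil {
		return nil, err
	}
	l.pinHash = hashPIN(l.salt, pin)
	return l, nil
}

// backoff is 0 for the first two failures, then 30s doubling every three
// further failures, capped so a 10,000-value keyspace takes years to sweep.
func backoff(failures int) time.Duration {
	if failures < 3 {
		return 0
	}
	steps := failures/3 - 1
	if steps > 8 {
		steps = 8 // 30s * 2^8 is a little over two hours
	}
	return 30 * time.Second << uint(steps)
}

// Unlock checks one PIN attempt. The clock is injected so the behaviour is
// testable; a production version would use time.Now().
func (l *AdvancedModeLock) Unlock(pin string, now time.Time) error {
	if now.Before(l.lockedUntil) {
		return ErrLockedOut // refuse even a correct PIN while locked
	}
	got := hashPIN(l.salt, pin)
	if subtle.ConstantTimeCompare(got[:], l.pinHash[:]) == 1 {
		l.failures = 0
		return nil
	}
	l.failures++
	l.lockedUntil = now.Add(backoff(l.failures))
	return ErrBadPIN
}

// FactoryDefaults restores the factory PIN. It is only honoured when the
// caller proves physical presence (e.g. a button on the device), never from
// a network API, and it deliberately leaves the lockout state untouched.
func (l *AdvancedModeLock) FactoryDefaults(physicalPresence bool) error {
	if !physicalPresence {
		return ErrPhysicalPresence
	}
	l.pinHash = hashPIN(l.salt, factoryPIN)
	return nil
}

func main() {
	l, err := NewLock("1234")
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Three wrong guesses start the backoff; the fourth, correct, guess is refused.
	for _, guess := range []string{"0000", "0001", "0002", "1234"} {
		fmt.Printf("guess %s: %v\n", guess, l.Unlock(guess, now))
	}
}
```

The point of injecting the clock is that the lockout logic can be exercised in a unit test without sleeping; the point of the physical-presence flag is that a reset path reachable over WiFi must not be able to undo the lock it exists to protect.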

Round II

From TrackingPoint’s website


Tearing it open

From TrackingPoint’s YouTube

Close up

UART

Woot!

Well played TrackingPoint…

…well played

Round II findings

• Console access is password protected

• Kernels and filesystem are on separate chips

Round III

Let’s get destructive!

The real filesystem

eMMC

Admin API

System backend

• Requires unpublished API call to open port

• Connect to a socket

• The API validates input, backend does not

• Can make temporary changes to the system

• Can change wind, temperature, ballistics values, control the solenoid, etc.

Demo: normal operation

https://youtu.be/oLT1L5xBfAM

Demo: you missed!

https://youtu.be/66k9GtO1BGE

Demo: you missed!

https://youtu.be/eq2lhEAALNI

Software updates

• TrackingPoint operates with two GPG keys, one of which is on the scope

• Update script accepts packages signed by either of the two keys

• Can make persistent changes to the system

• Can get root access

Demo: got root?

https://youtu.be/MhCRrGXwNLo

Round III findings

• Admin API is also unauthenticated

• System backend is unauthenticated

• System backend does not validate input

• GPG key on scope can encrypt and sign updates
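The software-update findings (an update script that accepts packages signed by either of two keys, one of which ships on the scope) come down to the verification policy. The Go program below is an added example, not the talk's or TrackingPoint's code: it uses the standard library's Ed25519 as a stand-in for the GPG signatures, constructs a "release" key that stays offline and a "device" key that lives on the scope, and contrasts the accept-either policy with one that trusts only the release key. All key names, payloads and the Update type are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for an update package: the payload plus a
// detached signature over its SHA-256 digest.
type Update struct {
	Payload []byte
	Sig     []byte
}

func sign(priv ed25519.PrivateKey, payload []byte) Update {
	digest := sha256.Sum256(payload)
	return Update{Payload: payload, Sig: ed25519.Sign(priv, digest[:])}
}

// verifyAnyOf mirrors the weak policy: the package is accepted if it validates
// under any listed key, including the one that ships on the device.
func verifyAnyOf(keys []ed25519.PublicKey, u Update) error {
	digest := sha256.Sum256(u.Payload)
	for _, k := range keys {
		if ed25519.Verify(k, digest[:], u.Sig) {
			return nil
		}
	}
	return errors.New("no accepted key signed this update")
}

// verifyRelease is the hardened policy: only the vendor's offline release key
// may sign updates, so the device holds a public key and nothing that signs.
func verifyRelease(release ed25519.PublicKey, u Update) error {
	digest := sha256.Sum256(u.Payload)
	if !ed25519.Verify(release, digest[:], u.Sig) {
		return errors.New("update not signed by the release key")
	}
	return nil
}

// Scenario generates the two keypairs (constructed; the release private key
// would never exist on the device) and reports how each policy treats a
// genuine update, one signed with the on-device key, and a tampered one.
func Scenario() (map[string]bool, error) {
	releasePub, releasePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	devicePub, devicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}

	genuine := sign(releasePriv, []byte("constructed firmware payload v2"))
	// Signed with the key that lives on the scope: the case the talk found.
	deviceSigned := sign(devicePriv, []byte("constructed payload, device key"))
	// Genuine signature but modified payload after signing.
	tampered := Update{Payload: append([]byte(nil), genuine.Payload...), Sig: genuine.Sig}
	tampered.Payload[0] ^= 0x01

	both := []ed25519.PublicKey{releasePub, devicePub}
	return map[string]bool{
		"anyOf_accepts_genuine":        verifyAnyOf(both, genuine) == nil,
		"anyOf_accepts_deviceSigned":   verifyAnyOf(both, deviceSigned) == nil,
		"release_accepts_genuine":      verifyRelease(releasePub, genuine) == nil,
		"release_accepts_deviceSigned": verifyRelease(releasePub, deviceSigned) == nil,
		"release_accepts_tampered":     verifyRelease(releasePub, tampered) == nil,
	}, nil
}

func main() {
	results, err := Scenario()
	if err != nil {
		panic(err)
	}
	for name, ok := range results {
		fmt.Printf("%-30s %v\n", name, ok)
	}
}
```

Encryption of the package (the GPG passphrase the slides mention) is orthogonal: it hides the contents but does not prove who produced them, which is why the signing policy, not the encryption, decides whether an update can carry persistent changes or root access.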

One more thing…

Demo: remote code execution

https://youtu.be/9fWa6sAHbNY

It’s not all bad

• USB ports are disabled during boot

• Media is deleted from scope once downloaded

• WPA2 is in use, even if key cannot be changed

• The API does validate user input*

• Console access is password protected

• Software updates are GPG encrypted+signed*

Will it get better?

• Three emails sent to TrackingPoint since April

• Zero replies

• Two calls after Andy Greenberg reached out

• TrackingPoint is working on a patch

Valued TrackingPoint Community,

Wired Magazine recently reported that information security consultants discovered software vulnerabilities in TrackingPoint guns. We are working with the consultants to verify their assessment and will provide you with a software update if necessary. Until then, please note the following: Since your gun does not have the ability to connect to the internet, the gun can only be compromised if the hacker is actually physically with you. You can continue to use WiFi (to download photos or connect to ShotView) if you are confident no hackers are within 100 feet.

We will keep you updated, and hope you continue to have exhilarating TrackingPoint shooting experiences!

Vendors should level up

• Issues found are not unique to this product

• Too many vendors ignore low-hanging fruit

• BuildItSecure.ly

• OWASP IoT Top 10

Resources

Thanks to…

• Travis Goodspeed

• Babak Javadi // The CORE Group

• Mickey Shkatov // Intel Advanced Threat Research

• Joe FitzPatrick

• Jesse

• Kenny

• ^H // Portland’s Hackerspace

Thanks! Questions?

Contact: @runasand or runa.sandvik@gmail.com