[Home] [Headlines] [Latest Articles] [Latest Comments] [Post] [Mail] [Sign-in] [Setup] [Help] [Register]
Status: Not Logged In; Sign In
Bang / Guns Title: Anybody Can Fire This 'Locked' (Dumb) Smart Gun With $15 Worth of Magnets For gun control advocates, a "smart" gun that only its owner can fire has promised an elusive ideal: If your phone or PC can remain locked until you prove your identity, why not your lethal weapon? Now, for the first time, a skilled hacker has taken a deep look into the security mechanisms of one leading example of those authenticated firearms. He's found that if smart guns are going to become a reality, they'll need to be smarter than this one. At the Defcon hacker conference later this week, a hacker who goes by the pseudonym Plore plans to show off a series of critical vulnerabilities he found in the Armatix IP1, a smart gun whose German manufacturer Armatix has claimed its electronic security measures will "usher in a new era of gun safety." Plore discovered, and demonstrated to WIRED at a remote Colorado firing range, that he could hack the gun with a disturbing variety of techniques, all captured in the video above. The Armatix IP1 handgun is designed so that it can only be fired when the owner is wearing a special Armatix watch---in theory. Plore notes that unlike many gun owners, he's not opposed to the principle of a gun with added layers of electronic authentication. But he says the politicized debate over smart guns hasn't examined the far more basic question of whether they actually provide the security they promise. "If you buy one of these weapons thinking itll be safer, it should be," Plore says. "In this case, it was so easily defeated, in so many ways, that it really failed to live up to its side of that bargain...Misplaced trust is worse than no trust at all." Gun rights advocates have long opposed smart guns, seeing them as a Trojan Horse to regulate traditional firearms. And Plore says his interest in smart-gun hacking originated with reading a vehemently anti-smart-gun thread on the gun forum Calguns.net in 2015. "Could you imagine what the guys at Defcon could do with this [piece of shit]?" one poster wrote wrote in response to a negative NRA review of the Armatix IP1. Plore, who had just a few months earlier spoken at the Defcon conference about cracking electronic safes, decided to find out. Over the next six months he developed a series of three attacks on the IP1's security mechanisms, each one more serious and low-skilled than the one before. "I was confident Id be able to break it," says Plore, who has a day job as a hardware-focused engineer and security consultant. "I didnt think it would be so easy." In fact, before he found his dead-simple magnet hack, Plore tried a far more technical approach known as a "relay" attack. That involved building two small radio gadgets, each no larger than a pack of cards and costing about $20 in hardware. The relay attack takes advantage of the gun's radio-based safety mechanism. When the shooter squeezes the gun's handle, it sends out an RFID signal to check if the watch is present. But Plore showed he could place one of his radio devices near the watch to intercept the signal, and relay it to another gadget as far as 12 feet away. That means the gun doesn't need to be next to the shooter's wrist, as intended, but can instead be held by someone else, breaking its tight identity restrictions. Plore also developed a technique that doesn't defeat the gun's authentication, but instead hijacks those security mechanisms to render the weapon altogether useless. He built a $20 transmitter device that simply emits radio waves at roughly the same 900 megahertz frequency as the gun and watch, overwhelming their communications. From as far as 10 to 15 feet away, the handheld transmitter can reliably jam the gun no matter how close it is to the owner's watch. (Plore himself prefers to call the technique "electromagnetic compatibility testing" rather than "jamming," since the latter may be illegal under certain Federal Communication Commission regulations.) An assailant who knew his intended victim carried an Armatix handgun could, then, simply use the transmitter to disarm him or her. But Plore warns that even a nearby cordless phone could trigger the interference. "Imagine your gun wont fire because somebodys grandmother is blabbing on a cordless phone," Plore says. After developing those two more technical radio attacks, Plore dug into Armatix's patent diagrams. There, he found that when the watch's radio signal authorizes the gun to fire, an electromagnet moves a small metal plug to unlock its firing pin. So Plore ordered a $15 stack of magnets from Amazon. He found that by placing them next to the gun's body at a certain angle, he could immediately fire at will, with no watch in sight. When the gun first fired without authentication, "I almost didnt believe it had actually worked. I had to fire it again," Plore remembers. "And thats how I found out for $15 of materials you can defeat the security of this $1,500 smart gun." Plore first contacted Armatix about his findings in April, but the company didn't respond to his findings other than to acknowledge they'd received them. In response to questions from WIRED, Armatix spokesperson Georg Jahnen noted in an email that while all of the attacks were possible, they might not be easy or practical in certain conditions. He argued that the jamming attack actually demonstrates the gun's safety measures, since it at least failed in a safe way, rather than firing without receiving a signal from the watch. As for the magnet attack, Jahnen argued that someone who wanted to exploit the vulnerability without preparation might not have the necessary magnets ready to use. "I do not think that you have appropriate magnets with you when you act in the heat of the moment," he noted. (That claim ignores the fact that the magnets are easily bought, and someone could of course steal the gun and obtain the magnets later to defeat the IP1's security system.) But Jahnen also conceded that Plore's revelation of the IP1's flaws will make smart guns safer in the future. "Our experiences with the strengths and weaknesses of the iP1 system will flow into the next generation of smart gun system," he writes. 'I didn't think it would be so easy.' Smart-Gun Hacker 'Plore' Plore admits that the notion of showing anyone how to easily fire a weapon that's meant to be locked represents a potentially dangerous ethical dilemma. But he argues that Armatix has only sold a small number of IP1s. Armatix hasn't released sales numbers, and declined to answer WIRED's questions about total sales. But gun rights advocates have lobbied against the weapon so strongly that Armatix has had difficulty finding US stores to carry them, and multiple stores that considered selling the weapon have nixed their plans under pressure. Plore says even for his tests, he had to ask three Colorado stores before one was willing to order a single IP1 on his behalf. Armatix itself filed for bankruptcy in 2015. (That might also explaining why it was so unresponsive to Plore's warnings about the IP1's flaws.) All of which suggests that Armatix's IP1 is already a lost cause for gun-safety advocates. But Plore reasons that perhaps demonstrating its flaws can show future smart gun manufacturers how not to design safety measures. There's no software patch that can fix the IP1. But future models of the gun, and those from other manufacturers, could integrate components with tighter radio timing restrictions to defeat Plore's relay attack. They could use error correction and higher-powered radio signals to prevent jamming attacks. And to defeat his magnet attack, they could build their firing pin locking mechanism with non-ferrous materials, or use a motor that applies a rotary force to lock the gun that can't be easily spoofed with a simple one-direction magnet outside its body. That means there's still hope for smart guns, Plore says. "There are some people who think you shouldnt be able to have a smart gun. Im not one of them," he says. "If people want to buy smart guns, they should be able to. And if they do, they should get what's on the label." Poster Comment: Smart shooter with dumb guns is the best. Post Comment Private Reply Ignore Thread Top Page Up Full Thread Page Down Bottom/Latest Begin Trace Mode for Comment # 1.
#1. To: hondo68 (#0)
The pistol is chambered for the .22 LR rimfire cartridge in a 10 round magazine. $1500. From the review: It said that the pistol was unreliable (failing to get through an entire 10-round magazine even once), and had an "off the scale" (~25 lbs) double-action trigger pull. It also criticized the pistol's recessed hammer, which does not allow much purchase on the hammer if the user attempts to decock the pistol with their thumb on the hammer (though the review called this "ill-advised" with any design). Finally, it criticized the pistol's color-coded LED indicators, where red means safe and green means fire. It said that this is inconsistent with other firearms' safety colors, where red means "ready to fire".
#2. To: misterwhite (#1)
The pistol is chambered for the .22 LR rimfire cartridge in a 10 round magazine On the Winchester 1100 pump shotgun, you push the safety button on the front of the trigger guard to the left with your index finger, which exposes the RED, and it's ready to fire. 22LR is not a suitable defensive round, IMO. 00 Buck is much better.
Is this a target pistol? $1500 for a .22 target pistol? No way this becomes a top seller unless governments pass very tight restrictions on pistols. Maybe there will be a market in the EU, for instance.
Top Page Up Full Thread Page Down Bottom/Latest |
[Home] [Headlines] [Latest Articles] [Latest Comments] [Post] [Mail] [Sign-in] [Setup] [Help] [Register]
|