Modernizing Authentication — What It Takes to Transform Secure Access
At the DEF CON security conference in Las Vegas, a security researcher known by the alias Plore captivated a standing room-only audience with a tale of how he was able to hack a smart gun.
Plore specifically looked at the Armatix iP1 smart gun, which includes both a pistol as well as a smart watch. The way the gun is supposed to work is that the authorized user wears the watch, which helps to authorize the firing of the pistol. Plore explained that when the pistol's trigger is squeezed it sends a signal to the watch asking for authorization. The watch then sends a security token to the pistol, enabling the weapon to be fired.
"I'm not against smart guns," Plore said. "But you should get what's on the label and be able to get one that provides meaningful extra security."
"I was hoping this would work and was surprised at what I found," he said.
Plore was able to hack the smart gun in multiple ways, including defeating the proximity restriction. The Armatix iP1 is only supposed to be fired while the watch is on the user's wrist, with an approximate distance of 25 centimeters. The proximity restriction is in place so that the weapon could not be fired for example, while the watch was on a desk and the weapon was outside. To defeat the proximity restriction, Plore was able to create a wireless relay device that was able to extend the signal from the watch to the weapon.
Another hack that Plore was able to execute against the smart gun was a denial of service attack. Effectively what he did was jam the signal between the watch and the pistol. The use case of a denial of service attack against a smart gun is to prevent an adversary from firing the weapon.
Plore said that the manufacturers should have done Electromagnetic compatibility testing (EMC) to make sure that the smart gun didn't interfere with the operation of other wireless devices and vice-versa. By finding the right signal, Plore was able to disrupt the transmission between the watch and the weapon from a range of three to ten meters. Plore also suggested that if the watch had more transmitter power or more robust frequency modulation, the signal interference would not have jammed the weapon.
The core premise behind the smart gun is that it cannot be fired by an unauthorized user - that is a user who does not have the right watch. Plore was able to defeat that premise too.
Using $15 of magnets, Plore was able to trick the smart gun into authorizing the weapon to fire. The magnets were able to move a locking pin on the smart gun that used a DC magnetic field.
Plore said that he debated whether or not to submit his finding and do the research on the smart gun in the first place. He noted that the ethical dilemma is that he didn't want to teach people how to break guns. His purpose however was to disclose the issues so that future product can be better.
"It's good these problem are found now before anyone has died, better now than after an unfortunate accident," he said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.