[IOT THREAT ANALYSIS] Armatix iP1: when your gun does whatever it wants

  For several years the firearms industry has been trying to venture into smart devices, using wireless technology as a means of precision, monitoring and safety. Until now only concepts had been presented and none had been sold. Armatix is the first company to bring such a product to market, its iP1 model.

With smart devices spreading everywhere, designers had the idea of connecting firearms. But why? The point is to build an advanced safety mechanism into the product: the weapon can only fire when it is used by its owner, who is recognised by an RFID ring, fingerprint recognition or magnets. Armatix opted for a radio link, pairing the pistol with a dedicated watch. Unless the watch has been unlocked and is within 25 cm of the gun, the gun will not fire. At DEF CON 25, a hacker known by the pseudonym Plore set out to demonstrate that these high-tech features are not infallible.

Circumventing the distance restriction

Plore's first challenge was to circumvent the distance restriction between the watch and the gun. Normally the gun talks to the watch with a 5.35 kHz low-frequency signal (a frequency far below the 13.56 MHz used by NFC proper, despite the "NFC" label often attached to it). The proximity requirement is enforced only by the short physical range of that signal, not by anything in the protocol itself, which is exactly what a relay attack exploits. So the hacker built a relay that forwards the exchange over a longer-range 916.5 MHz RF link. For the modest sum of $20 he assembled two relay units from two nRF24 modules, two PCBs and two microcontrollers. With these, the gun can be made to talk to a watch 3 meters away, as in the following diagram:

Diagram of the communication between the smart watch and the gun through the relay antennas (source: DEF CON)

Deactivating the gun as a third party

The hacker then worked on having a third party deactivate the gun. The weak point of any radio link is its sensitivity to stray signals. The watch sends its authorization to the gun over a radio link in the 900 MHz band (916.5 MHz lies in the unlicensed 902-928 MHz ISM band), and a great many devices use that band today. "It would be a shame if the gun could not fire because a grandmother happened to be chatting on her mobile phone at that moment!" the hacker joked. He then built a 900 MHz transmitter, for roughly the same cost, to interfere with the gun's receiver and drown out the authorization signal coming from the watch. The jamming appears to work 100% of the time up to 3 meters, and sometimes up to 10 meters depending on the orientation of the gun.

The watch isn't needed to fire

Finally, the hacker looked at firing the weapon without its owner's authorization, and without the watch at all. The gun is locked by an electromagnetic mechanism: a ferrous plunger blocks the hammer while the gun is not authorized. When the watch sends its authorization signal, the electromagnet is energized and pulls the ferrous piece downwards, which frees the hammer.

Electromagnetic locking mechanism of the hammer (source: DEF CON)

For safety reasons it is sometimes preferable to keep the watch away from the gun, for example when there are children in the house. That protection can nonetheless be bypassed with a strong magnet (the hacker used three N52 neodymium magnets) held against the side of the gun. The external magnet pulls the ferrous plunger into the same position the electromagnet would, and the job is done: the gun fires with no watch anywhere near it. The drawback of this method is that the magnet can also interfere with the trigger, which may not return to its initial position.

The experts' view

The CERTs assigned these vulnerabilities a CVSS score of 10, based on the following criteria (these are the CVSS v2 base metrics):

For the relay attack extending the range with relay antennas (CVSS v2 vector AV:N/AC:M/Au:N/C:N/I:N/A:C)
– Access vector: network
– Access complexity: medium
– Authentication: none
– Confidentiality impact: none
– Integrity impact: none
– Availability impact: complete

For the jamming attack causing a denial of service on the gun (CVSS v2 vector AV:N/AC:M/Au:N/C:N/I:N/A:C)
– Access vector: network
– Access complexity: medium
– Authentication: none
– Confidentiality impact: none
– Integrity impact: none
– Availability impact: complete

For the attack operating the gun with an external magnet (CVSS v2 vector AV:L/AC:L/Au:N/C:N/I:N/A:C)
– Access vector: local
– Access complexity: low
– Authentication: none
– Confidentiality impact: none
– Integrity impact: none
– Availability impact: complete