Researcher Exposes “Smart Gun” Flaws
August 3, 2017
According to one security researcher, the controversial Armatix IP1 “smart” pistol is loaded with problems. In an exclusive piece published last week by Wired, Colorado-based white hat hacker, Plore, outlined several serious security vulnerabilities that affect the IP1 and its ability to function. For those of us who have followed the development of so-called “smart guns” here in the US, the fact that the IP1 has major issues isn’t necessarily surprising. What is alarming is the simplicity of the exploits that Plore managed to identify, which undermine not only Armatix’s product, but radio frequency (RF) smart guns as a whole.
Before we dig into the meat of Plore’s findings, there’s a problem with the Wired article that I feel needs to be addressed. Though he mentions gun owner opposition to smart guns at least twice, author Andy Greenberg wholly fails to address the dominant reason for that resistance. In 2002, New Jersey lawmakers passed the New Jersey Childproof Handgun Law. Under this law, the release of the first commercially-viable “smart gun” will open a three-year window, after which all handguns sold in the state must feature “smart” technologies. Not only does the law seek to limit new handgun options in the Garden State, but it also prohibits the transfer of traditional handguns following the three-year adoption period, including those already in private hands. Greenberg’s conspicuous omission of these details while noting gun owner opposition to smart guns paints an incomplete, perhaps biased picture of the issue.
As readers probably have noticed, RF devices are the “in” thing for all sorts of tech. They require little to no power to operate and are reasonably reliable. These days, you can pay at a register with your cell phone, unlock doors, and even pay highway tolls using RF devices. RF devices make life easier for millions of people every day. They also have no real business inside something that needs to work perfectly 100% of the time, like a firearm. As Plore’s work shows, one of RF’s most glaring weaknesses is that it can be easily jammed. By merely broadcasting a 900 Mhz signal (like the type used by many cell phones) that roughly matches the frequency used by the IP1’s watch, he managed to disable the firearm from several feet away. For gun owners, this is a major – and predictable – problem. The fear has always been that RF-based smart guns could be remotely disabled. It seems those worries were not misplaced.
Moreover, RF provides no real form of authentication. As Plore’s work shows, there’s nothing stopping someone from capturing the RF signal from the IP1’s control watch and retransmitting it from any device. The signal does nothing to prove that the wearer is authorized to use the firearm. Encryption wouldn’t help, either. The contents of the communication between the watch and the gun are irrelevant. A simple replay of the signal from any RF-enabled device unlocks the firearm. While advocates of smart guns have argued that the technology prevents unauthorized users from firing the weapon, that’s not entirely true as products like the IP1 have no means to identify the user.
The weaknesses of RF aside, as an electromechanical device, the IP1 must, at some point, translate the electronic signals from the RF reader to physical actions that either allow the gun to function or prevent it from firing. In the case of Armatix’s product, successful activation causes an electromagnet to move a small plug away from the firing pin. That’s why Plore could use a magnet to fire the gun. End users can freely remove this part, bypassing the RF features altogether. Similar overrides will inevitably plague all similar products, too. Since the technology is not inherent to the core function of the gun, “smart” features will always be electronic add-ons to what is otherwise a relatively simple mechanical device. It’s not like we’re using energy weapons here. Much like today’s magazine safeties, the controls inside guns like the IP1 can be circumvented by removing the relevant parts.
Ultimately, Armatix’s real issue is that they simply don’t understand the American market. This shouldn’t be surprising. In Germany – Armatix’s homeland – gun ownership is far less common, firearms are more expensive, and concealed carry is effectively non-existent. Even if the IP1 worked perfectly and New Jersey lawmakers hadn’t passed the smart gun mandate, Armatix would still be left trying to convince American buyers to purchase an underpowered, $1,200 rimfire handgun when viable alternatives are available for a fraction of that price. It isn’t that gun owners are categorically against smart guns. They’re just doomed to be overly complicated, unreliable, and easy to circumvent – and expensive to boot. A person could walk into any U.S. gun store and buy a Ruger SR22 along with a Gunvault biometric safe for less than $600 combined, both of which would be more reliable the IP1 (the biometric safe would also offer true user authentication via fingerprints). With that in mind and considering the failures of the IP1, it’s really no surprise that Armatix is struggling.
An information security professional by day and gun blogger by night, Nathan started his firearms journey at 16 years old as a collector of C&R rifles. These days, you’re likely to find him shooting something a bit more modern – and usually equipped with a suppressor – but his passion for firearms with military heritage has never waned. Over the last five years, Nathan has written about a variety of firearms topics, including Second Amendment politics and gun and gear reviews. When he isn’t shooting or writing, Nathan nerds out over computers, 3D printing, and Star Wars.