Monday, April 29, 2013

Hack the Gun

I'm no firearms expert (by any reasonable measure), which is why I leave most of the gun geekery to those that know better.  But there's a new gun about to be introduced where my (computer security) expertise is on target.  Fingerprint technology to control who can fire a gun:
Miller is hoping he can begin production on his version of a smart gun within the next two months. His company has been working on it for 10 years, and has relied solely on private investments to date. The company hopes to get additional funding to create an updated prototype that would be available to gun manufacturers, and for retail in the form of a retrofit kit, within the next year.

Columbus, Ga.-based SGTi's technology uses relatively simple fingerprint recognition through an infrared reader. The biometrics reader enables three other physical mechanisms that control the trigger, the firing pin and the gun hammer.

Miller declined to detail how they work, saying it would expose his company's intellectual property.
Oh hells no.

The analysis to go though is concerning "failure modes" - when (not if) the fingerprint reader fails, how specifically does it fail?.  The simplest analysis is whether it fails open or fails closed:
Fail Open: the gun is fully functional even without the fingerprint reader working.  The owner can still shoot it, but so can anyone else.  IOW, you got no steenkin' security.

Fail Closed: the gun is disabled when the fingerprint reader is not working.  Joe Shmoe can't use it, but the owner can't, either.
If I had to have one of these, I'd prefer the fail open variant.  For example, if the battery died, you could still use it to protect yourself in an emergency.  The downside is that if Sumd00d steals your heater, all he has to do is remove the battery.  But it's still better than being in a jam and having an expensive paperweight because it failed close.

More subtle failure modes are false positive and false negative:
False Positive: the fingerprint system incorrectly identifies a legitimate user as a non-legitimate user, and refuses to fire.

False Negative: the fingerprint system incorrectly identifies a non-legitimate user as a legitimate one, and allows the gun to fire.
Again, were I forced to choose, I'd rather have something heavy on false negative.  If I were in a jam and needed to protect myself, I'd hate to find that I had an expensive paperweight because it miscalculated ZOMG ur a Bad Guy!!!eleventy!

Of course, life isn't as simple as all this, and so the actual failure modes will be an interesting mix of fail open + fail closed + false positive + false negative.  Complexity is not generally considered A Good Thing in security, and this won't be a happy situation.

And now comes the fun bit - the smart Bad Guys will start to figure out how to make this system fail in "interesting" ways.  In other words, they'll hack the gun.  I quite frankly have no confidence in the manufacturer to have a solid security story because they refuse to explain how their security story works:
Miller declined to detail how they work, saying it would expose his company's intellectual property.
Yeah, I'll just bet it would.  But I'm sure that nobody there would ever name their child Robert');DROP TABLE Students;--


We keep seeing this sort of thing - people getting enamored of a technology without having the slightest idea how the overall system will work (or more importantly, not work).  Now maybe I'm being unfair, and maybe Safe Gun Technology, Inc. has a super studly computer security architect who has drunk deeply from the cup of Security Wisdom.  Sure.  Yeah, that'll do.

Note to Safe Gun Technologies, Inc.  Is gun.  Is not safe.  Even if your technology sort of works, is subtly not safe.

I will leave you with one of Eric Raymond's masterful programming Zen Koans, which illustrates this perfectly:
There was a novice who learned much at the Master's feet, but felt something to be missing. After meditating on his doubts for some time, he found the courage to approach Master Foo about his problem.

Master Foo,” he asked “why do Unix users not employ antivirus programs? And defragmentors? And malware cleaners?

Master Foo smiled, and said “When your house is well constructed, there is no need to add pillars to keep the roof in place.

The novice replied “Would it not be better to use these things anyway, just to be certain?

Master Foo reached for a nearby ball of string, and began wrapping it around the novice's feet.

What are you doing?” the novice asked in surprise.

Master Foo replied simply: “Tying your shoes.

Upon hearing this, the novice was enlightened.
Hey, maybe there is an antivirus client for Safe Gun Technologies fingerprint reader.  That would be sweet.

5 comments:

  1. The reason I like guns is because they are simple mechanical devices powered by smokeless powder. The reason I don't like computers is because they're complex electrical devices powered by magic smoke.

    Keep my guns smokeless!

    ReplyDelete
  2. I'm a KISS fan... And I'd NEVER buy one of these... Having worked with 'fingerprint' tech, it's way to easy to break it, and worst comes to worst, they just chop off the applicable digit and presto... Sigh...

    ReplyDelete
  3. Nope. Waaaay too many failure and/or abuse points for me to ever willingly use one of these. Because that's just one step away from the things going wireless "for security updates" and the .gov deciding that for security reasons, they all need to be expensive paperweights. Nope. Not in my house.

    ReplyDelete
  4. I don't use my fingerprint scanner as my only means of logging into my Lenovo laptop. I sure wouldn't bet my life on it, and I worked for a big (as in 'the best') biometrics company in the world for awhile.

    ReplyDelete
  5. I can't tell you how many times the damn fingerprint scanner at work fails and I can't get in the door. It's almost a daily occurrence.

    Scan... Fail.

    Scan... Fail.

    Scan... Open.

    Yeah, I want a gun like that.

    PLUS, even if it did work it would only be good for a short time period because does anyone doubt that a thief with access to the hardware couldn't hack the thing to bypass the fingerprint scanner?

    ReplyDelete

Remember your manners when you post. Anonymous comments are not allowed because of the plague of spam comments.