“Smart” Guns Would Turn a Physical Fight into a Technological Fight

The Verge has a story about designers of “smart” guns being afraid to come forward with their designs because they believe us evil gun nuts will get them. While the story does attempt to make it appear as though their fear is well founded, I’m betting their actual fear has nothing to do with gun rights activists and everything to do with criticism. Gun control advocates seem to think guns with built-in access control are the Holy Grail of restricting gun ownership. What they fail to understand is that baking access control into firearms turns a physical confrontation into a technological confrontation.

There isn’t an access control system on the planet that cannot be bypassed by unauthorized users. Access control systems are about raising the cost of gaining unauthorized access. If I put a shitty lock on my door the cost of bypassing it is pretty low but a quality lock raises that cost. But even the most effective of access control technologies, once unveiled to the public, falls under the onslaught of hackers. Access control technology for firearms is no different. Once it hits the market security experts will put it under a microscope and discover every way to bypass it. Some of the bypasses will allow unauthorized users to fire the gun and other bypasses will prevent authorized users from firing the gun.

Consider the Armatix iP1. It’s a .22 pistol that uses a wristwatch containing a radio-frequency identification (RFID) chip to authenticate the user. Gun control advocates have touted the iP1 as the answer to the “smart” gun question. But there is a critical flaw in the pistol’s design: it relies on a wireless signal for authentication. Wireless signals are convenient but they suffer from a notably critical flaw in a self-defense tool: they’re susceptible to jamming. If you have a powerful enough transmitter you can flood specific radio frequencies with enough noise that it severely degrades or completely prevents communication between devices using those frequencies. Imagine being a police officer tasked with instigating violence against currently peaceful protesters. You plan to fire a couple of rounds into the crowd in the hopes chaos ensues so you and your friends can justify wholesale slaughter. But the protesters are smart and have been flooding the radio frequency your gun uses to authenticate, which renders your firearm inoperable. The previously physical conflict became a technological conflict.

One of the reasons I’ve been skeptical of current access control proposals for firearms is that the names working on the technology aren’t well known in the security community. Security is hard and failing to implement proper security for a firearm access control system would render it useless. Does the iP1 RFID setup utilize strong encryption for communications between the watch and pistol? Many RFID access control systems, especially earlier ones, didn’t utilize any encryption so it was trivial to intercept the authentication code and load it onto your own RFID chip. If cloning the authentication code stored in the watch is easy then the entire access control system is useless. And even if the system uses encryption the question becomes whether the encryption is properly implemented. Many systems can be manipulated in such a way that they give up credentials (just think of every database breach that resulted in user names and passwords getting stolen).
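The cloning concern above, as an added example that is not from the original post and does not describe the iP1's actual protocol: a reader that accepts a fixed code also accepts a recording of it, while a reader that issues a fresh nonce and expects a keyed MAC rejects the same recording. All class and function names and the sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical schemes for illustration only; not any real product's protocol.
class StaticReader:
    """Accepts any transmission equal to the enrolled fixed code."""
    def __init__(self, code: bytes):
        self._code = code
    def new_challenge(self) -> bytes:
        return b""  # nothing fresh is sent to the token
    def verify(self, response: bytes) -> bool:
        return hmac.compare_digest(response, self._code)

class HmacReader:
    """Sends a fresh random nonce and expects HMAC-SHA256(key, nonce) back."""
    def __init__(self, key: bytes):
        self._key = key
        self._nonce = None

    def new_challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify(self, response: bytes) -> bool:
        if self._nonce is None:
            return False  # no challenge outstanding
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # each nonce is single-use
        return hmac.compare_digest(response, expected)

def static_token(code: bytes):
    return lambda challenge: code  # same bytes every time

def hmac_token(key: bytes):
    return lambda challenge: hmac.new(key, challenge, hashlib.sha256).digest()

def capture_and_replay(reader, token) -> tuple[bool, bool]:
    """Run one legitimate session, then present its recorded response to a new one."""
    recorded = token(reader.new_challenge())
    legit_ok = reader.verify(recorded)
    reader.new_challenge()  # new session; the real token is absent
    return legit_ok, reader.verify(recorded)

if __name__ == "__main__":
    code, key = b"constructed-fixed-code", secrets.token_bytes(32)  # constructed samples
    print("static code:", capture_and_replay(StaticReader(code), static_token(code)))
    print("challenge-response:", capture_and_replay(HmacReader(key), hmac_token(key)))
```

Challenge-response only addresses replay of a recorded exchange; it does nothing about jamming or about a key that leaks from a poorly implemented token.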

Police departments and the military understand these issues, which is why they haven’t been on the bandwagon to adopt access control technologies for their weapons. If they did adopt such technology it would suddenly turn the physical fight, which they’re very good at, into a technological fight, which they’re not very good at. In all likelihood the current crop of people developing access control technology for firearms know that their designs won’t hold up under scrutiny and therefore don’t want their names attached to the designs. It’s much easier to claim that the evil gun nuts will come after them than to admit their designs have not undergone a security audit from a recognized auditor.