For Second Amendment rights fans, the American Rounds’ Automated Ammo Retail Machine (AARM) sounds like a dream: an AI-secured vending machine where you can buy ammo for your guns, installed right inside the supermarket where you already shop for regular necessaries like food, beer and, perhaps, first aid kits.

But everyone else may remember we’re in an era of ubiquitous and aggressive hacking, where everything seems to be a target for some malicious coders–even hospitals that are working to save people’s lives. And anyone who’s already questioned if AARM is a sensible 21st Century innovation or a horrifying dystopian mistake will get an extra chill when they hear a cybersecurity expert has already pointed out that the machines could be hacked.

FEATURED VIDEO An Inc.com Featured Presentation

AARMs may indeed be convenient for the gun-owning public–they transform the irksome business of going to a store and actually asking a real human being for the right kind of ammunition into an 21st-century interaction not much more complex than buying a frosty can of Coke from a soda machine. That’s kind of the point: American Rounds says its goal is to make ammo buying “accessible 24/7,” ensuring that customers can buy ammunition on their “own schedule, free from the constraints of store hours and long lines.” This convenience comes at potential expense of security, so American Rounds built in AI systems to make sure only people who can legally buy ammo can use the machines. Measures include card scanning and facial recognition software so the smart boxes can “meticulously verify the identity and age of each buyer” before spitting out a box of .45 caliber rounds.

That digital system is exactly what has cybersecurity expert Andrew Whaley worried. Whaley, a senior technical director at security software vendor Pronom, told the news site Business Insider that the idea that hackers would try to attack the AARM machines was a simple truth. It’s just a broader “attack surface” for cybercriminals to aim at, just like any new digital service that retailers have embraced, Whaley said.

There are many routes to a hack: First, hackers could try a direct attack, exploiting coding errors in the machines’ setup to bypass security measures like face recognition and thus buy ammunition without scrutiny. There could also be other less obvious bugs in the system that could be accidentally or deliberately exploited, which means the machines could “theoretically deny legitimate transactions or, more dangerously, permit illegal ones,” according to Whaley. A famous example of this sort of error from early days of hacking is “phone phreaking,” where hackers figured out how to reverse-engineer systems built into the phone network to get themselves free calls–only in the case of AARM this would translate to free bullets. The thing to remember is that no digital security system is 100 percent perfect, and that cybersecurity is an ongoing journey, not a fixed destination: American Rounds will have to meticulously update security measures for the AARM machines to keep them protected from new cyber threats as they arise, and those threats pop up on a daily or even hourly basis, particularly in an era when we know groups of AIs can find and exploit digital security flaws faster than people.

That’s a lesson for any business, particularly if your small team doesn’t have much cybersecurity expertise. And it’s especially important when seen in the context of recent hacking and ransomware attacks, plus when you learn that a hacker recently published an archive of some 10 billion–that’s billion with a giant B–passwords and login credentials, in what may be the biggest such password leak ever. Cybersecurity experts are concerned this archive may lead to all sorts of crimes, from identity theft to fraud and data breaches, Quartz reports.