The Mitsubishi Outlander, a popular hybrid SUV sold around the world, can be easily broken into by attackers exploiting security weaknesses in the setup that allows the car to be remotely controlled via an app.
The weaknesses were discovered by Pen Test Partners, and include:
- The mobile app connects to the car through a Wi-Fi access point on it, instead of via a web service and GSM module, making it impossible to use if one is not in range of the car’s wireless network.
- This wireless network’s Wi-Fi pre-shared key is written on a piece of paper included in the owners’ manual, but its format is too simple and too short, allowing attackers to crack it easily and relatively quickly.
- The car’s Wi-Fi access point has a unique SSID, but in a predictable format. This allowed the researchers to geolocate the various Outlanders throughout the UK.
After discovering the SSID and the pre-shared key, they connected to a static IP address within the network’s subnet, and this allowed them to sniff the Wi-Fi connection and send messages to the car.
Through these messages they were able to turn the car’s lights, air conditioning and heating on and off, change the charging programme and, most importantly, to disable the car’s anti-theft alarm.
“Once unlocked, there is potential for many more attacks. The on board diagnostics port is accessible once the door is unlocked. Whilst we haven’t looked in detail at this, you may recall from a hack of some BMW vehicles which suggested that the OBD port could be used to code new keys for the car,” they noted.
“We also haven’t looked at connections between the Wi-Fi module and the Controller Area Network (CAN). There is certainly access to the infotainment system from the Wi-Fi module. Whether this extends to the CAN is something we need more time to investigate.”
They tried to get in touch with Mitsubishi and share these discoveries responsibly, but didn’t have much luck initially. Only after they made them public did the company contact them.
Mitsubishi is currently working on new firmware for the Wi-Fi module that should fix these flaws. Until it is pushed out, the company has advised owners to deactivate the Wi-Fi using the “Cancel VIN Registration” option on the app, or by using the remote app cancellation procedure.
“Whilst obviously disturbing, this hacking only affects the car’s app, therefore with limited effect to the vehicle (alarm, charging, heating) – it should be noted that without the remote control device, the car cannot be started and driven away,” the company pointed out, and added that they are willing to work with the researchers in order to understand and solve the problem.
For a long-term fix, Mitsubishi needs to completely re-engineer the rather odd Wi-Fi AP – client connection method, the researchers advised.
“The problem is that any time you connect physical devices, objects or machines to the internet, you are taking the risk that these could one day be compromised due to vulnerabilities,” Justin Harvey, chief security officer at Fidelis Cybersecurity, told Help Net Security. “There is no doubt that owners of Mitsubishi Outlander hybrid cars will be reluctant to hit the road after this latest hack – at least until it has been resolved. Indeed, it’s not the first time we’ve seen hackers gain access to a car system; it’s reminiscent of the security vulnerabilities found by researchers in the Jeep Cherokee last year.”
“While it’s surprising that these vulnerabilities were not detected by Mitsubishi beforehand, both consumers and enterprises must evaluate the risks of Internet of Things (IOT) devices before implementing them. The physical nature of these ‘things’ represents a kinetic danger to the real world and, in reality, they could cause an accident or a serious injury. While no damage has been done on this occasion, there is no doubt that similar vulnerabilities will be detected in the years to come,” he concluded.
“The Mitsubishi Outlander vulnerability is another example of why an identity centric approach to connected device management is essential in reducing risk and enhancing user experience,” noted Simon Moffatt, Director Advanced Customer Engineering at ForgeRock.
“As more and more objects join the Internet of Things, high-end items such as connected cars will become increasingly attractive targets for hackers. Whilst manufacturers focus on end user experience and device connectivity, there needs to be a more joined-up approach to security, including a strong focus on device, service and user identity management.”
“It is important that devices, such as a car or a mobile phone application, have individual identity profiles, with validated authenticated and authorised services, that can restrict the operations or data made available,” he added. “Doing so allows Internet connected devices to confirm that the digital identity of the user and device is in fact fully aligned, and the right people are accessing the right services at the right time – making malicious activities more difficult.”