Industry News

Lax security means hackers could steal your Mitsubishi Outlander

Source: www.mitsubishi-motors.com

If you’ve got a Mitsubishi Outlander hybrid electric car then you’ve also got a problem.

Security researchers at Pen Test Partners have discovered that the top-selling family SUV’s security is fatally flawed because of the unusual method that Mitsubishi used to connect the vehicle to its mobile app.

As researcher Ken Munro explains in a YouTube video, the Mitsubishi Outlander is unusual in that it comes with its own wireless access point to connect the owner’s app, rather than communicating via GSM.

“Most remote control apps for locating the car, flashing the headlights, locking it remotely etc. work using a web service. The web service is hosted by the car manufacturer or their service provider. This then connects to the vehicle using GSM to a module on the car. As a result, one can communicate with the vehicle over mobile data from virtually anywhere.”

Munro says he found it easy to crack the pre-shared key used to connect to the car, and his team were able to find a way of cracking the messaging protocol – showing they could force the car to turn on its lights, heating and air conditioning (potentially draining the battery) and even disable the theft alarm.

alarm-off

Source: Pen Test Partners

The fact that the vehicle’s alarm can be disabled is, of course, a considerable concern – especially as the researchers showed they could use the Wi-Fi search engine wigle.net to “easily” geolocate a car and track it. Such an ability is clearly a boon for car thieves.

The researchers informed the car manufacturer of the security flaw in the Mitsubishi Outlander, but initially failed to get a satisfactory response until the BBC took an interest in the issue.

Until a proper fix is available Mitsubishi Outlander owners are advised to unpair any mobile device they have connected to the car’s access point – effectively telling the vehicle’s Wi-Fi module to go into sleep mode. This is done by opening the app, going to “Settings” and selecting “Cancel VIN Registration”.

Mitsubishi has published details of how to delete the registration on this webpage.

delete-reg

This vulnerability is just the latest in a series of security flaws found in vehicles recently. Problems seen have included cars that could have their brakes disabled just by sending an SMS, Jeeps being commandeered remotely, and millions of GM cars vulnerable to remote exploitation via their onboard OnStar dashboard computer.

It’s clear that automobile manufacturers are racing to connect their vehicles to the internet in a bid to appeal to gadget-loving drivers, but that safety and security is not being treated as a priority.

As more and more cars jump on the Internet of Things bandwagon, it’s not just going to be the risk of remote control car theft that we are going to have to worry about. Our own physical safety is going to be an increasing concern too.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • It appears that manufactures dabbling with 'smart cars' are not getting pen testers to put these vehicles to the test (pardon the pun).

    They should stick to manufacturing cars and leave info-sec to the professionals.