Security researchers have suggested that Mitsubishi recall at least 100,000 cars after discovering an exploit that lets hackers unlock the vehicles and even drain their battery.
Experts at Pen Test Partners discovered that the Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) SUV has a serious vulnerability that could give hackers access to a number of car controls, like the lights, heating, and unlocking system.
“We noticed that the mobile app had an unusual method of connecting to the vehicle so we bought one to investigate,” writes the team.
Usually, remote control apps – ones that locate a car, flash headlights, or lock remotely – work using a web service that’s hosted by the car maker or a service provider. This connects to the vehicle using GSM to a module on the car, which means you can communicate with the vehicle over mobile data from pretty much anywhere.
But the Outlander PHEV uses a different method. Instead of featuring a GSM module, there’s a Wi-Fi access point on the car. That means that to connect to the car, users are forced to disconnect from other Wi-Fi networks and join the vehicle’s access point.
“I assume that it’s been designed like this to be much cheaper for Mitsubishi than a GSM/web service/ mobile app-based solution,” the researchers write, describing the existing method as a “massive disadvantage to the user”.
The problem is that the system hasn’t been implemented securely, according to researchers:
“The Wi-FI pre-shared key is written on a piece of paper included in the owners’ manual. The format is too simple and too short. We cracked it on a 4x GPU cracking rig in less than four days. A much faster crack could be achieved with a cloud-hosted service, or by buying more GPUs.”
The researchers were able to acquire both the SSID and the PSK for the car, giving them access to various vehicle controls:
“After figuring out the binary protocol used for messaging, we could successfully turn the lights on and off. Next, we messed around with the charging programme, from which we could force the car to charge up on premium electricity.”
They were even able to turn the air conditioning and heating on to drain the battery, and even disable the car alarm. Yes, the researchers were able to sit inside the car without ever having used a legitimate unlocking method.
Related: Apple Car
To make matters worse, the researchers say that Mitsubishi was reluctant to investigate. They claim that the firm only became interested once reports appeared in the press.
“Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest. We were a bit stumped at this point: As so often happens, the vendor takes no interest and public disclosure becomes an ethical dilemma. So, we involved the BBC who helped us get their attention. Mitsubishi have since been responsive to us!”
Apparently Mitsubishi is now “taking the issue very seriously at the highest levels”, and a medium-term fix is currently in development. This will likely come in the form of a software patch.
Check out the hack video below:
How to fix Mitsubishi Outlander exploit
The researchers suggest the following steps as a short-term fix:
- Go to car and connect your mobile phone to access point
- Using app, go to ‘Settings’ and select ‘Cancel VIN Registration’
- Once all paired devices are unpaired, the Wi-Fi module will effectively “go to sleep”
- The Wi-Fi module cannot be powered up again until the car key remote is pressed ten times
Note that this will render your mobile app useless, but it will “fix” the security vulnerability. For a full fix, Mitsubishi will need to re-engineer the entire connection method – which could require a recall.
Ford Interview: The Future of Autonomous Cars
Do you worry about your car being hacked? Let us know in the comments.