Mitsubishi Outlander Just The Latest 'Smart' Car That's Trivial To Hack And Control
from the not-so-smart dept
Yet another vehicle heavily advertised as being "smart" has proven to be notably less secure than its older, dumber counterparts. This week, researchers discovered that flaws in the Mitsubishi Outlander leave the vehicle's on-board network vulnerable to all manner of hacker attack, allowing an intruder to disable the alarm system, drain the car's battery, control multiple vehicle functions, and worse.The app for most "smart" vehicles connects to a web-based service hosted by the manufacturer. This service in turn connects to a GSM module inside of the automobile, letting a user control the vehicle from anywhere. While convenient, this has proven to be problematic when poorly implemented -- something Nissan recently discovered after the company failed to implement any real authentication, letting an attacker use the Leaf app to track a driver's driving behavior, physically control the Leaf's heating and cooling systems, and drain the car's battery.
Analysis of the Mitsubishi Outlander's security flaw found that Mitsubishi did things differently, requiring users connect to an on-board Wi-Fi hotspot before controlling the vehicle using the associated app (presumably to save money on an online hosting service). But the researchers found that the Wi-Fi key was relatively trivial to hack:
"The Wi-Fi pre shared key is written on a piece of paper included in the owners’ manual. The format is too simple and too short. We cracked it on a 4 x GPU cracking rig at less than 4 days. A much faster crack could be achieved with a cloud hosted service, or by buying more GPUs."Given the embedded access point has a unique SSID, an attacker can use public resources like Wigle.net to easily geolocate any Outlander PHEVs they might like to target. With the PSK and the SSID, the security firm was able to compromise the remainder of the car's rudimentary security using a man-in-the-middle attack to sniff the traffic flowing between the car and the app. Once inside, researchers noted that like the Leaf hack they could drain the car's battery, turn various vehicle functions on and off, and turn off the alarm. But they also note the vulnerability goes much deeper than with the Leaf:
"Once unlocked, there is potential for many more attacks. The on board diagnostics port is accessible once the door is unlocked. Whilst we haven’t looked in detail at this, you may recall from a hack of some BMW vehicles which suggested that the OBD port could be used to code new keys for the car. We also haven’t looked at connections between the Wi-Fi module and the Wi-Fi module and the Controller Area Network (CAN). There is certainly access to the infotainment system from the Wi-Fi module. Whether this extends to the CAN is something we need more time to investigate."Like with so many vulnerabilities, the researchers say that when they brought the problem to the attention of Mitsubishi, the company showed "disinterest" in a dialogue. At least until they contacted the BBC, at which point Mitsubishi got chatty:
"Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest. We were a bit stumped at this point: As so often happens, the vendor takes no interest and public disclosure becomes an ethical dilemma. So, we involved the BBC who helped us get their attention. Mitsubishi have since been very responsive to us! They are taking the issue very seriously at the highest levels."We've noted for a few years now that in-car security -- as with most products on board the "internet of things" hype train -- is aggressively atrocious. And it's not really clear it's getting any better despite several government warnings and bad press. Many car manufacturers still aren't quick to respond to disclosures, and even if they can, they often take far too long to patch problems when found. That's of great benefit to government, private or criminal entities that surely appreciate the easy new way to spy on, stall or even potentially kill via methods most police departments likely don't have the chops to adequately investigate.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: connected cars, hacking cars, internet of things, outlander, smart car
Companies: mitsubishi
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
Since the key is computed from the WiFi SSID, you can use publicly accessible wireless SSID databases (e.g. https://wigle.net/ or similar) to look for car-specific WiFi SSIDs, compute the wireless key in advance, even from halfway around the world, then just send a goon squad armed with that pre-computed key and steal the car in less than 2 minutes.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
While I'm at it, forget the IoT since none of the makers have time for security during the programming to create these toys. I want something that when I buy it, like a thermostat for instance, continues to work until it is worn out. Not when the maker decides it will no longer support the product and force you to purchase a new replacement. As far as I am concerned, I want something that just works and not connected to the internet or wifi is a plus when it comes to features.
[ link to this | view in chronology ]
Re:
I'd say OBD-II counts as smarts, and that's been mandatory since 1996, so you can't have anything newer than that.
[ link to this | view in chronology ]
Re:
It's not the smarts that are the problem -- it's the connectivity.
[ link to this | view in chronology ]
It's all cost and time to market
[ link to this | view in chronology ]
Don't give them more ideas
Chops? The police are undoubtedly champing at the bit to *use* the exploit. Imagine, no more high speed chases; just hack into the fleeing car and take control.
[ link to this | view in chronology ]
Smart Car Oxymoron
The next time someone wants a 'self-driving' car, ask them 'and when's the last time you found an error on your GPS, because that's what 'drives' a self-driving car?'
[ link to this | view in chronology ]
Re: Smart Car Oxymoron
You know they have cameras and others sensors, and don't just rely on GPS, right? Your self driving car might take you to the wrong place because of a GPS error, but it's not going to drive you into a lake because of one.
[ link to this | view in chronology ]
[ link to this | view in chronology ]