Security researchers say that the unusual way in which Mitsubishi’s Outlander hybrid electric vehicle connects to its app leaves the vehicles susceptible to hacking.
Reported by the BBC, the security experts at Pen Test Partners (PTP) say that the battery on the vehicle can be remotely discharged, and that the entire alarm system could be disabled, if the hacker knew what they were doing.
Perhaps worse than either of those, however, the weakness allows the intruder to easily locate any other Outlander PHEV to a worryingly precise location.
PTP says that while most car’s systems use GSM to communicate with the counterpart mobile app, Mitsubishi’s uses Wi-Fi, which not only makes it less useful than a GSM connection (you need to be in range of the car) but also less secure.
“The Wi-Fi pre shared key is written on a piece of paper included in the owners’ manual. The format is too simple and too short. We cracked it on a 4 x GPU cracking rig at less than four days. A much faster crack could be achieved with a cloud hosted service, or by buying more GPUs.”
Capturing the authentication handshake was trickier, but entirely possible, which led them to be able to switch off the alarm. That’s bad for obvious reasons, but it also means that if someone knows how to disable an alarm and open a car, even more of the vehicle’s functionality will be exposed to the hacker.
“Once unlocked, there is potential for many more attacks. The on board diagnostics port is accessible once the door is unlocked. Whilst we haven’t looked in detail at this, you may recall from a hack of some BMW vehicles which suggested that the OBD port could be used to code new keys for the car.”
In the short term, PTP suggests connecting your phone to your Outlander PHEV and making use of the ‘Cancel VIN registration’ option until the problem has been fixed by new firmware or an entirely new system.
We’ve contacted Mitsubishi and will update this post if we hear back.
Update: Mitsubishi has responded with the following comments:
- This hacking is a first for us as none other has been reported anywhere else in the world
- We take this matter very seriously and are very much willing to initiate a dialogue between Mr. Munro’s team and our own specialists in Japan to better understand & solve the issue
- Whilst obviously disturbing, this hacking only affects the car’s app, therefore with limited effect to the vehicle (alarm, charging, heating) – it should be noted that without the remote control device, the car cannot be started and driven away.
- At this early stage, until further technical investigation, we would recommend our customers to deactivate the WiFi using the ‘Cancel VIN Registration’ option on the app, or by using the remote app cancellation procedure