Wi-Fi hack disables Mitsubishi Outlander's theft alarm – white hats
Pre-shared key in owner's manual. Hmmm
Security weaknesses in the set-up of Mitsubishi Outlander leave the hybrid car exposed to hack attacks – including the potential for crooks to disable theft alarms.
The Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) is a top-selling family hybrid SUV. More than 100,000 of them have been sold worldwide, around 22,000 of those in the UK alone.
Security researchers at Pen Test Partners began investigating the security of the car after one of its consultants noticed that the mobile app had an unusual method of connecting to the vehicle.
Most remote control apps for locating the car, flashing the headlights, locking it remotely etc work using a web service hosted by either the car's manufacturer or its service provider. Drivers communicate through the GSM mobile network via mobile data to a module on the car.
The Outlander PHEV does it differently. Instead of a GSM module, the car comes outfitted with a Wi-Fi access point. Drivers need to disconnect from any other Wi-Fi networks and explicitly connect to the car Access Point in order to control car functions.
This means that drivers can only communicate with the car from within Wi-Fi range, a huge disadvantage.
Worse yet, Pen Test Partners (PTP) found that Mitsubishi had failed to implement the system securely.
The Wi-Fi pre-shared key is written on a piece of paper included in the owner's manual. The format is too simple and too short, so PTP was able to use brute force hacking techniques to crack the keys within four days. A more powerful rig or a cloud-based system could drastically reduce the time it would take to recover these crypto keys.
The access point has a unique SSID in the format: <REMOTEnnaaaa>, where "n" are numbers and "a" are lower case letters.
This meant PTP’s security boffins were able to search Wireless Geographic Logging Engine wigle.net and easily geolocate Outlander PHEVs, including several in the UK.
A thief or hacker can therefore easily locate a car that is of interest to them, Pen Test Partners warns.
Knowing the SSID and the associated PSK creates a means for attackers to mount all manner of attacks.
After running a man-in-the-middle attack, Pen Test Partners gained the ability to replay various messages from the mobile app. After working out the binary protocol used for messaging, the security researchers were able to successfully turn the lights on and off. the same approach allowed manipulation of the car electricity charging programme, forcing the car to charge up on premium rate electricity.
PTP further gained the ability to control the air conditioning and heating, draining the battery in the process.
After sending the correct message, with no further authentication than having cracked the Wi-Fi PSK, it was possible to turn off the alarm of the Mitsubishi Outlander.
Pen Test Partner’s Ken Munro commented: “Disable the alarm, prise the door or smash the window. Unlock the car. Nuts! This is shocking and should not be possible,” he added.
Once unlocked, there is potential for many more attacks against the car. The onboard diagnostics port is accessible once the door is unlocked, opening the door to all sorts of mischief. The full scope of potential malfeasance was beyond the scope of Pen Test Partners research.
In particular, the security researchers haven’t as yet looked at connections between the Wi-Fi module and the CANBUS. “There is certainly access to the infotainment system from the Wi-Fi module,” Munro explained. “Whether this extends to the CAN is something we need more time to investigate.”
Pen Test Partners passed on its research to Mitsubishi UK (when?) before going public. Mitsubishi told the security researchers that ‘did not consider it a problem’ and had no plans to resolve the issues PTP had unearthed. Munro expressed dismay at this response. “We had found a trivial route to disable the theft alarm of a vehicle, exposing it (or at least its contents) to theft,” Munro said. “It would not take long for someone rather less ethical to figure out the same hack and potentially share it with the vehicle theft community.”
Fortunately security conscious Mitsubishi Outlander owners can protect themselves from attack even without action by Mitsubishi. Owners can unpair all mobile devices that have been connected to the car access point, as a short term workaround.
“Once all paired devices are unpaired, the Wi-Fi module will effectively go to sleep,” Munro explained. “It cannot be powered up again until the car key remote is pressed ten times. A nice security feature.”
“This has the side effect of rendering the mobile app useless, but at least it fixes the security problem,” he added.
A longer term fix is in the hands of Mitsubishi and would involve pushing new firmware to the Wi-Fi module so the mobile app can be used without creating a security fix. In the longer term, Mitsubishi needs to re-engineer the rather odd Wi-Fi Access Point – client connection method completely, Pen Test Partners concludes.
Mitsubishi has published a fix, whereby the user "Delete[s] Registration", which also has the effect of turning off the Wi-Fi access point. The fix is half-way down this web page, under the heading "Delete Registration (Initialization Process)".
Pen Test Partners said it would be demonstrating the hack live on its stand at the Infosecurity Europe trade show.
Mitsubishi told The Register:
- This hacking is a first for us as none other has been reported anywhere else in the world.
- We take this matter very seriously and are very much willing to initiate a dialogue between Mr. Munro's team and our own specialists in Japan to better understand and solve the issue.
- Whilst obviously disturbing, this hacking only affects the car's app, therefore with limited effect to the vehicle (alarm, charging, heating) - it should be noted that without the remote control device, the car cannot be started and driven away.
- At this early stage, until further technical investigation, we would recommend our customers to deactivate the Wi-Fi using the "Cancel VIN Registration" option on the app, or by using the remote app cancellation procedure