Looks like Mitsubishi should have been paying more attention to last year’s Jeep hack.
Pen Test Partners (PTP), a UK-based penetration testing and security services provider, announced that it has completed a successful hack of the Mitsubishi Outlander PHEV hybrid that allowed it to shut off the vehicle's anti-theft alarm, in addition to several other services.
The initial breach was accomplished thanks to the way the vehicle’s mobile app connects to the car. On its website, PTP said that most cars that have remote control apps for car location, operating headlights and remote locking use a web service hosted securely by the manufacturer or service provider. That service connects to the car using GSM. The Outlander PHEV, by contrast, connects via a Wi-Fi access point located within the vehicle. In order to connect to the car functions, we have to disconnect from any other Wi-Fi networks and explicitly connect to the car AP. From there, we have control over various functions of the car.
This means that if a hacker connects to the vehicle’s AP, he or she can take control of a variety of the car’s functions. This is exactly what PTP did.
What’s worse, the Wi-Fi passkey is written in the owner’s manual and uses a simple format, which the firm cracked in a brute-force attack on a 4 x GPU cracking rig in less than 4 days. It would have been much faster using a cloud-hosted service, or by buying more GPUs, PTP reported.
Once the hackers got access to the Wi-Fi handshake by de-authorizing the owner's cell phone from all other connections, it could connect to the car automatically. That was enough for the hackers to capture the code. That gave them access to the SSID in addition to the PSK. Using a man-in-the-middle attack, in which the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other, PTP "sniffed" the Wi-Fi connection. That gave them the rest of the information they needed to turn the lights on and off, change the electric car's charging program, turn the AC on and off to drain the battery and, most egregiously, disable the anti-theft alarm. And now, they could discreetly enter the car and get access to the on-board diagnostic (OBD) port.
And that's the game, folks. The OBD port could be used to recode laser keys and change any number of operational parameters.
PTP didn't look into connections between the Wi-Fi module and the Controller Area Network (CAN), but plans to investigate this further.
To address these issues, owners should unpair all mobile devices immediately. Meanwhile, Mitsubishi needs to send out an OTA firmware update to fix the vulnerabilities in the Wi-Fi module. Apparently this fix is currently being worked on. Long term, PTP recommends a GSM module for better security.
PTP has reported that Mitsubishi is now working with them to fix the problem.
Edited by
Maurice Nagle