Many electric and connected cars have proved to be hackable, and visitors to this year’s Infosecurity Europe got to see another example – the Mitsubishi Outlander, a plug-in hybrid electric vehicle with a mobile app that is usually used for locating the car, flashing the headlights and locking it remotely, all of which is enabled by a Wi-Fi access point on the vehicle.
Research by Pen Test Partners found that in order to reach the car’s functions, you have to disconnect from any other Wi-Fi network and explicitly connect to the car’s AP; from there, you have control over various functions of the car.
“This has a massive disadvantage to the user in that we can only communicate with the car when in Wi-Fi range,” said partner Ken Munro. “I assume that it’s been designed like this to be much cheaper for Mitsubishi than a GSM/web service/mobile app based solution. There’s no GSM contract fees, no hosting fees, minimal development cost.”
The research found that the system had not been implemented securely: the Wi-Fi pre-shared key was cracked on a four-GPU cracking rig in fewer than four days. By continuously de-authing the mobile phone from the home Wi-Fi router, there was a fair chance of it then connecting to the nearby car, at which point the handshake could be captured.
Tinkering with the mobile app, Munro and Pen Test Partners were able to successfully turn the lights on and off, alter the charging program, disable the alarm and turn the air conditioning or heating on/off, draining the battery.
Munro said that some of the design mistakes in this case “defy common sense”, and called on Mitsubishi to re-engineer the AP. Speaking to Infosecurity, Munro explained that the most significant problem for vehicle manufacturers is the long development time required for a car.
“It can take years for a design to get to market,” he said. “Retro-fitting security late into a development cycle can be very difficult. Whilst auto manufacturers are taking security seriously, there will be a lag for showroom models to reflect their progress in security for the above reason.”
He added that there is also the question of auto manufacturers dealing with security researchers. It’s a new arena for them as well. For instance, attempts to disclose the issue privately to Mitsubishi were greeted with disinterest initially – but, after disclosure, the automaker is now working on new firmware.
In a statement, Mitsubishi claimed this is the first time one of its vehicles has been hacked and that it is working “diligently” to investigate the problem. “The subject hacking has no effect on the ability of the consumer to safely start and drive the vehicle. Further, the vehicle’s immobilizer is unaffected. Accordingly, while the vehicle alarm could be turned off, the vehicle would remain locked and the car could not be started without the smart key remote control device.”
“More and more car manufacturers are taking a ‘connected-first’ approach,” Matthias Maier, security evangelist at Splunk said. “For example, increasingly updates can be installed ‘over-air’, providing the customer with the opportunity to regularly improve their car’s performance and software, as well as monitoring the operation of those vehicles. [But] if those networks aren’t totally secure or isolated, an opportunity exists that hackers could exploit.”
Justin Harvey, chief security officer at Fidelis Cybersecurity, said: “It’s not the first time we’ve seen hackers gain access to a car system; it’s reminiscent of the security vulnerabilities found by researchers in the Jeep Cherokee last year. The problem is that any time you connect physical devices, objects or machines to the internet, you are taking the risk that these could one day be compromised due to vulnerabilities.”
If connected cars are to be a part of the future, then this example shows that security has to be part of the equation. Munro said: “In the long-term, I think Mitsubishi should be taking this a lot more seriously than they have, it’s a very popular vehicle and there are loads on the roads in the UK and around the world and I really don’t think that this approach to security is acceptable.”
I asked Munro if he felt that the number of connected car hacking stories show a general failure of security to be part of the connected automotive process, and what could solve that. He said that car manufacturers are starting to get to grips with security (with some exceptions), but the issue is that of retro-fitting to existing vehicles on the road, plus those already past the design phase.
“It’s one thing starting on a brand new car design and building in security. That’s relatively straightforward,” he said. “Changing a design that is already getting close to production is hard work. How much of the system, wiring loom, interfaces, gateways etc. do you change? How much do you delay the vehicle launch by? Or do you try to ‘bolt on’ additional modules to offer extra security and deal with the cost increase?”
Munro said that for cars already in the field it’s a whole different ballgame, as manufacturers would have to decide whether to do an over-the-air fix or a product recall, and whether the car could even support a fix at all.
“It’s a similar challenge to that with SCADA: old technology, it has worked fine for years, but now new attacks have emerged. Do you engage in a program of slow improvement, waiting for kit (cars) to end of life? Or do you tackle it head on and rip out (replace?) perfectly functional but rather insecure technologies?”
Later, Ken talked to me about some of the details that Pen Test Partners were still working on, and what had not been disclosed back in June. He said this was primarily the way the packets were intercepted, and the fact that the Service Set Identifier (SSID) can be changed but the pre-shared key cannot. “This is the wrong way around,” he said. “It is something you don’t care about that you cannot change. The PSK is factory set and cannot be changed. We have got the time spent cracking the PSK down to two and a half days and we can sniff the handshake but do not need to be by the car.”
He said that the next stage of research was around gaining full control of the car: you do still need to be near the car to capture the handshake, but once you have got the car’s vehicle identification number (VIN), you are in.
Munro said that despite the media coverage of how insecure the connection between the mobile app and the car was, he had found that very few Outlander owners had switched the car’s Wi-Fi off. “You only need to be within range of the car’s Wi-Fi and if you can find a vehicle, either by using a national database or by locating a parked car on Google Street View, you should be able to connect to it,” he said.
“The terms and conditions state that you are not able to remotely connect to the Wi-Fi, but it also states that you shouldn’t be able to disable the theft alarm.”
Stealing and cracking the Wi-Fi key allows an attacker to intercept and modify data and to send Wi-Fi traffic without the mobile app. I asked him further about the packet capture, and he said that the commands had not been disclosed, nor had the content of the scripts used. Pen Test Partners reverse engineered the packets over the air, replayed them and narrowed the findings down repeatedly in order to work out which packets were causing each action to happen.
“For example, a function to retrieve the door status was not displayed within the mobile app, and also a function to unlock the doors from within the car, but the capability is there, as is a lot of functionality that doesn’t appear to be used by the mobile app but is not implemented,” he said. “We are trying to make this succeed so we have full ownership of the vehicle.”
He said that current work on this project was looking at fixes and further control of the car; the next step was to look at the Controller Area Network (CAN), and there was a plan to unmount the body network control module and review it further.
Speaking at the Steelcon conference in Sheffield in July, security researcher Chris Ratcliff said that “CAN is on its last legs and will be replaced by Ethernet”. He made a very valid point that car manufacturers are not going to go back and retro-fit everything that is on the road: when the hack on the Chrysler Jeep was publicised, they sent out a USB stick to every registered owner.
The reality is that fixing a car with an over-the-air patch is not easy, and apart from Tesla, which Ratcliff described as “a technology company that makes cars”, automotive companies will want users to buy a new car to fix a security issue.
Another researcher, Scott Helme, who along with Australian researcher Troy Hunt looked at similar flaws in the Nissan Leaf (Hunt was able to access the air conditioning and heating in Helme’s car from the other side of the world), said that in the case of automotive security research he doesn’t consider it to be hacking “as security is not built as one of the design roles”.
Is car hacking going to continue? Undoubtedly. Will car manufacturers take this seriously? I think it depends on whether a second model from Mitsubishi, Jeep or Nissan is researched. Is this going to change the way connected-device research and hacking is done? I think this is just the beginning.