Mitsubishi Outlander Flaw Opens Door to Thieves—Literally

First it was Chrysler's 2014 Jeep Cherokee, the Tesla Model S and the Nissan Leaf. Now it’s a Mitsubishi Outlander that has been hacked. White hats gained access via an unsecure on-board Wi-Fi connection and were able to disable the anti-theft alarm, flash the lights, tweak its charging settings and drain the battery.

The Mitsubishi Outlander plug in hybrid electric vehicle (PHEV) is a big-selling family hybrid SUV. It has an electric range of up to 30 miles or so, plus a petrol range of another 250 or so miles.

The vulnerabilities were found by PenTest Partners, whose team noticed that the mobile app had an unusual method of connecting to the vehicle. With other connected cars, cloud services to manipulate vehicle functions connect to the car over mobile networks. The Outlander PHEV instead uses Wi-Fi.

The lack of mobile data means that users can only communicate with the car within Wi-Fi range—this offers support for when you don’t have a mobile data connection (for example, when traveling in remote areas)—and potentially, it’s a more secure state of affairs because remote hackers a county or a country away can’t interfere with the vehicles.

Unfortunately, PenTest found that the system had not been implemented securely, opening the door to a fairly straightforward man in the middle attack with deeply troubling ramifications.

At issue: For one, the Wi-Fi pre-shared key (PSK) is written on a piece of paper included in the owners’ manual. The format is too simple and too short, and easily crackable. Secondly, the researchers were able to fairly easily hijack the handshake between a mobile device and the Wi-Fi system. From there, the MITM attack could be initiated.

After figuring out the binary protocol used for messaging, they could successfully turn the lights on and off. Next, they played with the charging program, from which they could force the car to charge up on premium rate electricity. They could also turn the air conditioning or heating on/off to order, thus draining the battery. This is similar to the Nissan Leaf issues.

But the worst part was the enablement of physical theft of the car. The researchers were able to disable the theft alarm, and then unlock the car.

From there, the on-board diagnostics port is accessible once the door is unlocked.

“Whilst we haven’t looked in detail at this, you may recall from a hack of some BMW vehicles which suggested that the OBD port could be used to code new keys for the car,” PenTest researchers said in an analysis.

This issue is a good example of a failure to address security as part of the design from the beginning—an all too common reality in the internet of things world.

“Words like ‘recall’ spring to mind,” the researchers said.

Some of the design mistakes in this case defy common sense, some said, and in the long term, Mitsubishi should re-engineer the AP - client connection method completely. “One has to ask why the app developers did not fully explore all the potential attack vectors, including a visible Wi-Fi access point, which is like leaving a back gate open,” said Richard Kirk, SVP at AlienVault, via email.

Ken Munro, partner at PenTest, told Infosecurity that the most significant problem for vehicle manufacturers is the long development time required for a car.

“It can take years for a design to get to market,” he said. “Retro-fitting security late into a development cycle can be very difficult. Whilst auto manufacturers are taking security seriously, there will be a lag for showroom models to reflect their progress in security for the above reason.”

He added that there is also the question of auto manufacturers dealing with security researchers. It’s a new arena for them as well. For instance, attempts to disclose the issue privately to Mitsubishi were greeted with disinterest initially—but, after disclosure, the automaker is now working on new firmware.

“We are often viewed with suspicion and disbelief, yet most of us have good intentions,” he said. “The first significant disclosure that the manufacturer receives is often the most painful, as they have yet to develop their disclosure program.”

To combat these learning curves, it should go without saying that Mitsubishi, like all car manufacturers, should consider employing a security monitoring managed service to be able to detect unusual behavior. This should include monitoring of the Engine Control Units, infotainment systems and on-board networks to detect and mitigate any compromise.

“More and more car manufacturers are taking a ‘connected-first’ approach,” Matthias Maier, security evangelist at Splunk, said in an email. “For example, increasingly updates can be installed ‘over-air’, providing the customer with the opportunity to regularly improve their car’s performance and software, as well as monitoring the operation of those vehicles. [But] if those networks aren’t totally secure or isolated, an opportunity exists that hackers could exploit.”

To protect themselves in the short-term, users should un-pair all mobile devices that have been connected to the car access point. Once all paired devices are unpaired, the Wi-Fi module will effectively go to sleep.

Photo © Ovu0ng/Shutterstock.com

What’s Hot on Infosecurity Magazine?