Gone in Less Than 60 Seconds: Why the Automotive Industry Needs to Get up to Speed with Security

The chances are you’ll have seen someone with a Mitsubishi Outlander PHEV. It’s one of the most popular hybrid SUVs in the UK, but it’s also a good example of how the automotive industry can get it wrong when it comes to manufacturing ‘connected cars’.

As with many security vulnerabilities in connected and IoT devices, the Outlander could be hacked because of a series of small issues, not one big glaring error. Firstly, having a Wi-Fi access point in the car creates a direct connection, making it easier to perpetrate attacks such as man-in-the-middle (MitM). Secondly, the pre-shared key (PSK) was not as strong as it could have been: it comprises four lowercase alpha characters plus six numeric digits, and it is written in the owner’s manual.

The hack itself doesn’t affect driver safety at the wheel. However, it did provide complete control over the heating, air conditioning, headlights, charging function and alarm, all of which could be subverted. The Mitsubishi Outlander PHEV pairs directly with the app from the car’s own Wi-Fi access point, rather than over GSM. This means that acquiring the SSID and the PSK would allow the hacker to instruct the car to charge at peak times, or not charge at all, and to deactivate the alarm. With the alarm off, an attacker could be much stealthier at breaking in, and would also gain access to the car’s on-board diagnostics (OBD) port – a potential vector to attack the car’s systems via the CAN.

Cracking the PSK would take around four days on a creaky old GPU rig, or a few hours on a faster £4000 rig where multiple keys can be cracked, but what if you were operating this hack on a commercial basis? These vehicles are worth £40,000+ and if a compromise is assured that would make these a prime target for a steal-to-order criminal gang. It would then be worth parting with the £1000 needed to crack these PSKs instantaneously with a really high power setup such as AWS. Your car could quite literally be gone in less than 60 seconds, particularly given that it can be located using geolocation sites. We pinpointed the location of some of the 22,000 vehicles across the UK using the war driving site WiGLE.net.
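The arithmetic behind those crack-time figures can be checked for any default-key format a manufacturer is considering. The following is an added example, not code from the article or from Mitsubishi: it generalises beyond the Outlander format to any fixed character-class scheme, the function names are hypothetical, and it assumes the article's "around four days" means exhausting the whole keyspace.

```python
import math

# Alphabet sizes for the character classes a default-key scheme may draw from.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "printable": 95}

def keyspace(scheme):
    """Distinct keys for a scheme written as [(class_name, count), ...]."""
    total = 1
    for cls, count in scheme:
        total *= CLASSES[cls] ** count
    return total

def entropy_bits(scheme):
    """Upper bound on key entropy, assuming every position is uniformly random."""
    return math.log2(keyspace(scheme))

def exhaust_seconds(scheme, guesses_per_second):
    """Worst-case time to try every key at a given guess rate."""
    return keyspace(scheme) / guesses_per_second

def min_length(cls, target_bits):
    """Shortest uniformly random key over one class reaching target_bits."""
    return math.ceil(target_bits / math.log2(CLASSES[cls]))

# Format described in the article: four lowercase letters plus six digits.
ARTICLE_PSK = [("lower", 4), ("digit", 6)]
# Assumption: the article's "around four days" is read as full exhaustion.
FOUR_DAYS = 4 * 24 * 3600
IMPLIED_RATE = keyspace(ARTICLE_PSK) / FOUR_DAYS  # guesses per second

# Constructed comparison: a 20-character random printable-ASCII passphrase.
RANDOM_20 = [("printable", 20)]

def report():
    """Keyspace, entropy and exhaustion time (years) at the implied rate."""
    rows = []
    for name, scheme in (("article format", ARTICLE_PSK),
                         ("random 20 printable", RANDOM_20)):
        years = exhaust_seconds(scheme, IMPLIED_RATE) / (365 * 24 * 3600)
        rows.append((name, keyspace(scheme), round(entropy_bits(scheme), 1), years))
    return rows

if __name__ == "__main__":
    for name, size, bits, years in report():
        print(f"{name:22} keys={size:.3e} bits={bits:5.1f} years={years:.3e}")
```

The fixed format caps the key at under 39 bits however it is generated, which is why the remedy is a longer random key per vehicle rather than a firmware tweak to the same scheme.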

The Mitsubishi compromise could be a costly lesson for the manufacturer. While the app has the ability to push new firmware to the Wi-Fi module, that’s only a short-term fix; the Wi-Fi access point to client connection method really needs to be reengineered. Will this see a full product recall? Only time will tell. At present the only option for the driver is to disable access under ‘Settings’ and ‘Cancel VIN Registration’ in the mobile app when it is paired with the car. This effectively puts the Wi-Fi module into sleep mode.

Mitsubishi have done the right thing in incorporating an OTA update function, but that’s not necessarily foolproof. Only last week Toyota issued an update for Lexus that went badly wrong, crippling satnav and entertainment systems and resulting in the blue screen of death. Granted, that wasn’t a security issue, but drivers found the only solution was to resort to that old helpdesk mantra – turn it off and then on again – not good practice if you’re busy driving.

They claimed the fault was due to a “faulty application”, which brings us into the murky realms of malware and even ransomware. Why go to the trouble of stealing a car if you could simply disable it or change the alarm and extort money to give the driver back control?

Also, there’s the issue of disclosure to consider. Often, big manufacturers are reluctant to acknowledge the vulnerability of their applications when security testers responsibly disclose. That’s a short step away from going down the plausible deniability route that got VW into such hot water over the emissions scandal. If manufacturers don’t now demonstrate that they a) welcome disclosure and have channels in place to deal with it and b) publicly show they take these issues seriously and act to rectify them, then inevitably consumer confidence in these leading brands will suffer.

The Mitsubishi, Nissan and Jeep compromises all suggest there remain very real security issues and that the automotive industry needs to address security testing of the app as well as the in-car systems. Software updates also need testing. Given that our cars are going to communicate even more in the future, with IoT sensors in our smart cities, it’s imperative we get this right now to stop the hacker getting into the driving seat.