Mitsubishi Outlander PHEV’s alarm can be hacked via Wi-Fi
Security researchers have hacked a Mitsubishi Outlander, one of the best-selling hybrid SUVs in the UK. Worryingly the hack enabled the researchers to disable the Outlander’s car alarm, and even do things like drain the battery and turn the car’s lights off and on.
Pen Test Partners, the security researchers that carried out the hacking, have explained exactly how the hack was performed on the company website, and it makes for a worrying read. Like many of the best hybrid cars around, the Mitsubishi Outlander has a counterpart app that allows you to check the status of the car and control certain functions. However, rather than GSM, this system uses Wi-Fi, and that connection wasn’t particularly secure.
Cracking the Outlander
The website goes on to say that the key to get into this Wi-Fi can be cracked “o
The website goes on to say that the key to get into this Wi-Fi can be cracked “on a 4 x GPU cracking rig at less than 4 days,” while a much faster crack can be achieved by using the cloud, or buying more GPUs. After that, the next step was to capture the handshake or connection process between the owner’s phone and the car. The researchers realised that most Outlanders would be parked outside their owner’s houses, so by kicking a mobile phone off an owner’s home Wi-Fi connection, the researchers were able to wait for it to find the car instead, and then capture the data exchange.
After getting the SSID and the PSK of the cars, the researchers were able to imitate an owner’s phone, and control several different functions. First, they were able to turn the lights on and off and use the air conditioning to drain the car’s battery – just like the Nissan Leaf hack, but they were also able to disable the car’s theft alarm.
The website reads: “So, we sat inside the car whilst being very still and locked it. Then, waving my arms around, it was clear that the alarm was off. I could then unlock the car using the handle on the inside of the door, without the alarm sounding”
What has Mitsubishi said?
The website says, “Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest… So, we involved the BBC who helped us get their attention.”
“Mitsubishi have since been very responsive to us! They are taking the issue very seriously at the highest levels.”
How to fix it
The researchers at Pen Test Partners have offered a short-term fix for the vulnerability, but it does mean the app will be useless for the time being.
- First, go to the car and connect your mobile phone to the access point on the car.
- Using the app, go to ‘Settings’ and select ‘Cancel VIN Registration’:
- Once all paired devices are unpaired, the Wi-Fi module will effectively go to sleep. It cannot be powered up again until the car key remote is pressed ten times. A nice security feature.
The researchers go on to say as a medium term solution, “new firmware should be deployed urgently to fix this problem properly, so the mobile app can still be used.” After that, the researchers say engineers will need to re-engineer the whole app completely.
A growing problem
First, we had the Jeep Cherokee, then the Nissan Leaf – and now the Mitsubishi. As much as car makers try and escape the issue, vehicles are getting more advanced, and that’s making them easier to hack. If auotomotive companies want us to embrace – admittedly useful – features like apps, they’ll need to make them as secure as the apps on our phones and computers.