Mitsubishi Outlander Just The Latest 'Smart' Car That's Trivial To Hack And Control

from the not-so-smart dept

Yet another vehicle heavily advertised as being “smart” has proven to be notably less secure than its older, dumber counterparts. This week, researchers discovered that flaws in the Mitsubishi Outlander leave the vehicle’s on-board network vulnerable to a range of attacks, allowing an intruder to disable the alarm system, drain the car’s battery, control multiple vehicle functions, and worse.

The app for most “smart” vehicles connects to a web-based service hosted by the manufacturer. This service in turn connects to a GSM module inside the automobile, letting a user control the vehicle from anywhere. While convenient, this has proven to be problematic when poorly implemented — something Nissan recently discovered after the company failed to implement any real authentication, letting an attacker use the Leaf app to track a driver’s behavior, physically control the Leaf’s heating and cooling systems, and drain the car’s battery.

Analysis of the Mitsubishi Outlander’s security flaw found that Mitsubishi did things differently, requiring users to connect to an on-board Wi-Fi hotspot before controlling the vehicle with the associated app (presumably to save money on an online hosting service). But the researchers found that the Wi-Fi key was relatively trivial to crack:

“The Wi-Fi pre-shared key is written on a piece of paper included in the owner’s manual. The format is too simple and too short. We cracked it on a 4 x GPU cracking rig in less than 4 days. A much faster crack could be achieved with a cloud hosted service, or by buying more GPUs.”

Given that the embedded access point has a unique SSID, an attacker can use public resources like Wigle.net to easily geolocate any Outlander PHEVs they might like to target. With the PSK and the SSID, the security firm was able to compromise the remainder of the car’s rudimentary security using a man-in-the-middle attack to sniff the traffic flowing between the car and the app. Once inside, researchers noted that, like the Leaf hack, they could drain the car’s battery, turn various vehicle functions on and off, and turn off the alarm. But they also note the vulnerability goes much deeper than with the Leaf:
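As an added illustration (not code from the researchers, Mitsubishi, or this article), the WPA2 key derivation plus some keyspace arithmetic shows why a short, patterned PSK falls inside the four-day budget quoted above, and why a unique SSID does not help once it is public. The 4-GPU guess rate is an assumed figure and the PSK formats compared are hypothetical; the page does not disclose the real Outlander format.

```python
import hashlib
import math
import secrets
import string

# WPA2-Personal (IEEE 802.11i) derives the 256-bit Pairwise Master Key from the
# passphrase with PBKDF2-HMAC-SHA1, 4096 iterations, using the SSID as the salt.
# A unique per-car SSID therefore does not stop offline guessing; it only means
# the work must be redone per target, and a public SSID database hands an
# attacker exactly that per-target salt.
def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random key drawn from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def expected_crack_days(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average offline effort: half the keyspace at the given PBKDF2 guess rate."""
    return (alphabet_size ** length / 2) / guesses_per_second / 86400


def bits_within_budget(days: float, guesses_per_second: float) -> float:
    """Largest keyspace (in bits) an attacker can exhaust within the time budget."""
    return math.log2(days * 86400 * guesses_per_second)


def random_psk(length: int = 20) -> str:
    """Defender side: a uniformly random PSK of this form is far outside any GPU budget."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# ASSUMED figure for a 4-GPU PBKDF2 rig; the article gives no rate, only "< 4 days".
ASSUMED_RIG_RATE = 1.5e6  # guesses per second

# Hypothetical PSK formats, NOT the real Outlander format (the page does not disclose it).
POLICIES = {
    "8 lowercase letters": (26, 8),
    "10 digits": (10, 10),
    "20 mixed-case alphanumerics": (62, 20),
}

if __name__ == "__main__":
    print(f"a 4-day budget covers ~{bits_within_budget(4, ASSUMED_RIG_RATE):.1f} bits of keyspace")
    for name, (alpha, n) in POLICIES.items():
        print(f"{name:28s} {keyspace_bits(alpha, n):6.1f} bits, "
              f"~{expected_crack_days(alpha, n, ASSUMED_RIG_RATE):.3g} days to crack")
    print("random PSK a vendor could ship instead:", random_psk())
```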

“Once unlocked, there is potential for many more attacks. The on board diagnostics port is accessible once the door is unlocked. Whilst we haven’t looked in detail at this, you may recall from a hack of some BMW vehicles which suggested that the OBD port could be used to code new keys for the car. We also haven’t looked at connections between the Wi-Fi module and the Controller Area Network (CAN). There is certainly access to the infotainment system from the Wi-Fi module. Whether this extends to the CAN is something we need more time to investigate.”

As with so many vulnerabilities, the researchers say that when they brought the problem to the attention of Mitsubishi, the company showed “disinterest” in a dialogue. At least until they contacted the BBC, at which point Mitsubishi got chatty:

“Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest. We were a bit stumped at this point: As so often happens, the vendor takes no interest and public disclosure becomes an ethical dilemma. So, we involved the BBC who helped us get their attention. Mitsubishi have since been very responsive to us! They are taking the issue very seriously at the highest levels.”

We’ve noted for a few years now that in-car security — as with most products on board the “internet of things” hype train — is aggressively atrocious. And it’s not really clear it’s getting any better despite several government warnings and bad press. Many car manufacturers still aren’t quick to respond to disclosures, and even when they do, they often take far too long to patch problems once found. That’s of great benefit to government, private or criminal entities that surely appreciate the easy new way to spy on, stall or even potentially kill via methods most police departments likely don’t have the chops to adequately investigate.


Comments on “Mitsubishi Outlander Just The Latest 'Smart' Car That's Trivial To Hack And Control”

12 Comments
Anonymous says:

Re:

Consider those 4 days as “advance preparation” for stealing a car. You don’t even need to be near the car to find it out.

Since the key is computed from the WiFi SSID, you can use publicly accessible wireless SSID databases (e.g. https://wigle.net/ or similar) to look for car-specific WiFi SSIDs, compute the wireless key in advance, even from halfway around the world, then just send a goon squad armed with that pre-computed key and steal the car in less than 2 minutes.

Anonymous says:

It’s no surprise that Mitsubishi wasn’t interested until the press got involved; like most of the internet of things auto makers, they have shown little interest in actually securing their products and would rather push heavily for legislation that makes it illegal for people to work on their own vehicles or to tinker with the onboard computers. They feel that is good enough, and of course then they won’t have to spend money for security. Which is insane and short-sighted, but unfortunately that’s their mindset now, and I think it’s going to end up taking some bad guys hacking into vehicles and causing a few large accidents before they are finally forced into dealing with it and putting in real security.

Anonymous says:

Just give me a plain old vehicle with no smarts to it at all. Seems they are the most secure.

While I’m at it, forget the IoT, since none of the makers have time for security during the programming to create these toys. I want something that, when I buy it, like a thermostat for instance, continues to work until it is worn out. Not when the maker decides it will no longer support the product and forces you to purchase a new replacement. As far as I am concerned, I want something that just works, and not being connected to the internet or wifi is a plus when it comes to features.

Spaceman Spiff says:

It's all cost and time to market

Security is hard. Good security is really hard. Just ask Bruce Schneier. It costs money, and takes a lot of time and development resources to get it right. Car companies, and others, are pressured to get these products to market quickly, so security is given short shrift, to the detriment of their customers. At the least, they could provide an OFF switch to disable all remote internet or other wireless access other than the hardware key that the driver has to have on their person in order to get into or lock the vehicle. I think I will keep my ’99 Camry until it falls apart. 250,000 miles and it still runs like a Swiss watch, burns no oil, and gets 25 city and 30+ mpg on the highway.

lazbo says:

Don't give them more ideas

“That’s of great benefit to government, private or criminal entities that surely appreciate the easy new way to spy on, stall or even potentially kill via methods most police departments likely don’t have the chops to adequately investigate.”

Chops? The police are undoubtedly champing at the bit to use the exploit. Imagine, no more high speed chases; just hack into the fleeing car and take control.

Skeeter says:

Smart Car Oxymoron

From ’24/7 connected’ cars that offer you almost all the computing convenience of home, to self-driving cars that (apparently) most politicians want to license sight-unseen, because some billionaire promised them a few campaign dollars; it’s easy to see this deep ‘profit-pool’ of low-hanging criminal fodder, combined with the opportunity to indiscriminately kill thousands through unproven tech.

The next time someone wants a ‘self-driving’ car, ask them ‘and when’s the last time you found an error on your GPS, because that’s what ‘drives’ a self-driving car?’

nasch says:

Re: Smart Car Oxymoron

The next time someone wants a ‘self-driving’ car, ask them ‘and when’s the last time you found an error on your GPS, because that’s what ‘drives’ a self-driving car?’

You know they have cameras and other sensors, and don’t just rely on GPS, right? Your self-driving car might take you to the wrong place because of a GPS error, but it’s not going to drive you into a lake because of one.
