Security researchers have found a flaw in the Mitsubishi Outlander that could allow car thieves to switch off the car's alarm.
The researchers at Pen Test Partners discovered that the plug-in hybrid vehicle's Wi-Fi module could be accessed by anyone within range of the car just by using a smartphone.
It was discovered that the car used a wireless module instead of the GSM module used in other similar cars. The module allows access to the car via an app. This wireless access point uses a Wi-Fi pre-shared key, which is written on a piece of paper included in the owner's manual. The researchers cracked the key using a 4-GPU cracking rig in less than 4 days.
“A much faster crack could be achieved with a cloud hosted service, or by buying more GPUs,” said the researchers in a blog post.
Once the wireless access point was accessed, the researchers carried out a man-in-the-middle attack so that messages from the mobile app could be replayed. In doing so, the researchers managed to switch the car's lights off and on.
“We messed around with the charging programme, from which we could force the car to charge up on premium rate electricity,” the researchers said. “We could also turn the air conditioning or heating on/off to order, draining the battery.”
Ultimately, the researchers managed to disable the car alarm.
The researchers said that as a short-term fix, all mobile devices connected to the car's access point should be unpaired.
“Once all paired devices are unpaired, the Wi-Fi module will effectively go to sleep. It cannot be powered up again until the car key remote is pressed ten times. A nice security feature,” said the researchers.
A longer-term fix, according to the researchers, would be to have a more secure GSM module fitted, but the researchers admitted this would probably involve a recall of vehicles.
The researchers said that when they tried to disclose the problem to Mitsubishi, they were “greeted with disinterest”. It was only the involvement of the BBC that helped in getting attention.
Richard Kirk, senior vice president at AlienVault, told SCMagazineUK.com that one has to ask why the app developers did not fully explore all the potential attack vectors, including a visible Wi-Fi access point, which is like leaving a back gate open.
“Mitsubishi, like all car manufacturers, should involve their security teams during the design and development of their in-car app services, and perhaps consider employing a security monitoring managed service to be able to detect unusual behaviour,” he said.
Justin Harvey, chief security officer at Fidelis Cybersecurity, told SC that while it's surprising that these vulnerabilities were not detected by Mitsubishi beforehand, both consumers and enterprises must evaluate the risks of Internet of Things (IoT) devices before implementing them.
“The physical nature of these ‘things’ represents a kinetic danger to the real world and, in reality, they could cause an accident or a serious injury. While no damage has been done on this occasion, there is no doubt that similar vulnerabilities will be detected in the years to come,” he said.