A team of experts from the UK security firm Pen Test Partners has demonstrated that it is possible to remotely control some feature of the popular SUV Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV).
The hackers have found a number of vulnerabilities that affects the mobile applications designed to control some features of the Mitsubishi Outlander PHEV. Differently from other cars, the Mitsubishi Outlander PHEV allows mobile applications (Android and iOS) to control some features of the vehicles only through a Wi-Fi connection.
“What’s really unusual is the method of connecting the mobile app to the car. Most remote control apps for locating the car, flashing the headlights, locking it remotely etc. work using a web service. The web service is hosted by the car manufacturer or their service provider. This then connects to the vehicle using GSM to a module on the car. As a result, one can communicate with the vehicle over mobile data from virtually anywhere.” states a blog post published by Pen Test Partners.
Experts speculate that Mitsubishi has adopted this communication system because it is cheaper than a GSM / web service / mobile app based solution. With this implementation the car manufacturer cut the GSM contract fees, hosting fees, and reduced the development cost.
The researchers focused their analysis on the way the mobile apps communicate with the vehicles. They discovered that the connectivity leverages on the Wi-Fi Protected Access Pre-Shared Key (WPA-PSK) security protocol. The experts spent less than four days to crack the communication, but they highlighted that it could be done almost instantly using $1,400 worth of cloud computing resources.
The hackers discovered that Pen Test Partners discovered that each Mitsubishi Outlander PHEV access point has a unique SSID, and all the SSIDs have a specific format. Ops … but this means that hackers can easily find the location of these SSIDs by using wireless network mapping services such as WiGLE.
The experts analyzed the binary protocol used for the communication between the mobile apps and the vehicle, then they launched a man-in-the-middle (MitM) attack in order to control a number of features of the Mitsubishi Outlander PHEV.
An attacker who is in the proximity of the SUV can control various functions, including the air conditioning, the lights, and even the alarm.
“Once unlocked, there is potential for many more attacks. The on board diagnostics port is accessible once the door is unlocked. Whilst we haven’t looked in detail at this, you may recall from a hack of some BMW vehicles which suggested that the OBD port could be used to code new keys for the car,” researchers explained. “We also haven’t looked at connections between the Wi-Fi module and the Wi-Fi module and the Controller Area Network (CAN). There is certainly access to the infotainment system from the Wi-Fi module.”
Waiting for a fix from the car vendor, users can unpair their mobile devices from the vehicle’s access point (Settings->Cancel VIN Registration). Then there are no mobile devices paired with the vehicle hot spot the Wi-Fi module goes to sleep and will only be re-enabled if the key remote is pressed ten times.
“Once all paired devices are unpaired, the Wi-Fi module will effectively go to sleep. It cannot be powered up again until the car key remote is pressed ten times. A nice security feature.
This has the side effect of rendering the mobile app useless, but at least it fixes the security problem.” continues the post.
(Security Affairs – Mitsubishi Outlander PHEV, car hacking)