Analysis

WiFi hack disables car alarm on Mitsubishi Outlander

7th June 2016
Joe Bush
0

There are ongoing concerns over security in the connected car, such as how much of a priority it is among automotive manufacturers, as well as how much these manufacturers actually know about hacking risks and connected car security.

Despite the fact that cars these days represent a hacking target, research has shown that other factors are higher on the priority list than security, and in fact, security is often not integrated into the automotive development process, but is treated as a ‘nice to have’ add-on.

High profile hacking incidents such as 2014’s remote infiltration of a Jeep Cherokee, has highlighted that security needs to be treated as a design imperative by automakers in the same way that they treat quality, functionality and performance requirements.

However, this week has seen another example of the vulnerability of connected cars with the announcement that the alarm on the Mitsubishi’s Outlander hybrid can be remotely disabled by hackers due to security bugs – opening the door to thieves.

Like many hybrid cars, the Mitsubishi Outlander has a counterpart app that allows you to check the status of the car and control certain functions. However, rather than GSM, this system uses WiFi, and that connection wasn’t particularly secure.

Pen Test Partners, the security researchers that carried out the hacking, realised that most Outlanders would be parked outside their owner's houses, so by kicking a mobile phone off an owner’s home WiFi connection, the researchers were able to wait for it to find the car instead, and then capture the data exchange.

Commenting on the hack, Pen Test Partners said: “What’s really unusual is the method of connecting the mobile app to the car. Most remote control apps for locating the car, flashing the headlights, locking it remotely etc, work using a web service. The web service is hosted by the car manufacturer or their service provider. This then connects to the vehicle using GSM to a module on the car. As a result, one can communicate with the vehicle over mobile data from virtually anywhere.

“The Outlander PHEV does it differently. Instead of a GSM module, there is a WiFi access point on the vehicle. In order to connect to the car functions, we have to disconnect from any other WiFi networks and explicitly connect to the car AP. From there, we have control over various functions of the car.

“This has a massive disadvantage to the user in that we can only communicate with the car when in WiFi range. We assume that it’s been designed like this to be much cheaper for Mitsubishi than a GSM / web service / mobile app-based solution. There’s no GSM contract fees, no hosting fees, minimal development cost. Unfortunately, we found that this system had not been implemented securely.”

Once the hack was completed researchers were then able to imitate an owner’s phone, and control several different functions. They were able to turn the lights on and off, use the air conditioning to drain the car’s battery, and disable the car’s theft alarm.

The fact is that as vehicles are getting more advanced they are becoming easier to hack, so manufacturers will need to make tomorrow’s cars as secure as our phones and computers.

Mitsubishi recommended that users turn off the WiFi while it investigates the issues with the system.

A video where Ken Munro from Pen Test Partners explains the hack in greater detail can be viewed below.

Featured products

Upcoming Events

View all events
Newsletter
Latest global electronics news
© Copyright 2024 Electronic Specifier