Mitsubishi Hybrid SUV Hack Puts Drivers At Risk, Says Researcher

Researchers discover a vulnerability in Mitsubishi’s Outlander Hybrid SUV that allows hackers to disable the anti-theft alarm from a laptop and control the car’s heat and AC.

Security experts are warning owners of Mitsubishi Outlander Plug-In Hybrid Electric Vehicles that their cars can be hacked via the automobile’s on-board WiFi network used for remote control of key car features.

The hybrid electronic vehicle, which is slated to be sold here in the U.S. starting this fall, suffers from weak password requirements that can easily be bypassed with a brute-force password attack, according to researchers at the Pen Test Partners. The car is predominantly sold in Europe today.

Security researcher Ken Munro with Pen Test Partners discovered the vulnerability that allows him to disable the anti-theft system, manipulate the car’s climate control system, and turn on/off headlights.

“Once unlocked, there is potential for many more attacks. The on-board diagnostics port is accessible once the door is unlocked,” wrote researchers at Pen Test Partners in a blog post explaining the discovery. That type of access can be used to program a new key for the car that can be used to steal the $40,000 vehicle, Munro said.

Pen Test Partners point out the vulnerability can also be used to drain the car’s battery and strand a car owner. Additionally, researchers were able to use commonalities shared by Outlander PHEV IP addresses to use a search engine for mapping wireless networks (Wigle.net) to geolocate other Outlander PHEVs in real time on a map.

Munro discovered the vulnerability when testing the car’s remote access features. The problem, he said, is that the Mitsubishi Outlander PHEV uses direct Wi-Fi link between the automobile and an Apple or Android device used to access remote features via the cars’ specialized app. The password requirements for the car’s SSID are 6 lower-case alpha characters and 6 digits.

“The Wi-Fi pre-shared key is written on a piece of paper included in the owners’ manual. The format is too simple and too short. We cracked it on a 4 x GPU cracking rig at less than 4 days. A much faster crack could be achieved with a cloud hosted service, or by buying more GPUs,” researchers wrote.

Mitsubishi, for its part told Threatpost in an email interview that it is working diligently to investigate the issue. “It is important to clarify that this hack only pertains to the smartphone app and has limited actual impact on the vehicle itself,” Mitsubishi wrote. “While this app also monitors the status of the vehicle’s doors and hood (open/closed), it cannot lock or unlock them.” The car maker said any customer who is concerned about this issue should deactivate the vehicle’s WiFi using the “Cancel VIN Registration” option found in the app.
Most remote access apps for controlling car features made by other car manufacturers differ from Mitsubishi’s design in that they rely on a web-based service hosted on the car manufacturer’s servers and connect to the vehicle via a cellular data connection. The Outlander’s reliance on a Wi-Fi access point on the vehicle is a massive disadvantage, said Pen Test Partners researchers.

Munro theorized that Mitsubishi’s “poor” design of the remote access feature is a cost cutting measure that does not require an expensive backend infrastructure. Additional research, Munro said, would be needed to determine if the access to the car’s Wi-Fi module could be used to access the car’s onboard computer system called Controller Area Network (CAN).

“There is certainly access to the infotainment system from the Wi-Fi module. Whether this extends to the CAN is something we need more time to investigate,” Munro said.

Munro’s discovery was not exactly on par with the type of devastating vulnerability discovered by Charlie Miller and Chris Valasek who demonstrated full remote access to a Jeep Cherokee in 2015. Nor is it the type of vulnerability that researcher Troy Hunt found that allowed him to exploit an insecure API that gave him remote access to onboard computers of 200,000 Nissan Leaf and eNV200 electric automobiles. But, Munro says, the Mitsubishi vulnerability should be taken seriously considering privacy implications of being tracked online by a third-party or that a Mitsubishi  car owner could have their Outlander damaged or stolen.

In March, in a joint public service announcement, the FBI and NHTSA warned of vulnerabilities tied to smart-car features and aftermarket devices that connect to a car’s electronic control units (ECUs). In some cases, the agencies wrote the vulnerabilities present “an unreasonable risk to safety based on a number of critical factors.”

Suggested articles