

·
Registered
Joined
·
12 Posts
Discussion Starter #1
I work for a company called Pen Test Partners; we're an IT security consultancy. A few of my colleagues recently identified some vulnerabilities in the Outlander that could allow anyone to disable the car's alarm system! We could also turn on the heating, draining the battery, a bit like the Nissan Leaf hack, but being able to disable the car's alarm makes this vulnerability much more serious.

There is a bit too much information to post here, but for more details, and information on a temporary workaround to secure the car, please visit our blog: Hacking the Mitsubishi Outlander PHEV hybrid | Pen Test Partners

Thank you,
Alan.
 

·
Registered
Joined
·
1,006 Posts
Oh, for those who just want a quick update:

Mr Munro said he had been impressed by the cooperation he had received from Mitsubishi in exploring the bugs and seeking ways to fix them.

In a statement, Mitsubishi said: "This hacking is a first for us as no other has been reported anywhere else in the world."

It said it "took the matter seriously" and was keen to get Mr Munro talking to its engineers in Japan to understand what he found and how it could be remedied.

It added that although the bugs were "obviously disturbing" the hack only affected the car's app and would give an attacker limited access to the vehicle's systems.

"It should be noted that without the remote control device, the car cannot be started and driven away," it said.

While Mitsubishi investigated it recommended that owners deactivate their onboard wi-fi via the "cancel VIN Registration" option on the app or by using the remote app cancellation procedure.
 

·
Registered
Joined
·
675 Posts
So, you have to sit there and try and wireshark traffic between car and phone, for which you would have to be very close - practically standing next to the car, based on the shitty range that my car has to my phone.

Then you have to crack the PSK, which requires a fairly reasonable amount of expense on compute resources, but not particularly difficult.

Then you can go back and turn the alarm off, but not unlock the car, and maybe drain the battery with the heater.

Considering the fact that most people don't bother looking when car alarms go off anyway, not a big scary thing to me TBH.

Also, I set my phone to not automatically connect to the car without my specific request (as a fix to the bluetooth car kit dropping out thing) so the approach they took of bumping the mobile off the house wifi in the hope that it connects to the car wouldn't work anyway. May just delete the VIN anyway as I cannot remember the last time I connected to the car with my phone anyway, mainly do it in the winter to kick off the heating but started putting that on a timer.
 

·
Registered
Joined
·
338 Posts
My wifi has never been switched on, so I wasn't too bothered when I read the news this morning. However, when I left to go to work my clock had put itself forward an hour. Spooky!
 

·
Registered
Joined
·
12 Posts
Discussion Starter #9
Cracking the PSK does have a time/cost trade off, but if you wanted to spin up thousands of compute nodes in the Amazon cloud or something, you could break the PSK very quickly. If you automated this attack, you could get to the point where walking through a car-park, your phone could spot a PHEV, and you could be in the car in minutes. The cost to crack the PSK in the Amazon cloud is a lot less than the value of the car!
 

·
Registered
Joined
·
675 Posts
I am more than aware of how easy it would be using AWS. That is kind of what I was alluding to. However my point is still valid. All you are doing is silencing the alarm which no-one in the modern world takes heed of. All of the other preventative measures to theft are still in place...

Being in the car in minutes as you say is not sped up in any way - so why bother buying AWS instances to do so...

This is not a major threat, or a massive 'hack'. Just a way to disable an alarm which would be quite quick to silence once you are in the car anyway with a fuse or two being pulled.


 

·
Registered
Joined
·
141 Posts
It's a shame that this has happened. Why didn't Mitsubishi respond to PTP's initial communication and fix this issue before leaving PTP with no options but to publicly disclose?

On the bright side, owners may end up with some free services or the like for the inconvenience.
 

·
Registered
Joined
·
1,006 Posts
It's a shame that this has happened. Why didn't Mitsubishi respond to PTP's initial communication and fix this issue before leaving PTP with no options but to publicly disclose?

On the bright side, owners may end up with some free services or the like for the inconvenience.
For the same reason Waitrose have still not fixed a gaping security flaw in their website which I reported to them some time ago. They came back with fatuous "we take security very seriously..." bullshit and will ignore it. Only once regulations make it more expensive to ignore a security issue than to fix it will this kind of head-in-the-sand attitude change.
 

·
Registered
Joined
·
12 Posts
Discussion Starter #13
Vendors often do that in the hope that you simply go away. It's not until it becomes news that they start to take an interest. Funny that! I think that disabling the alarm is a significant security issue, and it's nice that Mitsubishi are taking it seriously now. :)
 

·
Registered
Joined
·
249 Posts
I can just imagine the monthly product progress meetings at Mitsubishi where the manager from the marketing department says "... and we want to give people an app so that they can do fancy stuff on the car", and the technical people trying to explain about secure central servers, and how every car will need GPRS/3G/4G and a subscription using a mobile provider in each country, and how much the ongoing costs would be, or they could do it on the cheap and just put a WiFi access point in the car. And the manager from the marketing department didn't realise that the techies were just being sarcastic.
So the techies say really sarcastically ... "OK, but it will take a few months to do it securely, or should we just rely on WPA2 if you want it tomorrow?"
And the manager from the marketing department says "tomorrow".
Welcome to Dilbert
 

·
Registered
Joined
·
249 Posts
I think it's a little bit worse than the Tesla SSL issue, because you would need lots of expensive hardware to do a man in the middle with the Tesla and a 3G base station.

If Mitsubishi haven't done an update by the end of the year, there will probably be a "script kiddie toolkit" that naughty people can buy, which will probably just require a decent spec laptop and/or an app for an android phone/tablet that can be left in wifi range of our cars for a few days, before they can fiddle with the settings of the car.

It is certainly not as bad as last year's issue that Nissan had, where you can read the VIN number through the windscreen, then create a URL that takes you to the car wings web site for that particular car, and fiddle with the heating timers, from any internet connected device, anywhere on the planet.
I don't remember the BBC repeating that story on the news every hour.
Didn't the PTP man say that was the more secure way to do it?

A cat will get stuck in a tree tomorrow, and the world will have moved on to new things.
 

·
Registered
Joined
·
306 Posts
It is certainly not as bad as last year's issue that Nissan had, where you can read the VIN number through the windscreen, then create a URL that takes you to the car wings web site for that particular car, and fiddle with the heating timers, from any internet connected device, anywhere on the planet.
I think the Mitsubishi system is not as easy to hack, but more worrying that you can disable the alarm via the hack. The Leaf was embarrassingly poorly secured, but all the hackers could do was turn the climate control on or see how many miles the car had done that day.

Perhaps I'm oversimplifying things, but I struggle to understand why everything has to be connected to the internet. I recently read that a flood barrier in the USA could be hacked so potentially a terrorist could flood the town without setting foot in the country. Surely if a device is not "online" it can't be hacked, I know this is unavoidable with certain devices, but why is a car's alarm system and a city's flood defences connected to a network that everyone has access to?
 

·
Registered
Joined
·
142 Posts
It's a very different hack to a Leaf.

The news article seems to suggest that it's worse because it's a local wifi not via a server, but that's not true - quite the opposite.

The hack requires the hacker to be physically close to the car and all they can do is "play back" commands a registered phone has sent whilst both hacker and hackee are connected.

That's a pretty limited probability of exposure, compared to a script kiddie with a VIN operating from anywhere (Nissan).

Frankly, I have to be so close to my car for the WiFi range to work that the hacker and I would need to be intimately acquainted before I need worry.
 