Security researchers at PenTestPartners divulged details of a vulnerability deemed perilous to users of the best-selling Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV). The security gap, explained in a security bulletin dated Monday, June 5, affects the Japanese firm’s SUV model, allowing potential attackers to exploit a car’s connectivity and use it to their advantage, whether by disabling the car’s alarm system or compromising the entire vehicle.
The security hole involves the vehicle’s Wi-Fi module, which opens an entryway to hacking and enables an attacker to gain access not just to the car’s alarm system but also to its settings. It can also give an attacker, or any outside party, the capability to drain the vehicle’s battery.
The researchers behind the discovery explained, “What’s really unusual is the method of connecting the mobile app to the car. Most remote control apps for locating the car, flashing the headlights, locking it remotely etc. work using a web service. The web service is hosted by the car manufacturer or their service provider. This then connects to the vehicle using GSM to a module on the car. As a result, one can communicate with the vehicle over mobile data from virtually anywhere.”
In the case of the Outlander PHEV, instead of the commonly used GSM module, the vehicle provides Wi-Fi connectivity. The researchers’ study showed that the module “has not been implemented securely,” with its pre-shared key easily decipherable. In addition, the Wi-Fi network name of the Outlander is “distinctive,” which means that any attacker with malicious intent can easily track down a car of their liking. Once a malicious actor unlocks and penetrates the system, this opens the floodgates to many potential attacks, from controlling the vehicle’s lights and temperature to its lock/unlock functions.
In a statement to ZDNet, the researchers behind the discovery shared that the vulnerability had been duly communicated to the company, which merited a “disinterested” response from the automotive giant. Interestingly, following the divulgence of the information to the media, Mitsubishi officials quickly shifted their reaction. Reportedly, a fix is currently in the works.
According to Mitsubishi, no similar occurrence has been reported in other parts of the globe. With over 100,000 hybrid cars believed to have been sold, the company noted that it has been taking the matter very seriously, working closely with the researchers and the authorities to thwart any possible harm brought by this unresolved security hiccup. As of now, with investigations ongoing, the company has urged owners to disable their onboard Wi-Fi in the app by canceling the VIN registration.
In March, the authorities released a public service announcement warning the public about the continuing surge of remote exploits that render motor vehicles vulnerable. The FBI bulletin noted, “The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles.”
Mitsubishi joins the growing line of makers whose smart cars have been discovered to have security flaws. In February 2016, Troy Hunt and Scott Helme discovered that Nissan’s Leaf car app can potentially be used to remotely hack any Nissan Leaf’s in-car systems. Prior to that, in the same month, a San Diego-based researcher shared how a critical flaw found in the smart car’s operating system allowed it to be carjacked, simply by playing a malware-laced CD. In 2015, security experts Chris Valasek and Charlie Miller staged a car-jacking stunt using 3G connectivity on a new Jeep Cherokee that remarkably brought about the recall of 1.4 million vehicles. Following the experiment, researchers also pointed out an exploit that could take over a vehicle’s brakes, among other systems.
Senior threat researcher Rainier Link, in his expert insight video, talks about smart car security and the role of car manufacturers in harnessing the security of this emerging technology: “From the manufacturer’s perspective, they might have a lot of knowledge on building cars but they may lack a little bit of knowledge on IT security because it’s new to them.”