From GPS systems to satellite radio to wireless locks, today's vehicles are more connected to networks than ever, and so they are more hackable than ever.
Security researchers hacking connected cars is nothing new. The latest in the series of hackable connected cars is the Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV).
A security expert has discovered vulnerabilities in the Mitsubishi Outlander's Wi-Fi console that could allow hackers to access the vehicle remotely and turn off car alarms before potentially stealing it. The company has embedded a Wi-Fi module inside the car so that owners can connect the Mitsubishi mobile app to this Wi-Fi network and send commands to the car. Researchers from penetration testing firm Pen Test Partners discovered that the Mitsubishi Outlander uses a weak Wi-Fi access security key to communicate with the driver's phone.
The key to getting into the Wi-Fi can be cracked through a brute force attack (“on a 4 x GPU cracking rig at less than four days”), according to researchers. In fact, "a much faster crack could be achieved with a cloud hosted service, or by buying more GPUs."
Once the key was cracked, the researchers captured the handshake or connection process between the driver's phone and the car. The researchers then used a man-in-the-middle (MitM) attack between a driver's home Wi-Fi network and the car's access module to spy on the data flowing between the Mitsubishi app and the car, and compromise the car's system.
The researchers were then able to mess with the air conditioning system, turn lights on and off, push the car to charge on premium-rate electricity, change the car's charging settings, drain the battery, and, most disturbingly, break into the car and turn the car's anti-theft alarm off.
Another issue with the vehicle is that the name of each Outlander's Wi-Fi network is distinctive. "Some were spotted while driving and others when parked at their owner's house," security researcher Ken Munro said. "A thief or hacker can therefore easily locate a car that is of interest to them." Since the company has sold more than 100,000 Mitsubishi Outlander PHEVs worldwide, the hack is not great news for its users.
A short-term fix for car owners is to unpair all devices from their vehicle's Wi-Fi module. For this, go to the app's "Settings" and select the "Cancel VIN Registration" option. Once all paired devices are unpaired, the car's Wi-Fi module will effectively go to sleep. Mitsubishi responded to the issue by saying that "this hacking is a first for us as no other has been reported anywhere else in the world," and that it is working with Pen Test Partners to fix the issues permanently.