Vulnerabilities in the Mitsubishi Outlander's Wi-Fi console allow cyberattackers to turn off car alarms before potentially stealing the vehicle, researchers have found.
On Monday, security experts from PenTestPartners said the Japanese firm's Outlander plug-in hybrid electric vehicle (PHEV), a popular family SUV, is vulnerable to an attack which could result in attackers using the car's connectivity to turn off alarm systems and compromise the vehicle.
The cyberattack takes place through the Outlander's Wi-Fi module and can not only be used to disengage alarms but can also be used to fiddle with settings and drain battery life.
Car thieves can buy themselves time by disabling the alarm, giving them a chance to start the car through various means and make off with the vehicle.
According to the research team, the problem lies within the "unusual" way the car's mobile application connects to the vehicle. After purchasing one to investigate the problem, they discovered that the Outlander does not rely on a typical GSM module, but rather hosts a Wi-Fi access point. In order to connect to the car, your mobile device must disconnect from any other Wi-Fi networks.
While cheaper and potentially more of a hassle as the car can only be connected to while in range, the Wi-Fi module has "not been implemented securely," PenTestPartners says.
The pre-shared Wi-Fi key is short and was cracked through a 4X GPU rig in less than four days -- but with more computing power, the time it took to compromise the network would be far shorter.
To capture the handshake, the team were able to use public resources to find the required code, before setting up a man-in-the-middle (MitM) attack to spy on the data flowing between app and vehicle, as well as compromise the car's system by accessing the onboard diagnostics port.
This, in turn, led to the researchers being able to turn lights on and off, push the car to charge on premium-rate electricity, turn the car alarm off and mess with the air conditioning system.
"Once unlocked, there is potential for many more attacks," the team says. "The onboard diagnostics port is accessible once the door is unlocked. Whilst we haven't looked in detail at this, you may recall from a hack of some BMW vehicles which suggested that the OBD port could be used to code new keys for the car."
Another problematic point is that each Outlander's Wi-Fi network name is distinctive.
"Some were spotted while driving and others when parked at their owner's house," PenTestPartner security researcher Ken Munro said. "A thief or hacker can therefore easily locate a car that is of interest to them."
When the research team first approached the Japanese automaker, all they received was "disinterest," but after approaching the media, Mitsubishi's attitude rapidly changed and a fix is in the works.
Mitsubishi said in a statement that "this hacking is a first for us as no other has been reported anywhere else in the world," and the company is "taking the matter seriously."
While an investigation into the security flaws takes place, the automaker recommends that Outlander owners disable their onboard Wi-FI through the car's app by selecting "cancel VIN Registration" or through the remote app cancellation process. The mobile app will become useless, but this does act as a short-term fix.
Mark Skilton, Professor of Practice in the Information Systems & Management Group at Warwick Business School said:
"Cars are increasingly having on-board connectivity to the internet beyond just entertainment and to the operation of the car itself. But, while access to email and websites is one thing, access to mission critical systems in any situation - be it a building, operating theatre or transport vehicle - is a whole different set of risk and security issues."