Hackers have exposed a vulnerability in the Mitsubishi Outlander plug-in hybrid electric vehicle that could allow the car’s anti-theft alarms to be disabled.
The flaw was discovered by security researchers Pen Test Partners, which investigates potential vulnerabilities in connected devices using penetration testing.
The vulnerability stems from the car’s use of a WiFi module which can be accessed by anyone within range of the access point who connects to it from a smartphone.
The researchers found that they could bypass the Wi-Fi assess module’s merge security key, which is too short and simple, through a brute force attack, allowing them to crack into the car’s WiFi within four days.
Other connected cars tend to use GSM modules to allow drivers to access the car’s systems though a smartphone app via a cellular connection. This generally makes connecting to such cars more secure.
Once the Pen Test Partners researchers gained access to the Outlander’s WiFi access point they were able to carry out a man-in-the-middle attack between a driver’s WiFi network and the car, allowing them to replay various messages from the mobile app and figure out the binary protocol for those messages.
This allowed them to turn the car’s lights on and off and interfere with the charging program which could be used to charge it on premium rate electricity, as well as adjust the air conditioning to drain the battery.
The researchers then worked out how to disable the car’s anti-theft alarm, rendering it useless in alerting the owner if a thief smashed the windows and unlocked the car.
The researchers offered a short-term fix that renders the mobile app useless, and a medium-term fix which would require Mitsubishi rolling out new firmware for the WiFi module. They noted that the flaw could mean a recall of the Outlander.
“Mitsubishi needs to re-engineer the rather odd WiFi AP client connection method completely. A GSM module/web service method rather more like BMW Connected Drive would be much better long term. Words like ‘recall’ spring to mind,” the researchers said.
This is not the first time a security flaws has been found in connected cars. Fiat Chrysler was forced to issue a software update for 1.4 million cars when they were found to be vulnerable to remote access hack attacks.
But the Outlander hack effectively demonstrates that the more connected cars become, the more vulnerable they are to potential attacks, something that’s a major concern in driverless car development.