Mitsubishi Outlander hybrid car alarm can be wirelessly hacked
Security researchers at Pen Test Partners have discovered a vulnerability in the Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) that could allow the car’s anti-theft alarm to be disabled and its battery drained through a wireless hack.
The vulnerability stems from the car’s use of an on-board Wi-Fi system, and could make it easier for thieves to exploit the bugs and gain time to break into and steal a vehicle.
Security expert Ken Munro discovered the poor security after spotting the Wi-Fi network of a nearby Mitsubishi Outlander appeared on his smartphone. To further investigate the matter, he purchased an Outlander and found the car’s charging schedule can be tampered with, leaving it with an empty battery. Further, the car’s alarm system can be remotely disabled to make matters even worse.
Without any physical access to the car, Munro and his team found that they could bypass the Wi-Fi access module’s security key, which is too short and simple, through a brute-force attack, allowing them to crack the car’s Wi-Fi password within four days using a “relatively slow” computer.
In a video posted to YouTube, Munro also demonstrated how he could remotely disable the alarm, then reach in through an open window, unlock the car and get inside. The alarm would not sound even if the window was smashed to gain entry. Munro then suggests a thief could start the car by hacking its universal diagnostics port on the dashboard, a common way for modern cars to be stolen.
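The weakness described above comes down to key length and character set: a short, simple pre-shared key has a small keyspace, so exhaustive guessing finishes in days even on modest hardware. The following Python is an added illustration, not code from the article or from Pen Test Partners, and the guess rate it uses is an assumed figure chosen for the example rather than anything measured by the researchers. It estimates the entropy and worst-case guessing time of a passphrase and generates a replacement key of the kind a manufacturer would ship to close the gap.

```python
import math
import secrets
import string

# Assumed guess rate for a "relatively slow" machine, in passphrase candidates
# per second. This is a constructed number for illustration only; the article
# gives no rate, just the outcome of roughly four days of work.
ASSUMED_GUESSES_PER_SECOND = 1_000

SECONDS_PER_DAY = 86_400


def charset_size(passphrase: str) -> int:
    """Size of the smallest union of standard character classes covering the passphrase."""
    size = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)
    return size


def entropy_bits(passphrase: str) -> float:
    """Upper bound on entropy, assuming each character was drawn uniformly from its class set."""
    n = charset_size(passphrase)
    if n == 0:
        return 0.0
    return len(passphrase) * math.log2(n)


def worst_case_crack_days(passphrase: str,
                          guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Days needed to enumerate the whole keyspace at the assumed guess rate."""
    keyspace = charset_size(passphrase) ** len(passphrase)
    return keyspace / guesses_per_second / SECONDS_PER_DAY


def generate_wpa2_psk(length: int = 32) -> str:
    """Generate a random alphanumeric WPA2 passphrase.

    WPA2 passphrases must be 8 to 63 printable ASCII characters; 32 random
    alphanumerics give about 190 bits, far beyond any brute-force budget.
    """
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters long")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample keys: a weak all-digit key at the WPA2 minimum length
    # versus a freshly generated strong one.
    for key in ("12345678", generate_wpa2_psk()):
        print(f"{key!r:36} entropy={entropy_bits(key):6.1f} bits  "
              f"worst-case={worst_case_crack_days(key):.3g} days")
```

The figures are only as good as the assumed guess rate, but the comparison is the point: the 8-digit key enumerates in about a day at a thousand guesses per second, while the generated 32-character key would take longer than the age of the universe at any plausible rate. Lengthening and randomising the shipped key is the vendor-side fix; Mitsubishi’s interim advice to customers, deactivating the Wi-Fi entirely, removes the attack surface until that fix arrives.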
Munro, who presented his findings to Mitsubishi, wrote in his blog post that “Mitsubishi have since been very responsive to us! They are taking the issue very seriously at the highest levels.”
In response to the finding, Mitsubishi told the Register: “This hacking is a first for us as no other has been reported anywhere else in the world. We take this matter very seriously and are very much willing to initiate a dialogue between Mr. Munro’s team and our own specialists in Japan to better understand and solve the issue.”
It further added: “Whilst obviously disturbing, this hacking only affects the car’s app, therefore with limited effect to the vehicle (alarm, charging, heating) – it should be noted that without the remote control device, the car cannot be started and driven away.
“At this early stage, until further technical investigation, we would recommend our customers to deactivate the Wi-Fi using the “Cancel VIN Registration” option on the app, or by using the remote app cancellation procedure.”