When it comes to electric and plug-in hybrid cars, having some form of remote telematics system has become something of the expected norm for both customers and automakers. Operating via either an always-on Internet connection built into the car or a less-sophisticated SMS-based messaging system between car and automaker data center, remote telematics allow owners of modern electric and plug-in hybrid cars to carry out a range of functions from setting the navigation system and checking on the state of charge to unlocking the doors and setting the climate control.
But as regulars to the site and those with more than a passing interest in computers will know, any time you give a car any form of network connection you increase the risk that it becomes the target of high-tech ne’er-do-wells. How easily that target can be exploited depends on how well the system is designed, what type of connection it uses to either the Internet or your cellphone, and what type of security protocols are used. And while most major automakers are accomplished when it comes to making cars that we want to own and drive, it turns out that they’re not very good at IT security.
Already this year, we’ve seen exploits discovered (and now patched) in the NissanConnect EV telematics system used for the Nissan LEAF and Nissan e-NV200 electric vehicles. In previous years, we’ve seen remote telematics plug-in car security exploits detailed for the Tesla Model S, GM OnStar, and BMW’s ConnectedDrive system, all of which have now been hacked.
Now we can add another car to the list of exploited plug-in cars: the highly popular Mitsubishi Outlander Plug-in Hybrid.
The news comes courtesy of computer security consultants Pen Test Partners, which discovered a series of major security flaws in the way the Outlander Plug-in Hybrid communicates with its partner smartphone app. If exploited correctly, those flaws could make it easy for tech-savvy thieves not only to gain access to the interior of a car but, by association, to gain access to the car’s onboard diagnostics system, making it possible to steal the car even without the appropriate key.
As detailed in an extensive blog on its website, the hack involves the reasonably insecure connection made between the car and its owner’s smartphone, which relies not on a 3G cellular data connection, as every other plug-in car on the market today does, but on a limited-range WiFi connection. With the right equipment, says Pen Test Partners expert Ken Munro — whose Mitsubishi Outlander Plug-in Hybrid was used to demonstrate the exploit to the BBC’s Rory Cellan-Jones earlier today — a steal-to-order car thief could gain entry to almost any Outlander Plug-in Hybrid almost instantaneously, using the exploit to switch off the car’s alarm, unlock the car and, after a short pause to program a new key, drive away.
The exploit itself comes from the fact that Mitsubishi chose to use WiFi as its preferred method of connection to the car rather than a cellular data connection. While cheaper due to no requirement for a data subscription, the system is far less secure than a cellular data connection because each car is only as secure as the wireless access point in each car.
Sadly, while each Outlander Plug-in Hybrid has a unique SSID (network name) for its ad-hoc WiFi network and a unique password, the SSID follows an easily identifiable format: [REMOTEnnaaaa] where ‘n’ are numbers and ‘a’ are lower-case letters. With the target network identified, it was a reasonably easy process to brute-force the password for the network in question. While Pen Test Partners said it took a few days to brute-force the password for Munro’s car using a single computer and some easily obtainable hacking tools, the company also notes that with around £1,000 of cloud computing power (something companies like Amazon will happily sell on a per-use basis) the WiFi access point in the car can be cracked almost instantaneously.
Once the password has been obtained, it’s possible to then connect a mobile telephone or computer directly to the car’s on-board access point and, consequently, gain access to the car’s on-board systems, assuming the car has already been paired once with Mitsubishi’s smartphone Outlander PHEV app. While it took Pen Test Partners some extra work to reverse-engineer the ports and syntax of the insecure protocol used to communicate between car and smartphone, they were soon able to send commands to Munro’s Outlander PHEV to switch the lights on and off, as well as charging and climate control commands.
But perhaps the most shocking discovery was that while Mitsubishi’s app doesn’t allow locking and unlocking of doors, it does make it possible to activate and deactivate the car’s alarm remotely. With the right command, Munro and his team were able to deactivate his car’s alarm system, making it possible for an attacker to either break the window glass or force a door without triggering an alarm.
Then, once inside the car, Munro says, criminals have easy access to the car’s on-board diagnostics (OBD-II) port. Armed with a simple OBD-II interface, a new blank key could then be coded to work with the car’s security system, making it possible to drive the now broken-into car away within a few minutes, a technique now popular among high-tech car thieves.
If that sounds like a lot of work, it is. Especially for an opportunist thief. But thanks to online projects like Wigle.net — which log and show hundreds of thousands of WiFi access points around the world — it’s reasonably easy for thieves who know what to look for to locate vulnerable Outlander PHEV models from miles away. And with high-end Outlander PHEVs worth upwards of £40,000 new, investing even £1,000 on the computer power needed to crack the WiFi access point password and gain access to a parked car is a worthwhile expense to the career car thief.
Pen Test Partners says it reached out to Mitsubishi some time ago with information about the security flaw it discovered, but did not receive much interest from the automaker about patching it. Consequently, it has published the basic details of the flaw online, alongside a proposed short-term fix for any concerned owners: disconnection of any associated cellphones from the car’s access point, along with cancellation of VIN registration on all associated phones.
“First, go to the car and connect your mobile phone to the access point on the car. Then, using the app, go to ‘Settings’ and select ‘Cancel VIN Registration’,” the company instructs concerned owners on its blog. “Once all paired devices are unpaired, the Wi-Fi module will effectively go to sleep. It cannot be powered up again until the car key remote is pressed ten times. A nice security feature.
“This has the side effect of rendering the mobile app useless, but at least it fixes the security problem,” it continues.
For a mid-term fix, it suggests Mitsubishi rolls out a new firmware update to the car, and for longer-term fixes, a switch to the same cellular-style telematics systems used by other automakers is strongly advocated. And while the risk to Outlander Plug-in Hybrids in the wild will depend somewhat on where you live and where you keep your car at night, we’d advocate disconnecting from the app as suggested until a more permanent fix is devised.
As for Mitsubishi? We reached out to Mitsubishi UK this morning for comment, and the following statement was sent by return of mail.
- This hacking is a first for us as none other has been reported anywhere else in the world
- We take this matter very seriously and are very much willing to initiate a dialogue between Mr. Munro’s team and our own specialists in Japan to better understand & solve the issue
- Whilst obviously disturbing, this hacking only affects the car’s app, therefore with limited effect to the vehicle (alarm, charging, heating) – it should be noted that without the remote control device, the car cannot be started and driven away.
- At this early stage, until further technical investigation, we would recommend our customers to deactivate the WiFi using the ‘Cancel VIN Registration’ option on the app, or by using the remote app cancellation procedure
While Mitsubishi hasn’t yet launched the Outlander PHEV in the U.S., it’s an extremely popular car in Europe, where it has outsold the Nissan LEAF in some countries.
Do you have a Mitsubishi Outlander PHEV? Does this news concern you? Or do you not use the app anyway? And how do you feel Mitsubishi should handle the situation moving forward?