Mitsubishi Outlander PHEV Gets Hacked without Mercy or Any Real Difficulty
Once the Pen Test Partners researchers gained access to the Outlander’s WiFi access point, they were able to carry out a man-in-the-middle attack between a driver’s WiFi network and the vehicle, allowing them to replay various messages from the mobile app and figure out the binary protocol for those messages.
He realised it was on a nearby Mitsubishi Outlander that belonged to a friend, who then showed him the associated app and how it could be used to control some aspects of the vehicle. The module allows access to the car via an app.
In the Mitsubishi Outlander hack video, Munro said some of the vulnerabilities are “funny” but others are “really quite nasty”.
“Once unlocked, there is potential for many more attacks”. The mobile app will become useless, but this does act as a short-term fix.
Firstly, Munro said that the Wi-Fi SSID is very distinct and can be easily identified once known.
Using their hack, Munro and his team were able to turn the car’s lights on and off, mess around with its electric charging programme (including draining the battery), turn on the air conditioning, and disable the car alarm.
Once they managed to access the car’s WiFi module, they were able to reverse-engineer the communications protocol used to send commands from the app to the vehicle.
“This is shocking and should not be possible”, Munro said in a blog post on the Pen Test Partners website, before adding that he had spoken to Mitsubishi and its United Kingdom press office twice about the security vulnerability.
The team used this access to replay commands sent to an Outlander, allowing them to flash the lights, tweak its charging settings and drain the battery.
After getting the SSID and the PSK of the cars, the researchers were able to imitate an owner’s phone and control several different functions. If they had done, their hack would have allowed them access to more intrusive vehicle operations, such as the ability to start the car’s engine or activate its brake at any time.
Mr Munro said he had been impressed by the cooperation he had received from Mitsubishi in exploring the bugs and seeking ways to fix them.
The website says, “Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest”.
In a statement, Mitsubishi said: “This hacking is a first for us as no other has been reported anywhere else in the world”. He said: “The password is not long enough”.
While Mitsubishi investigated, it recommended that owners deactivate their onboard Wi-Fi via the “cancel VIN Registration” option on the app or by using the remote app cancellation procedure. Mitsubishi then seemed to downplay the vulnerability, telling the BBC, “It should be noted that without the remote control device, the auto cannot be started and driven away”.
There are a few short- to medium-term fixes, according to the researchers, but ultimately Mitsubishi may have to recall the Outlander to fix the problem.