
Lax security means hackers could steal your Mitsubishi Outlander

Graham CLULEY

June 07, 2016


If you’ve got a Mitsubishi Outlander hybrid electric car then you’ve also got a problem.

Security researchers at Pen Test Partners have discovered that the top-selling family SUV’s security is fatally flawed because of the unusual method that Mitsubishi used to connect the vehicle to its mobile app.

As researcher Ken Munro explains in a YouTube video, the Mitsubishi Outlander is unusual in that it comes with its own wireless access point to connect the owner’s app, rather than communicating via GSM.

“Most remote control apps for locating the car, flashing the headlights, locking it remotely etc. work using a web service. The web service is hosted by the car manufacturer or their service provider. This then connects to the vehicle using GSM to a module on the car. As a result, one can communicate with the vehicle over mobile data from virtually anywhere.”

Munro says he found it easy to crack the pre-shared key used to connect to the car, and his team were able to find a way of cracking the messaging protocol – showing they could force the car to turn on its lights, heating and air conditioning (potentially draining the battery) and even disable the theft alarm.

[Image: alarm-off. Source: Pen Test Partners]

The fact that the vehicle’s alarm can be disabled is, of course, a considerable concern – especially as the researchers showed they could use the Wi-Fi search engine wigle.net to “easily” geolocate a car and track it. Such an ability is clearly a boon for car thieves.

The researchers informed the car manufacturer of the security flaw in the Mitsubishi Outlander, but failed to get a satisfactory response until the BBC took an interest in the issue.

Until a proper fix is available, Mitsubishi Outlander owners are advised to unpair any mobile device they have connected to the car’s access point – effectively telling the vehicle’s Wi-Fi module to go into sleep mode. This is done by opening the app, going to “Settings” and selecting “Cancel VIN Registration”.

Mitsubishi has published details of how to delete the registration on this webpage.

This vulnerability is just the latest in a series of security flaws found in vehicles recently. Problems seen have included cars that could have their brakes disabled just by sending an SMS, Jeeps being commandeered remotely, and millions of GM cars vulnerable to remote exploitation via their onboard OnStar dashboard computer.

It’s clear that automobile manufacturers are racing to connect their vehicles to the internet in a bid to appeal to gadget-loving drivers, but that safety and security are not being treated as a priority.

As more and more cars jump on the Internet of Things bandwagon, it’s not just going to be the risk of remote control car theft that we are going to have to worry about. Our own physical safety is going to be an increasing concern too.
