Lax security means hackers could steal your Mitsubishi Outlander

Graham CLULEY

June 07, 2016


If you’ve got a Mitsubishi Outlander hybrid electric car then you’ve also got a problem.

Security researchers at Pen Test Partners have discovered that the top-selling family SUV’s security is fatally flawed because of the unusual method that Mitsubishi used to connect the vehicle to its mobile app.

As researcher Ken Munro explains in a YouTube video, the Mitsubishi Outlander is unusual in that it comes with its own wireless access point to connect the owner’s app, rather than communicating via GSM.

“Most remote control apps for locating the car, flashing the headlights, locking it remotely etc. work using a web service. The web service is hosted by the car manufacturer or their service provider. This then connects to the vehicle using GSM to a module on the car. As a result, one can communicate with the vehicle over mobile data from virtually anywhere.”

Munro says he found it easy to crack the pre-shared key used to connect to the car, and his team were able to find a way of cracking the messaging protocol – showing they could force the car to turn on its lights, heating and air conditioning (potentially draining the battery) and even disable the theft alarm.

[Image: alarm-off. Source: Pen Test Partners]

The fact that the vehicle’s alarm can be disabled is, of course, a considerable concern – especially as the researchers showed they could use the Wi-Fi search engine wigle.net to “easily” geolocate a car and track it. Such an ability is clearly a boon for car thieves.

The researchers informed the car manufacturer of the security flaw in the Mitsubishi Outlander, but failed to get a satisfactory response until the BBC took an interest in the issue.

Until a proper fix is available, Mitsubishi Outlander owners are advised to unpair any mobile device they have connected to the car’s access point – effectively telling the vehicle’s Wi-Fi module to go into sleep mode. This is done by opening the app, going to “Settings” and selecting “Cancel VIN Registration”.

Mitsubishi has published details of how to delete the registration on this webpage.

This vulnerability is just the latest in a series of security flaws found in vehicles recently. Problems seen have included cars that could have their brakes disabled just by sending an SMS, Jeeps being commandeered remotely, and millions of GM cars vulnerable to remote exploitation via their onboard OnStar dashboard computer.

It’s clear that automobile manufacturers are racing to connect their vehicles to the internet in a bid to appeal to gadget-loving drivers, but that safety and security are not being treated as a priority.

As more and more cars jump on the Internet of Things bandwagon, it’s not just going to be the risk of remote control car theft that we are going to have to worry about. Our own physical safety is going to be an increasing concern too.
