2 min read

Lax security means hackers could steal your Mitsubishi Outlander

Graham CLULEY

June 07, 2016

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Lax security means hackers could steal your Mitsubishi Outlander

If you’ve got a Mitsubishi Outlander hybrid electric car then you’ve also got a problem.

Security researchers at Pen Test Partners have discovered that the top-selling family SUV’s security is fatally flawed because of the unusual method that Mitsubishi used to connect the vehicle to its mobile app.

As researcher Ken Munro explains in a YouTube video, the Mitsubishi Outlander is unusual in that it comes with its own wireless access point to connect the owner’s app, rather than communicating via GSM.

“Most remote control apps for locating the car, flashing the headlights, locking it remotely etc. work using a web service. The web service is hosted by the car manufacturer or their service provider. This then connects to the vehicle using GSM to a module on the car. As a result, one can communicate with the vehicle over mobile data from virtually anywhere.”

Munro says he found it easy to crack the pre-shared key used to connect to the car, and his team were able to find a way of cracking the messaging protocol – showing they could force the car to turn on its lights, heating and air conditioning (potentially draining the battery) and even disable the theft alarm.

alarm-off

Source: Pen Test Partners

The fact that the vehicle’s alarm can be disabled is, of course, a considerable concern – especially as the researchers showed they could use the Wi-Fi search engine wigle.net to “easily” geolocate a car and track it. Such an ability is clearly a boon for car thieves.

The researchers informed the car manufacturer of the security flaw in the Mitsubishi Outlander, but initially failed to get a satisfactory response until the BBC took an interest in the issue.

Until a proper fix is available Mitsubishi Outlander owners are advised to unpair any mobile device they have connected to the car’s access point – effectively telling the vehicle’s Wi-Fi module to go into sleep mode. This is done by opening the app, going to “Settings” and selecting “Cancel VIN Registration”.

Mitsubishi has published details of how to delete the registration on this webpage.

delete-reg

This vulnerability is just the latest in a series of security flaws found in vehicles recently. Problems seen have included cars that could have their brakes disabled just by sending an SMS, Jeeps being commandeered remotely, and millions of GM cars vulnerable to remote exploitation via their onboard OnStar dashboard computer.

It’s clear that automobile manufacturers are racing to connect their vehicles to the internet in a bid to appeal to gadget-loving drivers, but that safety and security is not being treated as a priority.

As more and more cars jump on the Internet of Things bandwagon, it’s not just going to be the risk of remote control car theft that we are going to have to worry about. Our own physical safety is going to be an increasing concern too.

tags


Author



Right now

Top posts

The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials
Silviu STAHIE

November 26, 2021

1 min read
Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group
Filip TRUȚĂ

November 26, 2021

1 min read
Couple arrested for secretly installing cryptomining software on department store PCs Couple arrested for secretly installing cryptomining software on department store PCs
Graham CLULEY

November 26, 2021

1 min read