Researchers at Pen Test Partners have wirelessly hacked the Mitsubishi Outlander Hybrid SUV, allowing them to take control of the vehicle’s electric charging and even turn off the alarm system.
In a five-minute video, security researcher Ken Munro demonstrates how easy it is for a potential hacker to take control of the system and potentially pinch the car without alerting anyone.
The major issue is Mitsubishi’s mobile app, which connects to a wireless access point inside the SUV and lets the owner set charging times, turn on the lights and air conditioning, and turn off alarms. To access the app, you need the SSID and password, which Munro claims is not enough security to deflect attackers.
In tests, Munro’s team was able to break into the car within four days using a low-power cracking rig, which uses brute force attacks to try every SSID and password combination until it breaks in. He said with more powerful equipment the hacker may be able to find the correct SSID and password within 24 hours.
“If I was a thief and I fancied your car, first of all because it’s a Wi-Fi device I would geo-locate it using resources like Wiggle,” said Munro. “I [would then] find your car, crack your Wi-Fi key, send the code required to disable the alarm from a laptop or a hacked mobile device, jimmy the door or smash your window, unlock your car then access the IDB port inside, and I’ve potentially got your car.”
Mitsubishi called it “no big deal?”
That’s quite a scary prospect, especially since when Munro’s team originally contacted Mitsubishi, the company told the researchers that it wasn’t a big deal and it wouldn’t fix the security issues. We assume, now that the hack has been made public, Mitsubishi will make efforts to fix the security issues, if it wants the Outlander Hybrid SUV to do well in the United States when it launches next year.
“The failures of poorly configured Wi-Fi security access have occurred in other high profile cases in the past couple of years,” said Warwick Business School cyber security professor, Mark Skilton. “They include the hacking of the inflight entertainment system in 2015 by security researchers on a United Airlines flight, to hacking nearly 100 networked traffic lights in Michigan by another security researcher with a laptop in 2014, enabling the changing of light commands at will.”
“These are not a failure of the system itself,” Skilton continued. “All these hacks exploited poor design of the systems’ security design. In all these cases the entry point has been compromised and it allowed the hacker to gain access to other systems on board that could include and threaten human safety.”
“Cars are increasingly having on-board connectivity to the internet beyond just entertainment and to the operation of the car itself. But, while access to email and websites is one thing, access to mission critical systems in any situation—be it a building, operating theatre or transport vehicle—is a whole different set of risk and security issues.”
Car security is becoming a much more important topic, as we enter an age of autonomy in vehicles. Imagine if instead of just being able to hack your dashboard, hackers were able to take control of your car and remotely steer it?
“Connected devices should not be the network—they should attach to a network, using the authentication and security designed into a proper network,” said Dirk Gates, founder of wireless networking firm Xirrus. “By trying to simplify things—turning [the car] into a Wi-Fi access point—a vendor instead opens up a nasty can of worms. In practice it not only creates a giant security hole by not using proper authentication to keep the network simple, but, it also makes the user’s life more difficult by forcing them to switch to a unique network to access the IoT device, at which point they’ve lost connectivity to everything else.”
Hopefully, with companies like Google, Uber, and Lyft heavily involved in autonomous cars, we will see some of the wireless standards Gates mentioned employed in new cars. The tech world may also provide Mitsubishi and other automakers with better understanding of the security risks that connected cars pose.
There are already ways to prevent this type of relay attack, one of which is trusted positioning.
“Trusted positioning adds an extra layer of security on top of passwords and encryption by limiting the zone or even defining exact physical locations from which the data communication will be authorized,” said Mickael Viot, Decawave vice president of marketing. “This protects from relay attacks and man in the middle schemes…We are always measuring the time it takes for the signal to travel between the key and the car so if you try to relay it, it will be immediately detected as it will take longer than what is expected.”
Decawave can create a trusted device, say a car key, that acts as verification for another signal. If the signal doesn’t come from exactly the same place as the car key, the car will reject the other signal’s access.
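The timing check Viot describes can be sketched as follows. This is an added example, not Decawave's or Mitsubishi's code: the two-way ranging formula, the HMAC challenge-response, the 2 m limit, the fixed 1000 ns key turnaround and all function names are assumptions chosen for illustration, and the timings are constructed.

```python
import hashlib
import hmac
import os

C_M_PER_NS = 0.299792458  # speed of light, metres per nanosecond

def measured_distance_m(t_round_ns, t_reply_ns):
    """One-way distance from a two-way exchange: half of the round-trip
    time left after subtracting the key's fixed turnaround time."""
    return (t_round_ns - t_reply_ns) / 2 * C_M_PER_NS

def car_accepts(key, challenge, response, t_round_ns, t_reply_ns, max_m=2.0):
    """Accept only a correct response that also arrived fast enough."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return False, "bad response"
    dist = measured_distance_m(t_round_ns, t_reply_ns)
    if dist < 0 or dist > max_m:
        return False, f"out of range ({dist:.1f} m)"
    return True, f"in range ({dist:.1f} m)"

def simulate_round_ns(key_distance_m, t_reply_ns, relay_delay_ns=0.0):
    """Constructed timing: flight there and back, the key's turnaround,
    plus whatever latency a relay adds in each direction."""
    flight_ns = key_distance_m / C_M_PER_NS
    return 2 * (flight_ns + relay_delay_ns) + t_reply_ns

def demo():
    key = os.urandom(32)        # secret shared by car and key (assumed)
    challenge = os.urandom(16)  # fresh for every attempt
    response = hmac.new(key, challenge, hashlib.sha256).digest()
    t_reply = 1000.0            # key turnaround in ns (assumed, fixed)
    direct = simulate_round_ns(1.5, t_reply)
    # Relayed: the genuine key answers, but the relay adds 100 ns each way.
    relayed = simulate_round_ns(1.5, t_reply, relay_delay_ns=100.0)
    return (car_accepts(key, challenge, response, direct, t_reply),
            car_accepts(key, challenge, response, relayed, t_reply))

if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The relayed response is cryptographically valid because the real key produced it; only the extra 100 ns in each direction, which reads as roughly 30 m of added distance, causes the rejection.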