The Mitsubishi Outlander is a popular hybrid SUV sold around the world. But owners of the vehicle could be in for a nasty surprise if attackers exploit security weaknesses in the feature that allows the car to be controlled remotely via an app.
Weaknesses in the Mitsubishi Outlander SUV were discovered by Pen Test Partners, and include:
The mobile phone app connects to the car via a Wi-Fi access point built into the vehicle, instead of through a web service and a GSM module. This makes access impossible if someone is not in range of the car's wireless network.
This Wi-Fi network has a pre-shared key that is written on a piece of paper included in the owner's manual, but its format is very simple and very short, allowing attackers to crack it easily and relatively quickly.
The car's Wi-Fi has a unique SSID, but in a predictable form. This allowed the researchers to discover the geographical location of various Outlanders across the UK.
After discovering the SSID and pre-shared key, they were able to connect with a static IP address on the network's subnet, and this allowed them to monitor the Wi-Fi connection and also send messages to the car.
Through these messages they were able to flash the lights and operate the car's air conditioning and heating. They were also able to change the charging schedule and, most importantly, to turn off the car's anti-theft alarm.
"Once the Mitsubishi Outlander is unlocked, there is room for more attacks. The car diagnostic test is not accessible when the door is locked," the researchers report.
"We have not examined the connections between the Wi-Fi module and the Controller Area Network (CAN). It is certain that the infotainment system is accessible from the Wi-Fi unit. But whether it extends to CAN is something we need more time to investigate."
The researchers got in contact with Mitsubishi and shared their discoveries responsibly. This, of course, happened after they published their research findings, because Mitsubishi initially ignored them.
The company is currently developing new firmware for the Mitsubishi Outlander SUV's Wi-Fi module that will fix the errors. Until its release, though, it has advised owners to turn off Wi-Fi using the app's “Cancel VIN Registration” option.
The company has indicated that it is willing to work with the researchers to understand and solve the problem.