The Mitsubishi Outlander is a popular hybrid SUV sold around the world. However, the owners of the vehicle may find themselves in unpleasant surprises if intruders take advantage of security vulnerabilities in the setting that allows the car to be controlled remotely through an application.
Weaknesses in the Mitsubishi Outlander SUV were discovered by Pen Test Partners, and include:
The mobile app connects to the car via an on-board Wi-Fi access point, instead of a web service and a GSM module. This makes it impossible to access unless someone is within range wirelessy network of the car.
This wireless Wi-Fi network has a shared key that is written on a piece of paper included in the owner's manual, but its format is very simple and very short, allowing attackers to crack it easily and relatively quickly.
The car's Wi-Fi has a unique SSID, but in a predictable form. This allowed researchers to discover the geographical location of various outlanders across the UK.
After discovering the SSID and the pre-shared key, they were able to connect to a static IP address on a network's subnet, allowing them to monitor the Wi-Fi connection and also send messages to the car.
Through these messages they were able to flash the lights, the car's air conditioning and the heating. They were also able to change the program chargingand, most importantly, to disable the car's anti-theft alarm.
"Μόλις ξεκλειδωθεί το Mitsubishi Outlander, υπάρχει δυνατότητα για περισσότερες επιθέσεις. Ο διαγνωστικός έλεγχος αυτοκινήτου δεν είναι προσβάσιμος όταν η πόρτα είναι κλειδωμένη." αναφέρουν οι ερευνητές.
"Δεν έχουμε εξετάσει τις συνδέσεις μεταξύ της μονάδας Wi-Fi και του Δικτύου του ελεγκτή (CAN). Είναι βέβαιο ότι υπάρχει πρόσβαση στο σύστημα infotainment από τη μονάδα Wi-Fi. Αλλά αν εκτείνεται στο CAN είναι κάτι που χρειαζόμαστε περισσότερο χρόνο για να το ερευνήσουμε."
The researchers contacted Mitsubishi and shared their findings responsibly. Of course, this was after they published her findings researchbecause Mitsubishi initially ignored them.
The company is currently developing a new firmware for the Mitsubishi Outlander SUV Wi-Fi unit to correct mistakes. Until its release however, it informed owners that they would disable Wi-Fi using the "Cancel VIN Registration" option.
The company has indicated that it is willing to work with the researchers to understand and solve the problem.
