The Mitsubishi Outlander is a popular hybrid SUV sold around the world. However, owners of the vehicle may be in for an unpleasant surprise if intruders take advantage of security vulnerabilities in the feature that allows the car to be controlled remotely through an app.
Weaknesses in the Mitsubishi Outlander SUV were discovered by Pen Test Partners, and include:
The mobile app connects to the car through a Wi-Fi access point in the vehicle, rather than through a web service and a GSM module. This makes it impossible to access unless someone is within range of the car's wireless network.
This Wi-Fi network has a pre-shared key that is written on a piece of paper included in the owner's manual, but its format is very simple and very short, allowing attackers to crack it easily and relatively quickly.
The car's Wi-Fi has a unique SSID, but in a predictable form. This allowed researchers to discover the geographical location of various Outlanders across the UK.
After discovering the SSID and the pre-shared key, they were able to connect to a static IP address on the network's subnet, allowing them to monitor the Wi-Fi connection and also send messages to the car.
Through these messages they were able to flash the lights and operate the car's air conditioning and heating. They were also able to change the charging program and, most importantly, to disable the car's anti-theft alarm.
"Once the Mitsubishi Outlander is unlocked, there is room for more attacks. The car diagnostic test is not accessible when the door is locked," the researchers report.
"We have not examined the connections between the Wi-Fi module and the Controller Network (CAN). It is certain that the infotainment system is accessible from the Wi-Fi module. But if it extends to CAN it is something we need more time to research."
The researchers got in touch with Mitsubishi and shared their discoveries responsibly. This, of course, happened after they published their research findings, because Mitsubishi initially ignored them.
The company is currently developing new firmware for the Mitsubishi Outlander's Wi-Fi unit to correct the flaws. Until its release, however, it has advised owners to disable Wi-Fi using the "Cancel VIN Registration" option.
The company has signaled that it is willing to work with researchers to understand and solve the problem.