Yet another car can be hacked: this time it’s the Mitsubishi Outlander hybrid
Mitsubishi urged to recall at least 100,000 cars after hackers remotely turned off the alarm system, controlled the lights and drained the battery
A team of security researchers is calling on Mitsubishi to recall at least 100,000 Outlander hybrid cars after exposing a security breach that allowed the hackers to remotely turn off the car’s alarm system, control the lights and drain the battery.
Ken Munro, the security expert who led the investigation, was tipped off about the vulnerability when his friend’s Outlander showed up as a wifi access point on his phone. Curious, he bought one of the cars himself and set about hacking it.
Modern cars with their own smartphone apps, which offer a way of monitoring features such as battery level and alarm status, usually connect through a web-based service that uses GSM, a mobile data communication channel. But the Outlander uses wifi to connect the car directly with a smartphone, which is less secure and allowed Munro to disable the alarm and then open the car.
Describing the hack methodology and solutions, Munro speculates that the car’s insecure software system was probably a result of cost-cutting by Mitsubishi. “I assume that it’s been designed like this to be much cheaper for Mitsubishi than [the more secure] GSM/web service/mobile app based solution,” wrote Munro, a partner at security research firm Pen Test Partners. “There’s no GSM contract fees, no hosting fees, minimal development cost. This has a massive disadvantage to the user.”
Not only could Munro control access to the car, but he found he could also easily geolocate a car and track it: “A thief or hacker can therefore easily locate a car that is of interest to them,” Munro wrote.
Last year, hackers took over a Jeep while Wired reporter Andy Greenberg was driving it 70 mph down a freeway. In March, the FBI issued a warning that cars are increasingly vulnerable. Subsequent hacks have highlighted vulnerabilities in the Nissan Leaf and the Tesla Model S.
“Modern motor vehicles often include new connected vehicle technologies that aim to provide benefits such as added safety features, improved fuel economy, and greater overall convenience,” the public service announcement reads. “Aftermarket devices are also providing consumers with new features to monitor the status of their vehicles. However, with this increased connectivity, it is important that consumers and manufacturers maintain awareness of potential cybersecurity threats.”
The most appropriate long-term solution in the Mitsubishi case is a recall, Munro wrote. “Mitsubishi need to re-engineer [the system] method completely,” he wrote. “Words like ‘recall’ spring to mind.”
The hitch came when he reached out to Mitsubishi. “Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest,” Munro wrote. “We were a bit stumped at this point: As so often happens, the vendor takes no interest and public disclosure becomes an ethical dilemma.”
When Munro contacted the BBC, Mitsubishi immediately responded, issuing a statement saying that they were taking the matter seriously and wanted Munro to meet with their engineers in Japan. “This hacking is a first for us as no other has been reported anywhere else in the world,” it said, adding: “It should be noted that without the remote control device, the car cannot be started and driven away.”
Mitsubishi US representative Alex Fedorak said he had nothing to add to the company’s previous statement. Asked whether Mitsubishi would be recalling the cars, Fedorak wrote: “good question.”
Mitsubishi has subsequently recommended that Outlander owners deactivate the wifi system until further notice.