Thieves can turn off car alarm without your keys
What the latest car hack on a Mitsubishi Outlander means for you, no matter what car you drive.
You might wish for a way to shut off someone else’s car alarm when it’s blaring incessantly and there’s no car owner in sight. Now, security investigators have found a way to hack into a car alarm system and turn it off, making it easier for thieves to get away with your car unnoticed.
The researchers with Pen Test Partners found the security gap on just one kind of car—the Mitsubishi Outlander hybrid SUV.
“This is shocking and should not be possible,” they wrote in a post.
Some ask why the vehicle maker allowed this kind of security gap in its cars.
“Mitsubishi should have taken security further and hired experts to test the system,” said Jim Feely with Archer Security Group.
“There is no doubt that owners of Mitsubishi Outlander hybrid cars will be reluctant to hit the road after this latest hack—at least until it has been resolved,” Justin Harvey with Fidelis Cybersecurity said to Help Net Security.
How it happened
Ken Munro with Pen Test Partners told the BBC that it all started when he went to pick up his kids from school and saw an unusual Wi-Fi access point show up on his smartphone.
It was his friend’s Mitsubishi Outlander, and his friend showed him how the car’s app could control various parts of the car.
“I got playing with it and soon realized it was vulnerable so I stopped,” he said to the BBC.
He bought his own “big-selling” Outlander plug-in hybrid electric vehicle and started to investigate.
Most remote control apps use a web service to connect the app to the car, Pen Test Partners said, but the Mitsubishi Outlander is different. It uses a Wi-Fi access point on the car to communicate, possibly a cheaper option for the car maker.
“Unfortunately, we found that this system had not been implemented securely,” researchers said.
They cracked the Wi-Fi key, then found they could control the lights and the temperature, as well as forcing the car to charge up on “premium electricity” or draining its battery.
“This is remarkably similar to the Nissan Leaf hack, though the next part is far worse than that,” they wrote.
They found ways to map out the locations of other Mitsubishi Highlanders and, ultimately, disable alarms, a little too easy for thieves who want to target a specific person or car.
“The Pen Test Partners were able to find and exploit the Wi-Fi vulnerability in just a couple days’ work,” said Feely.
“Vulnerability assessments and penetration testing should be standard practice for manufacturers of connected vehicles,” he added. “Compared to the costs of design, engineering, manufacturing, and marketing, the cost of a few days of security review and testing by a third party is minimal.”
What did Mitsubishi think about Munro’s discovery?
“Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest,” Pen Test Partners wrote.
“So, we involved the BBC who helped us get their attention,” the post continued. “Mitsubishi have since been very responsive to us!”
Mitsubishi is now working on a fix. The company told CBS MoneyWatch that it is investigating the problem.
“This is the first reported incident of hacking involving any Mitsubishi vehicle to date,” the company said in a statement. “To be clear, the subject hacking has no effect on the ability of the consumer to safely start and drive the vehicle.”
“This hack only pertains to the smartphone app and has limited actual impact on the vehicle itself,” the statement added. “This app can only control the vehicle alarm, the HVAC system the lights, and the battery charging schedule. While this app also monitors the status of the vehicle’s doors and hood (open/closed), it cannot lock or unlock them.”
Your next step
If you own a Mitsubishi Outlander, Munro has some recommendations for you.
“Unpair all mobile devices that have been connected to the car access point,” the post said. “First, go to the car and connect your mobile phone to the access point on the car. Then, using the app, go to ‘Settings’ and select ‘Cancel VIN Registration.’”
After the devices are unpaired, the Wi-Fi module cannot be powered up again until you press the car remote key ten times, according to Pen Test Partners.
“This has the side effect of rendering the mobile app useless, but at least it fixes the security problem,” the post said.
Mitsubishi needs to “urgently” send out new firmware for the Wi-Fi module, Pen Test Partners recommended, and in the long term, it needs to re-engineer the car’s Wi-Fi connection system.
Wait to buy?
This may be a sign that car makers have not work out all the bugs in the new technology that appears in their latest models, some cybersecurity experts say.
“Consumers should wait a couple of years after new features like this are introduced,” said Feely. “Early adoption of connected technologies in major purchases like vehicles is risky, both in cost and safety.”
“From what I’ve seen in the last couple years from security researchers, the automobile industry is putting forth minimal effort to protect their products from electronic threats,” he said.
This is not the first revelation of security holes in connected cars. Researchers have hacked the Nissan Leaf, Tesla Model S and the Chrysler 2014 Jeep Cherokee, among other demonstrations of car security vulnerabilities.
“The most startling was the attack staged on the Jeep which allowed the researchers to take control of the vehicle remotely,” reported the BBC. “The discovery led to 1.4 million vehicles being recalled for a software update.”
The Federal Bureau of Investigation and the National Highway Traffic Safety Administration warned people and car makers in March that connected cars can be hacked.
“While not all hacking incidents may result in a risk to safety—such as an attacker taking control of a vehicle—it is important that consumers take appropriate steps to minimize risk,” the warning said.
It recommended that you keep your car’s software up-to-date, but not rely on e-mail notices from car makers, because the e-mails could be faked by crooks trying to trick you into downloading malicious software.
The FBI and NHTSA said you should check your car’s VIN for recalls at least twice a year at http://vinrcl.safercar.gov, as well as verifying any information you receive about a cybersecurity recall or update.
“Check on the vehicle manufacturer’s web site to identify whether any software updates have been issued by the manufacturer,” the warning said. “Avoid downloading software from third-party web sites or file-sharing platforms.”
The FBI and NHTSA, as well as cybersecurity experts, advised that the car vulnerabilities are a sign of things to come.
“As more and more objects join the Internet of Things, high-end items such as connected cars will become increasingly attractive targets for hackers,” Simon Moffatt with ForgeRock said to Help Net Security.
“While it’s surprising that these vulnerabilities were not detected by Mitsubishi beforehand, both consumers and enterprises must evaluate the risks of Internet of Things (IoT) devices before implementing them,” said Harvey in the article.
“The physical nature of these ‘things’ represent a kinetic danger to the real world and, in reality, they can could cause an accident or a serious injury,” he explained. “While no damage has been done on this occasion, there is no doubt that similar vulnerabilities will be detected in the years to come.”