In a blog entitled “Hack it like you Stole it”, David Lodge, CHECK Team Leader at Pen Test Partners, has exposed poor vehicle security in the Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV), which Car Buyer rates as the second best hybrid SUV.
The majority of modern cars, especially upmarket ones, come with a range of remote control apps. According to Pen Test Partners these typically rely on a web service hosted by the car manufacturer or its service partner, with the connection between that web service and the car carried over a GSM module fitted in the car. The result is that you can talk to your car from anywhere you can get mobile data.
The trouble with Wi-Fi
It turns out that Mitsubishi decided to go a different route and use a Wi-Fi access point located inside the car. Many cars come with Wi-Fi access points fitted today in order to allow passengers and drivers access to the Internet while driving. This is especially useful for those using the new generation of free Internet-based Sat Nav such as Waze, Scout and Google Maps. It also ensures that new content can be downloaded to the on-board entertainment systems.
According to the blog, to use the Wi-Fi to access car functions users have to disconnect from all other Wi-Fi networks and connect their phone directly to the car’s access point. The blog takes the view that this is probably a cost-cutting decision by Mitsubishi to avoid developing a server-side app and paying contract and hosting fees. It could just as easily be seen as a way to reduce the risk of outside attacks, something that has become an issue with a number of GSM-based systems in recent years: with no internet-facing service, an attacker has to be within Wi-Fi range of the car.
One issue is that the access point broadcasts a recognisable SSID. Lodge disclosed that: “The access point has a unique SSID fortunately. It is of the format: [REMOTEnnaaaa] where ‘n’ are numbers and ‘a’ are lower case letters. This means that you can search wigle.net and easily geolocate Outlander PHEVs.” A quick search on WiGLE turned up over 500 Outlanders worldwide, each with the location at which it was logged. Many of these locations will be the home addresses of the owners.
Each Outlander comes with its own unique Wi-Fi pre-shared key (PSK), just as a home Wi-Fi router does. In this case the key is printed in the user manual to save customers climbing under the dashboard to find it. Ultimately it is the weakness of that key which is the main issue here: it is short enough to be brute-forced. In the blog, Lodge states that it took less than four days to crack the key using the team’s own GPU cracking setup. He went on to say:
“A much faster crack could be achieved with a cloud hosted service, or by buying more GPUs.”
Lodge and his team purchased an Outlander on which to practise. This meant that they had all the time in the world to capture the WPA2 handshake that takes place when the owner’s phone connects to the car. In the real world, parking a van near the home of an Outlander owner and using a laptop with an Internet connection would allow a thief to capture that handshake and hand it to a cloud GPU service to be cracked offline; the cracking itself no longer needs to be anywhere near the car. Criminals already rent cloud GPU capacity to crack other kinds of password-protected data, and it would not take long to set this up.
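The two weaknesses described above, the recognisable SSID and the short PSK, can be shown in a few lines of code. The following is an added illustration, not code from the Pen Test Partners blog: it filters a wardriving-style scan log for the SSID pattern quoted in the article, computes the WPA2 pairwise master key (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt) that a cracker has to evaluate once per candidate passphrase, and estimates how long a brute force takes at an assumed guess rate. The scan entries, the 1,000,000 guesses-per-second figure and the passphrase classes are all constructed for the example; nothing here is the real Outlander PSK format, which the blog does not publish.

```python
import hashlib
import re

# SSID scheme quoted in the article: "REMOTE", two digits, four lower-case letters.
OUTLANDER_SSID = re.compile(r"^REMOTE\d{2}[a-z]{4}$")


def is_outlander_ssid(ssid: str) -> bool:
    """True if an SSID matches the Outlander PHEV access-point naming scheme."""
    return OUTLANDER_SSID.match(ssid) is not None


def find_outlander_aps(scan_results):
    """Filter (ssid, bssid) pairs, e.g. from a WiGLE export, down to Outlanders."""
    return [(ssid, bssid) for ssid, bssid in scan_results if is_outlander_ssid(ssid)]


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes.

    This is the work a cracker does per guess once it holds a captured handshake.
    The SSID is the salt, so a unique SSID defeats precomputed tables, but it does
    nothing against a GPU brute force of a short key.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passphrases for a fixed alphabet and length."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given PMK rate."""
    return space / guesses_per_second


def crack_time_days(guesses_per_second: float) -> dict:
    """Worst-case days to exhaust a few illustrative passphrase classes."""
    classes = {
        "8 lower-case letters": keyspace(26, 8),
        "8 mixed-case letters and digits": keyspace(62, 8),
        "10 mixed-case letters and digits": keyspace(62, 10),
        "12 printable ASCII": keyspace(94, 12),
    }
    return {name: seconds_to_exhaust(space, guesses_per_second) / 86400
            for name, space in classes.items()}


if __name__ == "__main__":
    # Constructed scan log: two ordinary networks and one Outlander-style SSID.
    scan = [
        ("HomeNet", "aa:bb:cc:dd:ee:01"),
        ("REMOTE42qwer", "aa:bb:cc:dd:ee:02"),
        ("CoffeeShop", "aa:bb:cc:dd:ee:03"),
    ]
    print("Outlander APs:", find_outlander_aps(scan))

    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print("PMK:", wpa2_pmk("password", "IEEE").hex())

    # Assumed rate for a small multi-GPU rig; scale to taste.
    for name, days in crack_time_days(1_000_000).items():
        print(f"{name}: {days:,.1f} days worst case")
```

The table makes the point of the blog’s “buy more GPUs” remark: at the assumed rate an 8-letter lower-case key falls in under three days, while each extra character or a wider alphabet multiplies the cost, which is why the medium-term fix is a longer, random PSK rather than a different SSID.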
Hacking the system
For simplicity, it also appears that Mitsubishi gave the car the same static IP address on every Outlander. What Lodge and his team did was connect to the access point, run a man-in-the-middle attack between the phone app and the car, and sniff the Wi-Fi traffic.
It didn’t take long for the team to reverse-engineer the binary protocol used for the messaging. Their first success was turning the lights on and off. Left on, the lights would quickly run down the battery, leaving an owner who had parked for the day unable to start the car when they returned to it at night.
They then moved on to altering the charging schedule so that the car charges on premium-rate electricity rather than the cheaper tariff the owner had set. This would hit the owner in the pocket, especially as many people have no way to check what is drawing power. Lodge makes it clear that this is no different from the Nissan Leaf hack, which suggests that Mitsubishi and other car manufacturers are not learning from each other’s incidents. This is something that was also evident from the recent US Government Accountability Office (GAO) report on the risks associated with hacking cars.
Even the car alarm could be disabled
This is probably the piece that will worry owners the most: a hacker can disable the car alarm and therefore get into the car without triggering it. Lodge points out that once physical access has been gained, the hacker can connect to the on-board diagnostics port. This would allow the hacker to load code into various systems inside the car, or even start the car and drive away.
Lodge says that his team were able to connect to the on-board entertainment system but hadn’t yet tried to connect to the main communications bus in the vehicle. If they are able to connect to that, they could potentially take control of any part of the vehicle, from brakes to accelerator.
Mitsubishi cooperating on a fix, eventually
The good news for owners is that Mitsubishi now appears to be cooperating and providing technical data to Pen Test Partners. The bad news is that this only happened after the whole hack was disclosed to the BBC, which forced Mitsubishi’s hand.
The blog gives a short-term fix to make it harder for hackers to gain access to the Wi-Fi: unpair every mobile device from the car, which leaves the Wi-Fi module dormant until a device is paired again, at the cost of losing the remote functions in the meantime. Lodge believes that Mitsubishi is likely to respond shortly with its own medium-term fix in the form of a firmware patch. Whether that will be made available to customers directly or will require a visit to a dealer for a no-charge upgrade is yet to be announced. The latter would certainly be the best approach.
A long-term fix will take more work. Lodge is adamant that the best approach is to re-engineer the way the Wi-Fi connection is managed, or to spend the money it arguably should have spent in the first place and follow other auto manufacturers to a GSM-based solution. Even this isn’t foolproof.
The GAO report said that two-thirds of manufacturers currently believe that it would take too much effort in both time and money for hackers to attack over the GSM link. This is not only naïve but irresponsible. The hacker community loves a challenge as much as it loves a high-profile attack. Groups will come together and share data free of charge in order to be associated with an attack that gets through the majority of the GSM systems currently in place.
In a response to the publication of this attack Justin Harvey, chief security officer at Fidelis Cybersecurity, said: “There is no doubt that owners of Mitsubishi Outlander hybrid cars will be reluctant to hit the road after this latest hack – at least until it has been resolved. Indeed, it’s not the first time we’ve seen hackers gain access to a car system; it’s reminiscent of the security vulnerabilities found by researchers in the Jeep Cherokee last year. The problem is that any time you connect physical devices, objects or machines to the internet, you are taking the risk that these could one day be compromised due to vulnerabilities.
“While it’s surprising that these vulnerabilities were not detected by Mitsubishi beforehand, both consumers and enterprises must evaluate the risks of Internet of Things (IoT) devices before implementing them. The physical nature of these ‘things’ represents a kinetic danger to the real world and, in reality, they could cause an accident or a serious injury. While no damage has been done on this occasion, there is no doubt that similar vulnerabilities will be detected in the years to come.”
Just like white and brown goods manufacturers, the automobile market seems to be in partial or even full denial about the seriousness of the security situation. Using cheap solutions to keep within a bill of materials might be an excuse the manufacturer of a £200 washing machine could get away with. When it comes to a car whose list price starts at £31,749 (Mitsubishi UK web site), going cheap is not something customers will expect. It also damages the brand which, after the fuel-economy testing scandal, needs this like a hole in the head.
This is just the latest in a long line of automotive hacks to be disclosed. So far, outside TV shows and films, there is no evidence that any of these hacks has caused injury or death, but we cannot be far off that claim being made in a court case. The longer the automotive industry continues to treat security as a minor issue, the worse the situation will get. Let’s hope that this is the wake-up call for Mitsubishi.