As more and more of our devices become connected to the internet, the risk of one of them being hacked increases. And perhaps no thought is more troublesome than that of your brand new smart car being remotely hacked. This is exactly what happened with Mitsubishi’s Outlander Hybrid SUV.
Now before you get panicky, let us just say upfront that this isn’t one of those stories. The car wasn’t hacked while it was speeding down the highway at 70 miles per hour, nor did the driver lose control over the car’s transmission or any of its systems. But the car’s security system was disabled and some of its electronics were compromised as long as the hackers were in close proximity.
The hackers, in this case security researchers testing the car’s systems, discovered that Mitsubishi’s $60,000 Plug-in Hybrid (PHEV) SUV relies on a local Wi-Fi access point to connect to the car’s smartphone app. The app generally allows users within Wi-Fi range to turn on the car’s cooling or heating systems, turn on the headlights, control the car’s alarm and so on.
But thanks to the way the local Wi-Fi AP is implemented, and to its way-too-easy-to-crack pre-shared key (PSK), hackers can also easily get access to the car’s system. Researchers proved this by cracking the PSK with a brute-force attack and connecting to the car’s system while it was in Wi-Fi range. What’s worse is that the PSK can’t be manually changed.
The Wi-Fi’s SSID (the name of the wireless network) also uses a standard format for all the cars, meaning that a malicious hacker could use websites like Wigle.net to track the location of Mitsubishi’s PHEV SUVs and find one that’s vulnerable.
Once the researchers had found the car (in this case their own vehicle), cracked the Wi-Fi password and connected to the car’s system, they were able to reverse engineer some of the commands that the car was capable of accepting.
With a laptop and a bit of code they were able to imitate all the smartphone app commands and take at least partial control over the car. They were able to change the car’s charging schedule, turn off heating or cooling and so on.
But perhaps the most egregious possibility is that they managed to turn off the car’s alarm and security systems, essentially leaving the car wide open to anyone looking to steal the car.
While originally Mitsubishi elected to ignore the problems that the researchers brought up, as soon as the story became public the company began working on a long-term fix. In the short term owners looking to be more secure are advised to disable the car’s Wi-Fi system following these instructions.
This is just one more example of why cars and their manufacturers need to take digital security much more seriously. As the attack surface increases exponentially, and the internet of things takes hold, good security systems and security practices become vitally important.
Source: Pen Test Partners | Image via Mitsubishi