Researchers find ways to hack into on-board functions of Outlander PHEV
Mitsubishi is the latest car maker to fall victim to software hackers, with the security and on-board functions of its Outlander PHEV plug-in hybrid compromised this week.
Customers should be pleased to know, however, that access to the vehicle’s systems was gained not by hackers with malicious intent, but by ‘whitehat’ security researchers focussed on uncovering system weaknesses and alerting the company concerned.
The hack, carried out by American company Pen Test Partners, saw the vehicle’s alarm disabled remotely – although not its immobiliser – when the team bypassed the security of an iPhone and Android mobile app designed to allow owners access to various functions of their Outlander PHEV.
Disabling the alarm did not allow the vehicle’s interior to be accessed from outside, however, which would protect its physical ‘OBD’ diagnostics port from being connected to and therefore limiting the functions that can be controlled or modified.
As readers learned in July last year when a Jeep Cherokee was hackedfor similar purposes, access to the vehicle’s interior can lead to hugely dangerous results.
In the case of the Outlander PHEV, however, reaching the vehicle’s systems through its mobile app limited access to control of the lights, heating and air conditioning, and the scheduling program for the vehicle’s battery charging system.
“Next, we messed around with the charging programme, from which we could force the car to charge up on premium rate electricity,” the group reported.
Remote access via mobile apps is becoming an increasingly common feature of new models, and most manufacturers claim that security and customer safety is paramount in the development of these platforms. Indeed, some, like Tesla, invite hackers to assault their security systems in order to uncover weaknesses.
In the case of the Outlander PHEV, the group claims that the coded security ‘key’ that allows the mobile app access to the vehicle is “too simple and too short”, enabling the group to crack the code “on a 4 x GPU cracking rig at less than 4 days. A much faster crack could be achieved with a cloud hosted service, or by buying more GPUs”.
Although a number of other hurdles were encountered, the group reports that, in all, gaining access to the vehicle’s systems – and indeed locating individual Outlander PHEVs on a map through online services – was all too easy.
Mitsubishi has confirmed with the UK’s BBC news service that it is taking the discovery seriously and has begun work on a fix.
The company’s local arm has confirmed that it is investigating the potential impact to cars sold in Australia, although it is understood that there have been no reported incidents with customer cars anywhere in the world.
In the short term, Pen Test Partners suggests the following peace-of-mind ‘fix’ for owners:
Unpair all mobile devices that have been connected to the car access point.
First, go to the car and connect your mobile phone to the access point on the car. Then, using the app, go to ‘Settings’ and select ‘Cancel VIN Registration’:
Once all paired devices are unpaired, the Wi-Fi module will effectively go to sleep. It cannot be powered up again until the car key remote is pressed ten times. A nice security feature.
This has the side effect of rendering the mobile app useless, but at least it fixes the security problem.
“Our counterparts in Europe have recommended that, at this early stage and until further technical investigation, customers who are concerned about their vehicle should deactivate the WiFi using the ‘Cancel VIN Registration’ option on the app, or by using the remote app cancellation procedure,” Mitsubishi Motors Australia corporate communications manager Shayna Welsh told CarAdvice today.
“In the meantime, the hacking is a first for Mitsubishi Motors as none other has been reported anywhere else in the world.
“Of course, Mitsubishi Motors takes this matter very seriously and our company’s specialists will be deployed to better understand the issue.
“Whilst obviously disturbing, from the reports this hacking only affects the car’s app, therefore having limited effect to the vehicle (alarm, charging, heating). It should be noted that the hacking activity described has not affected the vehicle’s immobiliser and without the smart key control device, the car cannot be started and driven away.”
A spokesperson for Mitsubishi NZ said while it was obviously disturbing, from the reports the hacking only affected the car's app, therefore having limited effect on the vehicle, for example the alarm, charging, heating.
"The hacking activity described has not affected the vehicle’s immobiliser and without the smart key control device, the car cannot be started and driven away.”
Mitsubishi Motors NZ agreed with its Australian counterpart regarding the hack for vehicles in New Zealand.