Mitsubishi may have needed to cut some corners recently, but one odd decision by the folks of the diamond-star brand has left a gaping security hole. The mobile app for the 2016 Mitsubishi Outlander PHEV plug-in hybrid talks to the car directly over ordinary WiFi, and security researchers found that to be a big problem.
It’s an odd way of connecting a mobile app to a car. Most carmakers’ apps talk to a server on the internet, and the car receives data and instructions from that server through a built-in cellular (GSM) module.
Mitsubishi instead has the app talk to the car over WiFi, which eliminates the need for an intermediary server and a cellular subscription for the car, but limits control to ordinary WiFi range, which isn’t all that much.
Pen Test Partners spent some time with the Outlander after noting the unusual method used to connect the car and the app, and got some alarming results.
In addition to the short range, the WiFi setup doesn’t offer much in the way of security. The car’s WiFi network is protected by a pre-shared key, and that key is printed on a bit of paper in the glovebox. Worse, the exchange in which a phone joins the network can be intercepted and recorded from nearby without much effort, and that recording is all an attacker needs to start guessing the key offline, with no further interaction with the car.
The key itself is weak enough to brute-force that way: the Pen Test Partners team recovered it on a relatively modest computer in a couple of days, and estimated that one to four days on similar hardware would suffice in general.
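To make the glovebox-key problem concrete, here is an added example that is not code from this article or from Pen Test Partners. It performs the standard WPA/WPA2-Personal derivation of the pairwise master key (PBKDF2-HMAC-SHA1, 4096 rounds, salted with the network name) and brute-forces a deliberately tiny, constructed keyspace offline, then estimates exhaustive-search time for larger keys at an assumed guess rate. The network name, the target key, the keyspace sizes and the guess rate are all assumptions for illustration; the Outlander’s real values are not given in the article. One simplification: a real cracker checks each guess against the MIC in the recorded four-way handshake, whereas this demo compares derived PMKs, which exercises the same offline search without needing a packet capture.

```python
import hashlib
import itertools
import string

# Assumed network name for the demo; the car's real SSID is not on the page.
SSID = "EXAMPLE-CAR-AP"

def pmk_from_psk(psk: str, ssid: str = SSID) -> bytes:
    """WPA/WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 iterations, 32 bytes out."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)

def brute_force_psk(target_pmk: bytes, charset: str, length: int, ssid: str = SSID):
    """Try every passphrase of `length` characters over `charset` until one
    derives target_pmk.  Returns (passphrase, guesses) or (None, guesses).
    Simplification (assumption of this demo): a real attack verifies each
    guess against the handshake MIC instead of a known PMK, but the search
    itself, fully offline and without touching the car, is the same."""
    guesses = 0
    for candidate in itertools.product(charset, repeat=length):
        guesses += 1
        psk = "".join(candidate)
        if pmk_from_psk(psk, ssid) == target_pmk:
            return psk, guesses
    return None, guesses

def keyspace_size(charset_size: int, length: int) -> int:
    """Number of distinct passphrases of a fixed length over a charset."""
    return charset_size ** length

def worst_case_days(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time in days to exhaust the keyspace at an assumed guess rate."""
    return keyspace_size(charset_size, length) / guesses_per_second / 86400

if __name__ == "__main__":
    # Constructed target: a 3-character lowercase key, far below anything sane.
    secret = "car"
    found, n = brute_force_psk(pmk_from_psk(secret), string.ascii_lowercase, 3)
    print(f"recovered {found!r} after {n} guesses")

    # Assumed rate: 200,000 PBKDF2 guesses per second on a small GPU rig.
    rate = 200_000
    print(f"10 lowercase letters:   {worst_case_days(26, 10, rate):8.1f} days")
    print(f"10 mixed alnum chars:   {worst_case_days(62, 10, rate):8.0f} days")
    print(f"20 mixed alnum chars:   {worst_case_days(62, 20, rate):8.3g} days")
```

The point of the arithmetic is that PBKDF2 only buys a few thousand hashes per guess; it is the size of the keyspace, not the derivation, that decides whether a recorded join handshake yields the key in days or never. A key short enough to print on a glovebox card and type into a phone sits at the wrong end of that scale.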
Once on the network and eavesdropping on the traffic between the app and the car, they found a relatively straightforward messaging protocol, and a car that always listened at the same static address, 192.168.8.46 on port 8080. With that, they were soon able to send their own commands to turn the lights on and off and to control the HVAC system.
Eventually, and most unsettling, they were able to defeat the car’s anti-theft alarm from outside the vehicle, over WiFi. Also unsettling was Mitsubishi’s initial response to the disclosure:
Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest. We were a bit stumped at this point: As so often happens, the vendor takes no interest and public disclosure becomes an ethical dilemma.
So, we involved the BBC who helped us get their attention. Mitsubishi have since been very responsive to us! They are taking the issue very seriously at the highest levels.
A medium term fix is being worked on now.
The convenience of a mobile app that can access a car’s features is great, and part of me respects Mitsubishi’s clever but flawed attempt to make a cheaper remote-access car app solution without having to deal with a cellular module. But if they’re going to do this kind of thing, they need to take the security seriously.
I’m sure at some point carmakers will finally start taking electronic car security seriously, but it doesn’t appear we’re quite there yet.