Researchers Hack the Mitsubishi Outlander SUV, Shut Off Alarm Remotely

Reader Orome1 writes: Mitsubishi Outlander, a popular hybrid SUV sold around the world, can be easily broken into by attackers exploiting security weaknesses in the setup that allows the car to be remotely controlled via an app. After discovering the SSID and the pre-shared key, they connected to a static IP address within a network's subnet, and this allowed them to sniff the Wi-Fi connection and send messages to the car. Through these messages they were able to turn the car's lights, air conditioning and heating on and off, change the charging programme and, most importantly, to disable the car's anti-theft alarm.

Total hax, man

But if you resort to meaningless terms, you aren't doing any science any longer, if you ever were. So, no, you're not researchers.

Also, you said "hack", so now you need to be locked up. It's the law!

Re: Total hax, man

What if you own the SUV ?

Seems to be that if you own it, you have the right to research it / hack into it.

Re: Total hax, man

My favorite Outlander hax is when you hold down the radio power button and start the car in a ring of standing stones during a full moon, it sends you back in time.

Re: Total hax, man

haha funniest thing I've read in months!

Re: Total hax, man

Never heard of the DMCA, eh? It says that no, you cannot do whatever you like with stuff you own at all. Or the law criminalizing "Computer Hacking", while conspicuously failing to define what that is, meaning it can be applied "at will". In turn meaning that saying "I hacked" implies you broke the law and now need locking up. So no, ownership is not a valid legal defense.

But the point was that "hacking" no longer means anything, the very antithesis of the goal of "research", so if you claim to be a "researcher" then proceed to claim you "hacked" anything at all, then no, you weren't doing "research" in any meaningful way. For if you were, you could describe it in meaningful terms, and didn't need to handwave it with a meaningless term. What use is gathering knowledge then being unable to articulate it and share it? That is useless. Useless research is not research, it is useless.

Re: Total hax, man

[viperidaenz]

Have you read the DMCA? Security researching is explicitly exempt.

It was also not done in the USA, so I don't know what the DMCA has to do with it at all.

Re: Total hax, man

[davester666]

It has to do it that way, because it can't get up to 88 mph.

Surprise surprise

More second rate engineering from car manufacturers. After seeing stuff like this, I can't imagine why someone would want an even more complex car like a Tesla.

Re:Surprise surprise

[WarJolt]

Tesla doesn't have the same engineering model. Most car manufacturers have internal cultures that prize these simple lightweight solutions because they need to design for incredibly low margins. They hire tons of EEs to write software who've never been formally trained in network security. They implement custom unproven protocols for EVERYTHING. Basically everything we've done to make the internet work they ignore and think they know better.

Re:Surprise surprise

[cayenne8]

More second rate engineering from car manufacturers. After seeing stuff like this, I can't imagine why someone would want an even more complex car like a Tesla.

Yep.

I just can't WAIT for my more connected car...then, my fucking SELF driving car...yeah, nothing can go wrong there....

[rolls eyes] I supposed all these years of me physically driving and being responsible for for the cars behavior, good to throw that all out the window.

I as a human, can't really be hacked remotely like this (I keep my tin foil hat on at all times)....but sure, let's throw that model out, and trust the car companies that so far, have NEVER shown the proclivity to actually secure their systems they have to date....to control our transportation future.

Long Live the Johnny Car!!!

Re:Surprise surprise

[0100010001010011]

Yep. This is what happens when you make EEs design network stuff. Stuff like the CAN bus is incredibly open because it wasn't thought of as a network that needed 'security'. If our cars are going to have networks they need to hire people that take care of 'traditional network' security.

You know some Terminator is going to exploit this

[NotDrWho]

Pretty soon, poor John Connor will have Mitsubishi after Mitsubishi chasing him down.

Remotely control the car via. app

Who ever thought of this should get a Nobel Prize.

Re:Remotely control the car via. app

Tomorrow Never Dies showed that off in 1997.

Because, after all, tomorrow never dies, but the people that inhabit it certainly do. Probably in a fiery auto crash. Life is rough when you're James Bond. That's why you should always bone the asian secret agent on a piece of floating debris from the bad guy's ship. But only after you bone Lois Lane and get her jealous husband to have her assassinated.

Wait... this was supposed to be about OTHER stuff James Bond does in the back seat of a BMW... Like drive that BMW using his Nokia phone. And not accidentally bump *-3-Send.

CAPTCHA: Sinking. Why, yes, there was a sinking ship in that movie! The HMS Devonshire.

Re: Remotely control the car via. app

David Hasselhoff claims prior art!

GMC

"Through these messages they were able to turn the car's lights, air conditioning and heating on and off" Has this been done for a 2015 GMC Acadia? If so has anyone rolled them in to an app to compete with onstar?

IOT = Internet of Troubles

[scsirob]

In their effort to make things ever easier for consumers, and to improve time-to-market, manufacturers skip the most basic security best practices.
This will kill the IOT market in general. Ever more gadgets with ever weaker security.

Re:IOT = Internet of Troubles

[Hentes]

Now I'm not a fan of IoT either but this has nothing to do with it. It's just a badly set up WLAN (with no internet access).

Re:IOT = Internet of Troubles

You need a hacker to go to for all of your cyber issues from

facebook,gmail,whatsaapp,textlogs hacks to bank acct hacks to credit hacks to website hacks

to upgrade of score, then steelbreaker is the one you should consult, he's usually busy but

he'll find time for you
outlook- robertcartercasting
m- +1 928-323-3115

Mitsubishi still makes cars?

[damn_registrars]

They've been at the top of the list of "Japanese car makers that won't be around much longer" for a few years now. So few of them are sold in the US currently that I was starting to think perhaps they quietly went under or were absorbed by Toyota. Their long running Lando Calrissian approach to car manufacturing can only last so long, really.

Re:Mitsubishi still makes cars?

They've been at the top of the list of "Japanese car makers that won't be around much longer" for a few years now. So few of them are sold in the US currently that I was starting to think perhaps they quietly went under or were absorbed by Toyota. Their long running Lando Calrissian approach to car manufacturing can only last so long, really.

This has been one of the best selling SUV's in the UK for the last few years due to some very high tax breaks given to plugin hybrids, especially if you take it as a company car.

Re:Mitsubishi still makes cars?

It would help if they could build cars that were not junk. The bodies were good, electrics not bad, but engines and transmissions were garbage, generally the cars were worn out by the time it had 120k miles / 200k km on the clock. I had several of their cars from the 80s in the 90s both JDM and locally assembled, by the time they were 10 years old they were tired oil burners (worn valve guides were common). JDM Subarus from the early 90s were not much better either. The Lancer Evolution series was half decent - but these were go fast toys, not the average mans car. However Nissan and Toyota were good bang for their buck.

The Mitsubishi Magna was pretty popular in Australia during its run, then the Mitsubishi 380 was supposed to continue that, but flopped, probably the same reason the Australian Ford Falcon has one foot in the grave - people didnt want 4-door sedans or wagons anymore. GM/Holden is hanging in there mostly because their Zeta platform (VE/VF Commodore) was designed with export markets in mind - otherwise known as the Pontiac G8 and now Chevy SS in the US. Oddly the Chevy SS never gets advertised here in the US, its all trucks (Silverado) or smaller cars - Cruze, Impala and Malibu.

Re:Mitsubishi still makes cars?

I should have added that, the Police forces in the US like the Australian GM cars - badged as Chevy Caprice, 9 times out of 10 when I see a Washington State Patrol car its one of these. Easy to spot if you're familiar with the body shape.

Re:Mitsubishi still makes cars?

Oh and if you have watched the Myth Busters episode with the U2 spy plane, the cars used by the USAF to chase the plane during landings are Pontiac G8!

Re:Mitsubishi still makes cars?

Mitsubishi cars are a rare sighting in the US. In the 90s there used to be several dealerships in Santa Clara County (Silicon Valley), now there is only one in San Jose and sits on the side of a Subaru dealer. They share the lot space with the used cars and don't even have permanent signage, it is a hanging plastic tarp with "Mitsubishi Motors" printed on it. I know the company closed its manufacturing facility in Illinois and imports cars from Japan. With so few dealerships and a reputation for poor quality, I don't see them doing well.

Re:Mitsubishi still makes cars?

[h4ck7h3p14n37]

The last time I checked, Mitsubishi was at less than 0.6% of the U.S. market. Apparently Mitsubishi is a big enough corporation that low sales volume of their automobiles in the U.S doesn't matter much. The dealer claims they're not going anywhere.

If you're looking to buy a reasonably priced, turbo, AWD vehicle you don't have much choice between Subaru and Mitsubishi unless you're willing to spend twice as much.

Re:Mitsubishi still makes cars?

[damn_registrars]

If you're looking to buy a reasonably priced, turbo, AWD vehicle you don't have much choice between Subaru and Mitsubishi unless you're willing to spend twice as much.

There is certainly a segment of the market that values the Evo and the WRX STI. I am not of that segment and it goes beyond my disdain for whale tails on my back bumper.

To me, those cars answer a question I have never asked or felt a reason to ask. I have never found myself looking for a car with massive turbo lag, poor fuel economy, a back seat that nobody over 5'8" can sit in for more than 10 minutes, and a requirement for premium gas. Sure, they are fast with the turbo fully spooled up and running wide open but before that happens they are not very impressive and they really don't have a point where their fuel economy is ever even slightly impressive for their size and price. Real world fuel economy on the decked out Evo or WRX STI is close to that of the Ford F150 EcoBoost, which is not much slower but vastly more utilitarian (and runs on regular gas).

Re:Mitsubishi still makes cars?

[bobbutts]

Focus RS recently crushed the STI and Golf in a Car and Driver comparison test http://www.caranddriver.com/comparisons/2016-ford-focus-rs-vs-subaru-wrx-sti-vw-golf-r-comparison-test. The more recent turbos have much less lag vs. the older ones. I have a '15 Forester XT that replaced an '07 (similar engine to the wrx) and the difference is obvious and substantial.

Re:Mitsubishi still makes cars?

[0100010001010011]

quietly went under or were absorbed by Toyota.

Seriously? Mitsubishi is in mining, shipbuilding, telecom, financial services, insurance, electronics, automotive, construction, heavy industries, oil and gas, real estate, foods and beverages, chemicals, steel, aviation and others.

It's a Japanese Keiretsu, they are not "quietly going under" or being "absorbed by Toyota" any time soon.

Re:Mitsubishi still makes cars?

They're the 16th largest auto manufacturer in the world according to wikipedia, majority control lies with Nissan now (though they remain part of the original parent Keiretsu), putting them into a combined 4th place.

Also keep in mind how small and insular the US motor industry is for foreign carmakers. China outweighs US car sales by 3:1, half the cars sold in the US are native brands from the big 3 with Toyota taking up the majority of the rest. It's not surprising Americans don't see a lot of Mitsis driving around.

Re:Mitsubishi still makes cars?

half the cars sold in the US are native brands

Half the cars sold in the US are Fords? Or does Opel count as a US brand nowdays?

Hmmm..

[wierd_w]

I remember about 8 years ago, mentioning that the proposed smart cars the industry was crowing about would be a hacker's paradise, because of compounding costs of manufacture driving security based design out the window.

Seems I was right, despite all the loud objections I got that called me crazy. Fancy that. /shameless self promotion

Really, these recent reports of hackable cars all fail for the same reasons: The car's internal network is presumed secure, instead of presumed hostile. This ignores the primary rule of security-- if you can get local access, the security should be assumed broken.

Ideally, the data being sent through the internal network should be encrypted with unique keys between components, initially seeded at the factory with unique one time pads. The wifi network should be isolated completely from the internal network as well, and any instruction given should have a handshake challenge before being accepted.

All of those things will increase the costs of the vehicle considerably though, which is why none of the manufacturers are doing it.

It will require federal legislation to impose regulations for vehicle safety before that happens.

Re:Hmmm..

[viperidaenz]

initially seeded at the factory with unique one time pads

Great way to increase the sales of genuine spare parts.
Wrecking yards won't be able to resell second-hand components.

Poor system design

[bobdehnhardt]

Every time I read about these, it strikes me that it all goes down to poor system design. The computers and functions dealing with the operation of the car need to be isolated from the entertainment systems, including WiFi, at least so far as inputs are concerned. Apps that allow the user to unlock the doors or start the engine, WiFi and OnStar systems that allow on-the-air updates of control software, these are all inherently insecure and always will be! They tie into systems that need to be air-gapped and only accessible via physical access to the car.

Security is almost always a trade off with utility or convenience. But auto makers have gone way too far, to the point of threatening public safety. These car computer systems need to be redesigned from the ground up with proper security practices and risk assessments in place.

Re:Poor system design

Yes, those systems should be independent, but we're not thinking about it like an electronics consumer.

To them, if something is hacked, it is hacked, and the thing in this case is a car. We see different layers of protection and can recognize the difference between doing DNS sabotage to load a fake web site and gaining access to a corporate database, they see a company being hacked.

On the other hand, we ask why being able to disengage the parking brake remotely from a phone app would ever be useful, and they perceive it as just another piece of the car, which can all be controlled by remote now (So cool!).

Re:Poor system design

[Gravis+Zero]

The computers and functions dealing with the operation of the car need to be isolated from the entertainment systems, including WiFi, at least so far as inputs are concerned.

sadly, i think that's something that will need the force of law before they will start abiding by such basic security precautions.

Re:Poor system design

You seem to be underestimating how useful these features are. Being able to turn on my engine and warm the car (read: melt the ice on the window so it's drivable) from my bed seems like a VERY useful feature. I already do this with a remote-start key fob, but being able to do it with an app seems more useful and more secure (I suspect my keyfob is 100% vulnerable to replay attacks.)

Re:Poor system design

Sorry but I am pretty sure I can do all that stealing any car's "pre-shared" (actual)key ... so what's the what?

Re:Poor system design

[nukenerd]

You seem to be underestimating how useful these features are. Being able to turn on my engine and warm the car (read: melt the ice on the window so it's drivable) from my bed seems like a VERY useful feature.

Fuel must be nearly free where you live; have you any idea of how inefficient that is? (and non-green, even though I am not a green fan much myself)

I leave an old rug on the windsceen overnight, and a hot water bottle in the car directly under the windscreen while I am eating breakfast. Anyway, I would feel extremely uneasy about starting my car remotely, especially if I could not even see it. It amazes me that it is legally possible.

Re:Poor system design

The computers and functions dealing with the operation of the car need to be isolated from the entertainment systems, including WiFi

Last time I worked in that industry most manufacturers just moved to a standardized IP based protocol for maintenance and how the send messages are translated to CANN and other specialized protocols. Basically there is a single run of the mill network with full access to everything and everything on it has full access to everything else ( i think only firmware updates were restricted with private keys). Want to stop a car? Just infect some unimportant infotainment system ( radio, navigation, etc. ) and have it pretend to be the brake or key.

Re:Poor system design

[POPE+Mad+Mitch]

The thing is that so far they have used the wifi to access only the functions that the wifi system is meant to have access to, those functions are supposed to be limited to the owner so yeah theres a security issue there, a mitm attack it reads like.

but. It doesn't give access to anything terribly exciting, or dangerous. "oooh scary they can drain the drive battery" (by activating the pre-heater), it's a hybrid, it has a petrol engine, that battery drain could cost you whole pennies in extra fuel on your journey. sigh.

If your going to freak out about security then the keyless door entry would be the more tempting attack vector, the old "use a signal booster to unlock the car" trick, then you have access to the OBDII port directly and could maybe cause some real problems.

Re:Poor system design

[EndlessNameless]

Anyway, I would feel extremely uneasy about starting my car remotely, especially if I could not even see it. It amazes me that it is legally possible.

I agree with the rest, but this I don't understand.

A remotely started car will still be in park, and it will remain locked. Now, the owner could unlock it from his basements and leave it running for hours, of course, but that would be rather stupid.

No matter

No one wants to steal a Mitsubishi anyway.

Simple solution

Disable all remote access. If necessary to open the hood and find the COM port to use this, then a criminal can steal the whole car as is.

What's Security?

Nissan had this same thing happen back in February for the app they had for the Leaf, although with their vulnerability you could only turn the AC on and drain the battery (https://tech.slashdot.org/story/16/02/24/1739227/nissan-leaf-hvac-hack-vulnerability-disclosed)

I don't understand why a car needs to be connected to the internet. Why do we make these 2000 lbs death sleds accessible to some teenager sitting in a basement halfway around the world. At some point people really need to weigh where this balance between convenience and security lies because right now ZERO though is being put into it.

Re:What's Security?

[wierd_w]

if done RIGHT, internet connectivity of the network of devices inside the car has all kinds of benefits.

1) devices that control fuel efficiency can have their firmwares updated by the manufacturer OTA, improving the product without ever taking it to a dealership for service.

2) Anomalies in function can be solved through the same mechanism as 1 above.

3) The obvious: Map data, fine location sensing from know wifi hotspots nearby, cloud data services, and other directly user-facing capabilities.

The issue: These vehicles do NOT do it right. They act like a local wired LAN, with each connected system treating the others as trusted peers, with no challenge/handshake or encryption. There is no digital signature checking on firmware or map data downloads, so man in the middle or local hacks are easy. These are terrible things, done out of cheapness and laxity of consideration for secure designs.

Re:What's Security?

[internerdj]

Don't forget it is also a stepping stone technology for a communication backbone for automated driving. Most of the add-on features today are small bites of the autonomous puzzle.

Re: What's Security?

I'm also opposed to autonomous driving. Call me a Luddite but I think there are limits to the things we should entrust technology too. What happens in 50 years when all cars drive them themselves, are networked and so done want to cripple our infrastructure. There will always be people out there discovering ways around the implemented security. Why is it that the most secure systems in to world with the most sensitive information air gapped.

Re:What's Security?

[smooth+wombat]

1) devices that control fuel efficiency can have their firmwares updated by the manufacturer OTA, improving the product without ever taking it to a dealership for service.

2) Anomalies in function can be solved through the same mechanism as 1 above.
________

Because what I want is someone I don't know fooling around with the car I bought and own any time they want without me knowing it.

That sounds completely logical.

Re:What's Security?

[nukenerd]

if done RIGHT, internet connectivity of the network of devices inside the car has all kinds of benefits.

1) devices that control fuel efficiency can have their firmwares updated by the manufacturer OTA, ... without ever taking it to a dealership for service.

....
Most people do take their car for a routine service anyway. Such updates cannot be that urgent.

2) Anomalies in function can be solved through [firmware updates]

No thanks. I have a Jeep Grand Cherokee and there were some rare cases of the transfer case (TC) putting itself into neutral while parked (the circumstances seemed dubious according to Jeep owners' forums). If the owner had not bothered to apply the handbrake also the car could roll away. Jeep's "solution" to absolve themselves was a software patch to fix the TC in High (ie normal road) ratio. This disabled neutral but also the Low ratio, thus limiting its usefulness as an off-roader etc (I have pulled tree stumps out with mine in "Low").

Result was a load of owners (including me) not wanting to let a dealer plug their car into their computer (which would promptly upload this patch). I generally have the same attitude to car software patches as I have to the Windows 10 "upgrade". And I apply the handbrake when I park.

Re: What's Security?

[EndlessNameless]

What happens in 50 years when all cars drive them themselves, are networked and so done want to cripple our infrastructure.

That is simple enough. Require autonomous vehicles to be capable of navigating safely without network connectivity.

Since manually-driven vehicles and autonomous vehicles will coexist for a while, the first networked autonomous vehicles will definitely support an "offline mode" that does not require peer interaction. Simply require that it be kept as a backup in case the network is down.

On top of that, if vehicles can be setup or started in offline mode then it should be fairly simple to stop a worm, mitigate DoS, etc.

We won't magically lose standalone autonomous driving capabilities just because networked vehicles are more efficient.

Re:What's Security?

[knorthern+knight]

4) The vehicle can be remotely disabled/shut-down by the dealer if you don't make your monthly payment on time.

5) The vehicle can be remotely disabled/shut-down by the police if they merely suspect that you might have been remotely connected to a crime. "Shutdown first, and ask questions later".

6) The vehicle can be remotely disabled/shut-down by criminals on the other side of the planet. who demand payment in Bitcoins to re-enable the car.

Actual technical info

Here's the original source, not a spammy blog, written in broken english:

https://www.pentestpartners.co...

There are no consequences for bad security

[schwit1]

Other than bad publicity.

The status quo will not change until CEOs are held criminally liable or terrorists(hackers) start crashing cars into each other.

It's SO easy!

Any idiot can do it.

Let me ask you this, have you watched the movie Hackers? Then you have all the skill you need!

Now all you have to do is stand around the vehicle for a 'relatively' short amount of time and perform an easy hack. Just wear a trench coat and fedora and no one will ever suspect you.

It's a wonder how these vehicles aren't disappearing daily!

All Cheer the Internet of Things!

Horray!

This is only going to get worse

[jonwil]

The EU has recently mandated that new cars need wireless technology so they can automatically dial emergency services in an accident. So now even more cars with have vulnerable wireless links to the outside world that could potentially be exploited by hackers.

Re:This is only going to get worse

[POPE+Mad+Mitch]

You are referring to the eCall system, it is mobile phone (GSM) based, and is meant to remain dormant until there is an accident, at which point it calls the emergency services and reports the location and a few other limited pieces of info. There are quite strict rules on data privacy and anti-tracking that go with it.