Slashdot Mirror


Researchers Hack the Mitsubishi Outlander SUV, Shut Off Alarm Remotely (helpnetsecurity.com)

Reader Orome1 writes: Mitsubishi Outlander, a popular hybrid SUV sold around the world, can be easily broken into by attackers exploiting security weaknesses in the setup that allows the car to be remotely controlled via an app. After discovering the SSID and the pre-shared key, they connected to a static IP address within a network's subnet, and this allowed them to sniff the Wi-Fi connection and send messages to the car. Through these messages they were able to turn the car's lights, air conditioning and heating on and off, change the charging programme and, most importantly, to disable the car's anti-theft alarm.

5 of 58 comments

  1. IOT = Internet of Troubles by scsirob · Score: 2

    In their effort to make things ever easier for consumers, and to improve time-to-market, manufacturers skip the most basic security best practices.
    This will kill the IOT market in general. Ever more gadgets with ever weaker security.

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
  2. Poor system design by bobdehnhardt · Score: 5, Interesting

    Every time I read about these, it strikes me that it all goes down to poor system design. The computers and functions dealing with the operation of the car need to be isolated from the entertainment systems, including WiFi, at least so far as inputs are concerned. Apps that allow the user to unlock the doors or start the engine, WiFi and OnStar systems that allow on-the-air updates of control software, these are all inherently insecure and always will be! They tie into systems that need to be air-gapped and only accessible via physical access to the car.

    Security is almost always a trade-off with utility or convenience. But auto makers have gone way too far, to the point of threatening public safety. These car computer systems need to be redesigned from the ground up with proper security practices and risk assessments in place.

  3. There are no consequences for bad security by schwit1 · Score: 2
    Other than bad publicity.

    The status quo will not change until CEOs are held criminally liable or terrorists (hackers) start crashing cars into each other.

  4. Re:Hmmm.. by viperidaenz · Score: 2

    initially seeded at the factory with unique one time pads

    Great way to increase the sales of genuine spare parts.
    Wrecking yards won't be able to resell second-hand components.

  5. Re:Surprise surprise by 0100010001010011 · Score: 2

    Yep. This is what happens when you make EEs design network stuff. Stuff like the CAN bus is incredibly open because it wasn't thought of as a network that needed 'security'. If our cars are going to have networks they need to hire people that take care of 'traditional network' security.