Researchers Hack the Mitsubishi Outlander SUV, Shut Off Alarm Remotely

Reader Orome1 writes: Mitsubishi Outlander, a popular hybrid SUV sold around the world, can be easily broken into by attackers exploiting security weaknesses in the setup that allows the car to be remotely controlled via an app. After discovering the SSID and the pre-shared key, they connected to a static IP address within a network's subnet, and this allowed them to sniff the Wi-Fi connection and send messages to the car. Through these messages they were able to turn the car's lights, air conditioning and heating on and off, change the charging programme and, most importantly, to disable the car's anti-theft alarm.

Poor system design

[bobdehnhardt]

Every time I read about these, it strikes me that it all goes down to poor system design. The computers and functions dealing with the operation of the car need to be isolated from the entertainment systems, including WiFi, at least so far as inputs are concerned. Apps that allow the user to unlock the doors or start the engine, WiFi and OnStar systems that allow on-the-air updates of control software, these are all inherently insecure and always will be! They tie into systems that need to be air-gapped and only accessible via physical access to the car.

Security is almost always a trade off with utility or convenience. But auto makers have gone way too far, to the point of threatening public safety. These car computer systems need to be redesigned from the ground up with proper security practices and risk assessments in place.