Researchers Hack the Mitsubishi Outlander SUV, Shut Off Alarm Remotely (helpnetsecurity.com)
Reader Orome1 writes: Mitsubishi Outlander, a popular hybrid SUV sold around the world, can be easily broken into by attackers exploiting security weaknesses in the setup that allows the car to be remotely controlled via an app. After discovering the SSID and the pre-shared key, they connected to a static IP address within a network's subnet, and this allowed them to sniff the Wi-Fi connection and send messages to the car. Through these messages they were able to turn the car's lights, air conditioning and heating on and off, change the charging programme and, most importantly, to disable the car's anti-theft alarm.
Re: (Score:1)
It has to do it that way, because it can't get up to 88 mph.
Re: (Score:2)
Have you read the DMCA? Security researching is explicitly exempt.
It was also not done in the USA, so I don't know what the DMCA has to do with it at all.
Re: (Score:2)
Tesla doesn't have the same engineering model. Most car manufacturers have internal cultures that prize these simple lightweight solutions because they need to design for incredibly low margins. They hire tons of EEs to write software who've never been formally trained in network security. They implement custom unproven protocols for EVERYTHING. Basically everything we've done to make the internet work they ignore and think they know better.
Re: (Score:3)
Yep. This is what happens when you make EEs design network stuff. Stuff like the CAN bus is incredibly open because it wasn't thought of as a network that needed 'security'. If our cars are going to have networks they need to hire people that take care of 'traditional network' security.
Re: (Score:2)
Yep.
I just can't WAIT for my more connected car...then, my fucking SELF driving car...yeah, nothing can go wrong there....
[rolls eyes] I suppose all these years of me physically driving and being responsible for the car's behavior, good to throw that all out the window.
I as a human, can't really be hacked remotely like this (I keep my tin fo
You know some Terminator is going to exploit this (Score:1)
Pretty soon, poor John Connor will have Mitsubishi after Mitsubishi chasing him down.
Remotely control the car via. app (Score:1)
Whoever thought of this should get a Nobel Prize.
Re: Remotely control the car via. app (Score:1)
David Hasselhoff claims prior art!
Re: (Score:2)
Now I'm not a fan of IoT either but this has nothing to do with it. It's just a badly set up WLAN (with no internet access).
Mitsubishi still makes cars? (Score:2)
Re: (Score:2)
The last time I checked, Mitsubishi was at less than 0.6% of the U.S. market. Apparently Mitsubishi is a big enough corporation that low sales volume of their automobiles in the U.S. doesn't matter much. The dealer claims they're not going anywhere.
If you're looking to buy a reasonably priced, turbo, AWD vehicle you don't have much choice between Subaru and Mitsubishi unless you're willing to spend twice as much.
Re: (Score:2)
If you're looking to buy a reasonably priced, turbo, AWD vehicle you don't have much choice between Subaru and Mitsubishi unless you're willing to spend twice as much.
There is certainly a segment of the market that values the Evo and the WRX STI. I am not of that segment and it goes beyond my disdain for whale tails on my back bumper.
To me, those cars answer a question I have never asked or felt a reason to ask. I have never found myself looking for a car with massive turbo lag, poor fuel economy, a back seat that nobody over 5'8" can sit in for more than 10 minutes, and a requirement for premium gas. Sure, they are fast with the turbo fully spooled up and runnin
Re: (Score:2)
quietly went under or were absorbed by Toyota.
Seriously? Mitsubishi is in mining, shipbuilding, telecom, financial services, insurance, electronics, automotive, construction, heavy industries, oil and gas, real estate, foods and beverages, chemicals, steel, aviation and others.
It's a Japanese Keiretsu [wikipedia.org], they are not "quietly going under" or being "absorbed by Toyota" any time soon.
Hmmm.. (Score:2)
I remember about 8 years ago, mentioning that the proposed smart cars the industry was crowing about would be a hacker's paradise, because of compounding costs of manufacture driving security based design out the window.
Seems I was right, despite all the loud objections I got that called me crazy. Fancy that. /shameless self promotion
Really, these recent reports of hackable cars all fail for the same reasons: The car's internal network is presumed secure, instead of presumed hostile. This ignores the pri
Re: (Score:3)
initially seeded at the factory with unique one time pads
Great way to increase the sales of genuine spare parts.
Wrecking yards won't be able to resell second-hand components.
Poor system design (Score:5, Interesting)
Every time I read about these, it strikes me that it all goes down to poor system design. The computers and functions dealing with the operation of the car need to be isolated from the entertainment systems, including WiFi, at least so far as inputs are concerned. Apps that allow the user to unlock the doors or start the engine, WiFi and OnStar systems that allow on-the-air updates of control software, these are all inherently insecure and always will be! They tie into systems that need to be air-gapped and only accessible via physical access to the car.
Security is almost always a trade off with utility or convenience. But auto makers have gone way too far, to the point of threatening public safety. These car computer systems need to be redesigned from the ground up with proper security practices and risk assessments in place.
Re: (Score:2)
The computers and functions dealing with the operation of the car need to be isolated from the entertainment systems, including WiFi, at least so far as inputs are concerned.
Sadly, I think that's something that will need the force of law before they will start abiding by such basic security precautions.
Re: (Score:2)
You seem to be underestimating how useful these features are. Being able to turn on my engine and warm the car (read: melt the ice on the window so it's drivable) from my bed seems like a VERY useful feature.
Fuel must be nearly free where you live; have you any idea of how inefficient that is? (and non-green, even though I am not a green fan much myself)
I leave an old rug on the windscreen overnight, and a hot water bottle in the car directly under the windscreen while I am eating breakfast. Anyway, I would feel extremely uneasy about starting my car remotely, especially if I could not even see it. It amazes me that it is legally possible.
Re: (Score:2)
Anyway, I would feel extremely uneasy about starting my car remotely, especially if I could not even see it. It amazes me that it is legally possible.
I agree with the rest, but this I don't understand.
A remotely started car will still be in park, and it will remain locked. Now, the owner could unlock it from his basement and leave it running for hours, of course, but that would be rather stupid.
Re: (Score:2)
The thing is that so far they have used the wifi to access only the functions that the wifi system is meant to have access to, those functions are supposed to be limited to the owner so yeah there's a security issue there, a MITM attack it reads like.
but. It doesn't give access to anything terribly exciting, or dangerous. "oooh scary they can drain the drive battery" (by activating the pre-heater), it's a hybrid, it has a petrol engine, that battery drain could cost you whole pennies in extra fuel on your jo
No matter (Score:1)
No one wants to steal a Mitsubishi anyway.
Re: (Score:2)
if done RIGHT, internet connectivity of the network of devices inside the car has all kinds of benefits.
1) devices that control fuel efficiency can have their firmwares updated by the manufacturer OTA, improving the product without ever taking it to a dealership for service.
2) Anomalies in function can be solved through the same mechanism as 1 above.
3) The obvious: Map data, fine location sensing from known wifi hotspots nearby, cloud data services, and other directly user-facing capabilities.
The issue: The
Re: (Score:2)
What happens in 50 years when all cars drive themselves, are networked, and someone wants to cripple our infrastructure?
That is simple enough. Require autonomous vehicles to be capable of navigating safely without network connectivity.
Since manually-driven vehicles and autonomous vehicles will coexist for a while, the first networked autonomous vehicles will definitely support an "offline mode" that does not require peer interaction. Simply require that it be kept as a backup in case the network is down.
On top of that, if vehicles can be set up or started in offline mode then it should be fairly simple to stop a worm, mitigat
Re: (Score:2)
1) devices that control fuel efficiency can have their firmwares updated by the manufacturer OTA, improving the product without ever taking it to a dealership for service.
2) Anomalies in function can be solved through the same mechanism as 1 above.
________
Because what I want is someone I don't know fooling around with the car I bought and own any time they want without me knowing it.
That sounds completely logical.
Re: (Score:2)
if done RIGHT, internet connectivity of the network of devices inside the car has all kinds of benefits.
1) devices that control fuel efficiency can have their firmwares updated by the manufacturer OTA, ... without ever taking it to a dealership for service.
Most people do take their car for a routine service anyway. Such updates cannot be that urgent.
2) Anomalies in function can be solved through [firmware updates]
No thanks. I have a Jeep Grand Cherokee and there were some rare cases of the transfer case (TC) putting itself into neutral while parked (the circumstances seemed dubious according to Jeep owners' forums). If the owner had not bothered to apply the handbrake also the car could roll away. Jeep's "solution" to absolve themselves was a software patch to fix the TC in High (ie normal road) ratio. This disab
Re: (Score:2)
4) The vehicle can be remotely disabled/shut-down by the dealer if you don't make your monthly payment on time.
5) The vehicle can be remotely disabled/shut-down by the police if they merely suspect that you might have been remotely connected to a crime. "Shutdown first, and ask questions later".
6) The vehicle can be remotely disabled/shut-down by criminals on the other side of the planet, who demand payment in Bitcoins to re-enable the car.
Actual technical info (Score:1)
Here's the original source, not a spammy blog, written in broken English:
https://www.pentestpartners.co... [pentestpartners.com]
There are no consequences for bad security (Score:3)
The status quo will not change until CEOs are held criminally liable or terrorists (hackers) start crashing cars into each other.
This is only going to get worse (Score:2)
The EU has recently mandated that new cars need wireless technology so they can automatically dial emergency services in an accident. So now even more cars will have vulnerable wireless links to the outside world that could potentially be exploited by hackers.
Re: (Score:2)
You are referring to the eCall system, it is mobile phone (GSM) based, and is meant to remain dormant until there is an accident, at which point it calls the emergency services and reports the location and a few other limited pieces of info. There are quite strict rules on data privacy and anti-tracking that go with it.