Security researchers at Pen Test Partners have discovered a flaw that lets an attacker within Wi-Fi range take control of several functions of Mitsubishi's Outlander plug-in hybrid electric vehicle (PHEV).
As explained on their blog, Mitsubishi chose an unusual way to connect the vehicle to its mobile app. Rather than routing commands through a cloud-based server, the Outlander runs its own Wi-Fi access point and the owner's phone joins it directly. Aside from limiting the app to Wi-Fi range, this design creates several security problems.
For starters, the pre-shared key for the vehicle's access point is printed on a piece of paper in the owner's manual, which is typically kept in the glove box. More worrying, the key is weak enough to brute-force offline: the researchers cracked it on a 4x GPU rig in under four days, and renting cloud GPU capacity would shorten that considerably.
From a man-in-the-middle position between the app and the car, the team could turn the vehicle's lights on and off, change its charging rate, and switch the air conditioning and heating on or off. Worse, they could disable the vehicle's alarm.
Until a fix ships, Pen Test Partners recommends unpairing every mobile device from the car's access point. Once no device is paired, the Wi-Fi module puts itself to sleep and can only be woken by pressing the key remote 10 times.
The firm says Mitsubishi showed little interest at first but changed its position once the BBC got involved. A medium-term fix is now in the works, we're told.