Mitsubishi hack shows why current connected car security just isn’t up to it
Another day, another story of car hacking and general skulduggery. First we had Jeep, then it was Corvette, and now, after several others, it is the turn of Mitsubishi.
Research from Pen Test Partners found a high number of security vulnerabilities in the Mitsubishi Outlander PHEV; in the words of Ken Munro, of Pen Test Partners, some were funny, while others were potentially dangerous.
The methods of connecting the mobile app to the car were particularly alarming; instead of using GSM, the PHEV uses Wi-Fi. This may work on paper – although only being reactive within Wi-Fi signal range puts the user at a disadvantage – yet Pen Test Partners found that they could crack the pre-shared key (PSK) within four days and obtain the SSID. The result was that the hackers could mess around with various parts of the car, including the lights, the charging programme and the air conditioning, as well as disabling the theft alarm.
“This is shocking and should not be possible,” the researchers wrote.
Perhaps most disturbingly, Mitsubishi replied with complete indifference to the private disclosure from Pen Test Partners, until the security firm went public. Pen Test insisted the Japanese automotive firm are “taking the issue very seriously at the highest levels.”
So what does this mean for the industry? Daniel Thunberg, global head of Internet of Things at platform security firm Irdeto, is in no doubt that the industry is not keeping up with bad actors. “What struck me while reading the report was the vulnerability that allows access to the in-vehicle infotainment system from the Wi-Fi module,” Thunberg said. “Not only do these hacks impact consumer safety, but access to the IVI unit also gives hackers the ability to steal personal consumer data.
“Last year’s Jeep hack was just the beginning and this Mitsubishi hack is just the latest example of weak security that needs to be addressed in connected cars to keep drivers safe behind the wheel,” he added.
According to Pen Test Partners, any fix from Mitsubishi is expected to take some time, arriving as a firmware upgrade rather than anything over the air. In the short term, all mobile devices should be unpaired from users’ car access points, the researchers argue, although in the long term Mitsubishi’s “rather odd” Wi-Fi access point needs to be completely re-engineered. “Words like ‘recall’ spring to mind,” the researchers drily note.