Mitsubishi asked to recall 100,000 Outlanders over security flaw
07 Jun 2016
A team of security researchers has asked Mitsubishi to recall at least 100,000 Outlander hybrid cars after identifying a vulnerability that allowed them to remotely turn off the car's alarm system, control the lights and drain the battery.
The team leader, Ken Munro, first became aware of the issue when a friend's Outlander showed up as a Wi-Fi access point on his phone. To investigate, he bought the car himself and set about hacking it.
Modern cars with their own smartphone apps offer a way of monitoring features such as battery level and alarm status, and usually connect through a web-based service over GSM, a mobile data channel.
The Outlander, however, uses Wi-Fi to connect the car directly to a smartphone. This design is less secure and allowed Munro to disable the alarm and then open the car.
According to Munro, the car's insecure software system was probably a result of cost-cutting by Mitsubishi. "I assume that it's been designed like this to be much cheaper for Mitsubishi than [the more secure] GSM/web service/mobile app based solution," wrote Munro.
"There's no GSM contract fees, no hosting fees, minimal development cost. This has a massive disadvantage to the user."
The Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) is a top-selling family hybrid SUV, with over 100,000 of them being sold worldwide, and around 22,000 of those in the UK alone.
A piece of paper included in the owners' manual displays the Wi-Fi pre-shared key.
According to commentators, the key's format was too simple and too short: using brute-force techniques, the team recovered the pre-shared key within four days.
Commentators point out that, with a more powerful rig or a cloud-based system, the time taken to recover such keys could be drastically reduced.
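To show why a short, fixed-format pre-shared key falls to brute force, the following is an added example (not code from the article or from the researchers): it derives the WPA2 Pairwise Master Key the way the standard does (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), estimates the cost of exhausting a given key format, and runs a tiny offline search against a constructed target. The SSID "DEMO-SSID", the key prefix "demo-key-", the two-letter suffix and the guess rates are all assumptions chosen so the search finishes in seconds; nothing here reflects the Outlander's actual key format or SSID.

```python
import hashlib
import itertools
import string


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2 Pairwise Master Key (IEEE 802.11i).

    An offline attacker who has captured a 4-way handshake must run this
    derivation once per candidate passphrase and check the result against
    the handshake MIC, so attack cost = keyspace size x one PBKDF2 call.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def keyspace_size(alphabet: str, length: int) -> int:
    """Number of candidates for a key made of `length` symbols from `alphabet`."""
    return len(alphabet) ** length


def worst_case_seconds(alphabet: str, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a given guess rate (assumed rate)."""
    return keyspace_size(alphabet, length) / guesses_per_second


def brute_force_pmk(target_pmk: bytes, ssid: str, prefix: str, alphabet: str, length: int):
    """Exhaustively try prefix + every `length`-symbol suffix until the PMK matches.

    A real attack compares each candidate PMK against a captured handshake
    (PTK + MIC check); here the known PMK stands in for the handshake so the
    example runs offline.
    """
    for cand in itertools.product(alphabet, repeat=length):
        passphrase = prefix + "".join(cand)
        if wpa2_pmk(passphrase, ssid) == target_pmk:
            return passphrase
    return None


if __name__ == "__main__":
    # Constructed target: an attacker would instead hold a captured handshake.
    ssid = "DEMO-SSID"                      # assumption, not the real SSID
    secret = "demo-key-mx"                  # assumption: known prefix, 2 unknown letters
    target = wpa2_pmk(secret, ssid)

    found = brute_force_pmk(target, ssid, "demo-key-", string.ascii_lowercase, 2)
    print("recovered:", found)

    # How the key format, not the cipher, decides the attack time. Rates are
    # illustrative assumptions, not measurements of any particular hardware.
    for alphabet, length, label in [
        (string.digits, 8, "8 digits"),
        (string.ascii_lowercase, 8, "8 lowercase letters"),
        (string.ascii_letters + string.digits, 12, "12 mixed alphanumerics"),
    ]:
        for rate in (1e5, 1e7):
            days = worst_case_seconds(alphabet, length, rate) / 86400
            print(f"{label:24s} at {rate:.0e} guesses/s: {days:,.1f} days worst case")
```

The lesson for a vendor is in the third loop: a key drawn from a large alphabet at adequate length pushes the worst case out by orders of magnitude, whereas a short key of predictable format is exhausted quickly no matter how strong PBKDF2 is per guess.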