A Closer Look at the Recently Exposed Mitsubishi Outlander Hack

A white hat hacker identifies another security flaw in automotive design.

Dashboard ImageImagine this scenario: You just bought a new car, and you can’t wait to show it off to your friends. One of those friends happens to be a penetration tester for a security firm. While admiring your vehicle, he happens to notice an oddity in the design that throws up a red flag. After further testing, he discovers that your brand new vehicle possesses a critical vulnerability.It’s not a tall tale. It’s what happened when Ken Munro, a security industry maverick working for the UK-based Pen Test Partners, examined a friend’s new Mitsubishi Outlander and discovered the hybrid vehicle’s mobile application communicates via WiFi. According to Munro in an interview with Dark Reading, most luxury vehicles boast mobile applications that communicate over GSM or LTE 4G, both of which are decidedly more difficult to hack.

After purchasing a new Mitsubishi Outlander for testing, Munro was able to successfully execute a man-in-the-middle attack over WiFi and easily disable the vehicle’s anti-theft alarm. “I know this can be upsetting,” he said. “But keep in mind that this field didn’t exist three years ago. So to be fair to the car companies, they are working to fix the various flaws we find.”

Munro explained how he discovered the Outlander WIFI vulnerability and its related risks. First, after cracking the WiFi key, Munro’s colleague was able to write a script that remotely turned off the car’s theft alarm. It was as simple as telling the system “alarmoff.” Munro also discovered that the Outlander could be located anywhere by “war drivers,” hackers who drive around to scan for wireless access points. Someone in range of the car could “sniff out” the connection, save that data, and then crack the WiFi key at any time.

Mitsubishi Outlander owners can protect themselves by going into the mobile app and selecting the option to “cancel VIN registration.” While it’s an inconvenience not to have WiFi service, it makes sense to disable it until Mitsubishi issues a fix for this vulnerability. The Mitsubishi website also outlines a three-step process for disabling the wireless service.

You may remember last year we reported on a similar vulnerability with Fiat Chrysler. Let this serve as a reminder that as vehicles become part of our networked world, they too are becoming targets for criminal activity – and you may not be as secure as you think.

Experience Dynamic Endpoint Modeling on Your Own Network

Getting better visibility into your network and improving your security couldn’t be easier. Sign up for a free, no-risk trial of Observable’s Endpoint Modeling solution, and change the way you see security.