Mitsubishi says Outlander PHEV hack “a first”
Earlier this week a video hit the Web showing how a Mitsubishi Outlander PHEV could be hacked into via its smartphone app to access and control various functions.
IF YOU OWN a Mitsubishi Outlander PHEV then there’s no doubt this news might sound disturbing but it isn’t as bad as it might sound. But it does highlight some issues with how the Outlander PHEV’s smartphone app connects to the vehicle and, as Mitsubishi Australia’s communications boss, Shayna Welsh, told Practical Motoring “Mitsubishi Motors takes this matter very seriously and our company’s specialists will be deployed to better understand the issue”.
Before we get into the hacking itself and if you’re freaking out that every spotty geek within a few kilometres will be able to access your Outlander and start flashing its headlights, Welsh said “at this early stage and until further technical investigation, customers who are concerned about their vehicle should deactivate the WiFi using the ‘Cancel VIN Registration’ option on the app, or by using the remote app cancellation procedure”.
“Whilst obviously disturbing, from the reports this hacking only affects the car’s Smartphone app, therefore having limited effect to the vehicle (alarm, charging, heating). It should be noted that the hacking activity described has not affected the vehicle’s immobiliser and without the smart key control device, the car cannot be started and driven away,” Welsh told Practical Motoring.
So, just what was the hack? Well, the company that decided to hack into the Outlander PHEV is UK-based IT company Pen Test Partners, which stands for Penetration Testing and Security Services. The company is well known in the UK and regularly writes for BBC publications about backdoors it finds in everyday household items, like the Sony Bravia TV it hacked and could then listen in to a conversation taking place by said TV… creepy.
According to the post on its website, Pen Test Partners said its interest in the Outlander PHEV had been piqued when it noticed that its smartphone app connected “had an unusual method of connecting to the vehicle so we bought one to investigate”.
The difference between the Outlander PHEV and other vehicles, according to Pen Test Partners, is that instead of using a web-based service hosted by the car manufacturer which then connects to the vehicle using GSM and a module on the car; allowing access to it from anywhere in the world via mobile data…
“Instead of a GSM module, there is a Wi-Fi access point on the vehicle. In order to connect to the car functions, we have to disconnect from any other Wi-Fi networks and explicitly connect to the car AP. From there, we have control over various functions of the car.
“This has a massive disadvantage to the user in that we can only communicate with the car when in Wi-Fi range. I assume that it’s been designed like this to be much cheaper for Mitsubishi than a GSM / web service / mobile app based solution. There’s no GSM contract fees, no hosting fees, minimal development cost.”
It took the team at Pen Test Partners around four days to hack into the Outlander PHEV but (although they claim they could have done it quicker), once inside the machine claimed they could unlock it, order it to charge only on “premium rate” electricity, activate the climate control and turn on and off the headlights. However, and while this is indeed a serious breach, Mitsubishi and Pen Test Partners stated they couldn’t actually start the vehicle without the smart key and the engine immobiliser remained active throughout the security breach. That said, I’m sure it wouldn’t take them too long to clone a key… the company, in its blog, made mention of others who’d hacked BMWs and had been able to clone a key. A read between the lines threat? Maybe.
The upshot is that with more connectivity comes greater risk, although the company does suggest there are safer ways for smartphone apps to connect to vehicles. So, where it used to be a piece of wire or a brick through the window to break into someone’s car, now it’s a laptop and the Internet.
How configurable is the WiFi unit in the car for the end user? There are various ways of making WiFi more difficult to hack if it can be properly configured like a home WiFi unit can…which bega the question of how it compares to your average ISP supplied router when it comes to online security….
The limited range of the WiFi also means you have to be fairly close to the car to hack it….so is it even realistic that the vehicle could be hacked if you weren’t constantly in range of its access point for the required time frame?
Good question. I’ve no idea – Isaac