Over the years, vehicles have increased in their connectedness with endpoints intra- and inter-vehicle. This has taken the form of the vehicle communicating with itself (brakes and tire pressure for example) and with external sources for the radio, Onstar, internet, maps, and other useful apps. This has been a benefit to the consumer with the additional functionality and has improved drastically the vehicle user experience.
With the good also comes the bad. These improvements have been applied in a short-time frame. As these have been implemented in short order, certain corners had to be cut or at least folded in order to maintain the workflow and milestones in a timely manner. Unfortunately security has been one of these areas pushed aside at times with short-cuts (Pudwell, 2016). The effect of this has been evidenced by issues with breaches at the brakes, entire system, and ancillary services.
The effects have ranged from a nuisance to permanent issues involving the driving function. These unfortunately have become much more serious to the point where the federal regulators and FBI have clearly warned the automakers to improve and increase the security in the vehicle (Kieler, 2016). This so far has not occurred to a significant point as evidenced by the continued vehicle vulnerabilities that could have been avoided. The latest example of this involves the 2017 Mitsubishi Outlander PHEV.
With other pen testers not contracted to analyze the vehicle’s vulnerabilities, historically the methodology has been mixed. The first option was to not notify the manufacturer of the issue. The vehicle manufacturers would learn of the vulnerability with everyone else as this would be published in the wild. The manufacturers would then have to rush and push its engineering team to code a fix for the issue and push the patch over the air (OTA). This would be a bit sensational.
In an alternative choice, the manufacturer would be made aware through a third party, perhaps a bug bounty business operating as a third party. The pen tester/researcher would find the vulnerability and contact a third party, e.g. the EFF, and the third party would contact the manufacturer. This provided a shield and insulation from the manufacturer in case issues would ensue.
In a third instance, the researcher contacts the vehicle manufacturer regarding the vulnerability. The researcher, having done the responsible act, waits for the patch or some form of notification that the issue has been remediated. The patch is not pushed and the vulnerability would happen to not be fixed within a reasonable amount of time. The manufacturer may be contacted again. There may be still no patch or remediation completed. The researcher may then release the vulnerability into the wild. This avenue would be chosen due to the vulnerability being open and potentially hurting the consumer. To not release this would be irresponsible as this would allow further exposure to the consumer while nothing is being done or this project is not overly focused on.
With the subject issue, Mitsubishi was notified. Unfortunately, Mitsubishi did not respond immediately. It is notable that the manufacturer showed a distinct lack of interest in remediating the issue (MCT, 2016; Bryant, 2016). After waiting, the pen testers contacted the BBC, which then reported the problem. Mitsubishi was then interested in resolving the issue.
The vulnerable vehicle is the Mitsubishi 2017 Outlander PHEV (hybrid electric car) (Cluley, 2016). The vehicle is scheduled to be sold in 3Q2017 in the U.S. and Canada (MCT, 2016). This vehicle is for sale now in the UK and Australia (Chester, 2016). The issue and vulnerability with this vehicle was centered on the mode of communication. Generally vehicles use generally accepted methods, e.g. SMS (Gordon-Bloomfield, 2016) for the communications of various purposes. The engineers with the Outland elected to have the vehicle have its own wireless access point (WAP). This is an anomaly.
Methodology of the Breach
The vulnerability for the Outlander is focused on the access system or wifi (Ulrich, 2016). The vehicle was pentested by Pen Test partners (Cluley, 2016). Specifically, the vulnerability was due to the method the vehicle connected with its mobile app. With this vehicle, it was unusual that the vehicle would have its own WAP (Cook, 2016; Millman, 2016; Smith, 2016; Reisinger, 2016). This is used to connect to the owner’s app versus using the GSM. Most other vehicles use the web service hosted by the vehicle’s manufacturer or the provider of the service.
Another issue involved the pre-shared key used by the WAP. This is pre-shared key is different for each vehicle. In this case, the pre-shared key was written on a piece of paper located in the owner’s manual. The format for this likewise was not appropriate and too short (Smith, 2016). The pen testers, who had sniffed the traffic, cracked the code using a 4-GPU system. This process took less than four days to complete (Millman, 2016). This would not have taken as long if the pen testers would have used a cloud service. The ease of cracking this was due to poor implementation (Kieler, 2016). This cracking was done with a simple brute force attack. Once the attackers had captured an authentication attempt, the attackers were able to brute force the key (Ullrich, 2016). Once this was cracked, it was not difficult to break the messaging protocol (Cluley, 2016).
Mitsubishi also did not attempt to hide the IP address very well (Reisinger, 2016). This created a security issue that was significantly a problem. In addition, the manufacturer used the SSID which used the same template for the vehicles (Ullrich, 2016; Bryant, 2016; BBC, 2016) for the wi fi. The problem here is the format was not abundantly complex, as it was REMOTE nnaa (Smith, 2016). This attack, when successful, allowed the vehicle to be tracked (Ullrich, 2016), unlock the car (MCT, 2016; Bryant, 2016), to turn off the alarm (Ullrich, 2016; Cook, 2016; Charlton, 2016; Bryant, 2016; Kieler, 2016), and turn on the vehicle’s lights, heating and air conditioning (Kieler, 2016).
These attacks certainly, for the user, have the potential to be significantly annoying. The reach of these however is much deeper and potentially nefarious. The end effects, with an attack vector in a motivated deviant’s hands, are much greater and expansive than a simple nuisance. The vehicle’s battery could be drained. The attacker could turn on the air conditioning or heat, or turn these on and off alternatively. With the electric car, this activity would pull charge from the battery, draining it (Cook, 2016). The attacker could turn the heat on full in mid-August just after the owner was to go into the office building. The battery would be drained and the owner would be stranded.
The attack could unlock the car remotely. The vehicle owner could go to a professional baseball game. The car would need to be parked in a ramp or a flat lot for hours. After the first inning of the game, the attacker could unlock the vehicle and steal the contents and/or the vehicle without the owner knowing it until the game was over and the owner returned to the car.
The attacker could geographically locate the vehicle. The vehicle may be followed to the owner’s workplace, home, or vacation spot. The attacker would presumptively know where the owner is located, which is away from the home. The attacker could access the home, notwithstanding an alarm on the home, without the owner there to interrupt the liberation of their assets.
On a tangent, what makes this lack of security interesting is the secondary level of the attack. Once the vehicle is unlocked, the attacker clearly has access to the personal items left in the car. At this point, the attacker also has access to the OBD-II port (Bryant, 2016; MCT, 2016; Smith, 2016; Zorz, 2016). This is the port that generally is used for diagnostic work. This opens a whole new realm of attack opportunities.
Initially, Mitsubishi was not very interested in resolving the issue. Eventually, the message was their engineers were working on this. The owners were recommended, at the time, by Mitsubishi to unpair any devices connected to the vehicle’s wi-fi or WAP (Bryant, 2016; MCT, 2016; Reisinger, 2016; Smith, 2016).
There are a number of info sec measures that could be implemented in order to minimize making the same errors repeatedly or making significant oversights creating new problems. The security function should be standardized. There should be a checklist of items (e.g. applications, secure communication channels, endpoints, level of security, etc.) to check. The connectiveness should be verified in and out of the vehicle. There are security features already implemented with the vehicle. At times these are implemented but not verified after this. In theory this should be fine and workable. In practice, these are put into the vehicle and not checked afterwards. The code placed into the vehicle may not be the production code. This could create a significant problem.
There are many other avenues to security that should be implemented. Adopting the info sec aspect will take time and efforts to alter the thinking process. This however is a worthwhile endeavor.
BBC. (2016, June 6). Mitsubishi outlander hybrid car alarm ‘hacked’. Retrieved from http://www.bbc.com/news/technology-3644586
Bryant, B. (2016, June 6). Researchers wirelessly hack Mitsubishi outlander hybrid SUV, turn off anti-theft alarm. Retrieved from http://popherald.com/2016/06/06/researchers-wirelessly-hack-mitsubhishi-outlander-hybrid-suv.html
Charlton, A. (2016, June 6). ‘Shocking’ lack of security means hackers can disable Mitsubishi outlander alarm. Retrieved from http://www.ibtimes.co.uk/shocking-lack-security-means-hackers-can-disable-mitsubishi-outlander-alarm-1563852
Chester, R. (2016, June 7). Security experts hack Mitsubishi outlander through a flaw in wi-fi app. Retrieved from http://www.news.com/au/technology/security-experts-hack-mitsubishi-outlander-through-a-flaw-in-wifi-app/news-story/2dd2280dbc2fa1ea57678fee24b8d0a
Cluley, G. (2016, June 7). Lax security means hackers could steal your Mitsubishi outlander. Retrieved from http://www.hotforsecurity.com/blog/ax-security-means-hackers-could-steal-your-mitsubishi-outlander-14081.html
Cook, J. (2016, June). Researchers figured out how to hack into Mitsubishi car and turn off the alarm. Retrieved from http://www.businessinsider.com/pen-test-partners-hack-into-mitsubishi-outlander-turn-off-the-alarm-drain-battery-2016-6
Gordon-Bloomfield, N. (2016, June 6). Mitsubishi outlander plug-in hybrid has security flaw that means hackers can locate, unlock, steal your car. Retrieved https://transportevolved.com/2016/06/06/mitsubishi-outlander-plug-in-hybrid-has-security-flaw-that-means-hackers-can-locate-unlock-steal-your-car/
Kieler, A. (2016, June 6). Vulnerability leaves Mitsubishi outlander’s wifi open to hacks. Retrieved from https://consumerist.com/2016/06/06/vulnerability-leaves-mitsubishi-outlanders-wifi-open-to-hacks/
MCT. (2016, June 8). Security firm hacks Mitsubishi outlander via in-car wifi. Retrieved from http://www.afr.com/technology/web/security/security-firm-hacks-mitsubishi-outlander-via-incar-wifi-20160607-gpdyu9
Millman, R. (2016, June 6). Wireless hack could result in mitsubishi cars being stolen. Retrieved from http://scmagazineuk.com/wireless-hack-could-result-in-mitsubishi-cars-being-stolen/article/501046/
Pudwell, S. (2016, June 6). Mitsubishi outlander hack: Industry reaction. Retrieved from http://www.itportal.com/2016/06/06/mitsubishi-outlander-hack-industry-reaction
Reisinger, D. (2016, June 6). Researchers uncover Mitsubishi outlander wi-fi bug. Retrieved from http://www.pcmag.com/news/345014/researchers-uncover-mitsubishi-outlander-wi-fi-bug
Smith. (2016, June 6). Researchers wirelessly hack Mitsubishi outlander hybrid SUV, turn off anti-theft alarm. Retrieved from http://www.networkworld.com/article/3079745/security/researchers-wirelessly-hack-mitsubishi-outlander-hybrid-suv-turn-off-anti-theft-alarm.html
Ullrich, J. (Producer). (2016, June 7). SANS internet storm center daily security and information security podcast [Audio Podcast]. Retrieved from https://isc.sans.edu/podcast.html
Zorz, Z. (2016, June 6). Researchers hack the Mitsubishi outlander SUV, shut off alarm remotely. Retrieved from https://www.helpnetsecurity.com/2016/06/06/researchers-hack-mitsubishi-outlander/
Share on Facebook
Share on Twitter
I'm busy working on my blog posts. Watch this space!