A few basic hacks can let the common man gain access to an advanced SUV by hacking a Wi-Fi password.
Computer security experts in the UK have discovered, and subsequently, exploited a weakness in the Mitsubishi Outlander PHEV that opens its to manipulation by a possibly malicious third party.
A very informative video by Pen Test Partners details the low fence in the car’s security barrier, showing us how relatively easy it is to gain access to an over-$50,000 SUV, with just the aid of a wirelessly-capable computer.
The exploit involves a Wi-Fi access point that is built into the car, one that allows it to communicate with the companion smartphone app to enable remote features such as locking/unlocking, turning on lights, starting the car up, pre-cooling or pre-heating the cabin, schedule charging times, etc.
Forgive us any mistakes in our summarising of the technical details, but it seems that most other cars with similar remote access functions would send the command from the smartphone to the internet (to a manufacturer-owned server bank, most likely), and then from the internet to the car itself, allowing end-to-end encryption of the command that is much harder to crack. Basically, the internet is the middleman and that’s a good thing.
In the case of the Outlander PHEV, however, the command is sent directly to the car if it is nearby and within range of the car’s wireless access point. This means that the encryption and decryption happens locally, leaving it open to a ‘man-in-the-middle attack’.
This would allow a person with malicious intent to, with the right knowledge, quite easily decrypt the car’s security key (ie Password, as a PSK), exactly like the one you’d use on your home Wi-Fi network – and Wi-Fi network security are quite routinely broken. But the difference is that instead piggybacking your internet plan, someone would have taken the first significant step to controlling your car.
Worrying.
Cars are getting more and more connected with each iteration, with manufacturers claiming a different take on arguably identical solutions by branding it with a snazzy name. Even so, detractors have criticised the automotive industry in general for lagging behind the times when it comes to in-car technology that is actually a meaningfully convenient addition as opposed to just a surface level gimmick.
But with progress comes these kinds of vulnerabilities, and typically automakers have a history of not being the most adept at devising the safest barriers to protect these features from attacks such as this. With the stakes this high, not only in terms of possibly compromising an expensive vehicle but also the lives in it, this is a reminder that connected convenience should only come with a rigorous focus security.
