SAN FRANCISCO — A British security firm has successfully hacked into a Mitsubishi Outlander Plug-In Hybrid, rekindling the debate over automobile vulnerability in an age where cars increasingly rely on their computers.
Pen Test Partners purchased a 2017 Outlander PHEV, which is expected to go on sale in the U.S. this fall, with the express purpose of seeing whether the SUV’s unique mobile app set-up might also provide an easy way into its on-board computer. The organization announced Monday it had been able to breach the vehicle’s alarm system and turn it off.
“Once unlocked, there is potential for many more attacks,” read a report on the Pen Test Partners site. “The on-board diagnostics port is accessible once the door is unlocked.”
Mitsubishi is advising customers who own this Outlander to temporarily disable the car’s WiFi and unpair the app from the car. The company says it is working on a firmware fix.
As in-car tech becomes increasingly sophisticated — with its ultimate iteration being the self-driving car — some systems have proven to be less than secure.
Among cars hacked by professionals in order to show their weaknesses are Chrysler’s 2014 Jeep Cherokee, the Tesla Model S and the Nissan Leaf. The Jeep’s hack by two security experts led to 1.4 million cars being recalled for a software update last year.
The issue has gotten the attention of both the FBI and the National Highway Traffic Safety Administration, which issued warnings in March that automakers needed to keep a close watch on the security of their in-car systems.
“The analysis demonstrated the researchers could gain significant control over vehicle functions remotely by exploiting wireless communications vulnerabilities,” read the FBI’s warning, adding that it is important that “consumers and manufacturers are aware of the possible threats and how an attacker may seek to remotely exploit vulnerabilities in the future.”
Most car companies that provide customers with apps that allow access to a range of functions — from unlocking car doors to remotely starting the engine — do so with applications that communicate first with the manufacturer’s cloud servers, which then relay the command to the vehicle’s on-board receiver. Routing commands through the cloud puts a point of control between the phone and the car where user identity, authorization, revocation and patching can be enforced centrally; it is not secure by itself, since the server’s own interface has to perform those checks.
In contrast, Mitsubishi’s app talks directly to the individual car it is paired with over the car’s own WiFi access point. That requires the owner to be within WiFi range of the car, and it is the weakness in that access-point set-up that Pen Test Partners exploited.
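To make concrete what the cloud-relayed design described above can enforce that a direct-to-car WiFi link cannot, here is a toy relay written for this article. It is an added illustration, not code from Mitsubishi, Pen Test Partners or any automaker: the relay verifies that each command is signed with a per-user key, is fresh, has not been replayed, comes from a user still paired to that vehicle and not revoked, and it logs every decision. The field layout, the 60-second window, the 32-byte HMAC keys and the user and vehicle identifiers are all assumptions chosen for the example.

```python
"""
Toy model of a cloud-relayed vehicle command path (added example; not the code of
Mitsubishi, Pen Test Partners or any automaker).  The phone never talks to the car:
it sends a signed command to the relay, which checks identity, freshness, replay,
pairing and revocation before it would forward anything.  All names, key sizes and
the freshness window are assumptions for this illustration.
"""
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 60  # assumed: how old a command may be before it is refused


class Relay:
    def __init__(self):
        self.user_keys = {}       # user_id -> per-user HMAC key (assumed provisioning step)
        self.pairings = {}        # user_id -> set of vehicle IDs the user may command
        self.seen_nonces = set()  # replay cache (a real service would bound this by time)
        self.revoked = set()      # users whose access has been withdrawn
        self.audit_log = []       # every allow/deny decision, for the manufacturer to review

    def enrol(self, user_id, vehicle_id):
        """Pair a user with a vehicle and hand back the key the app will sign with."""
        key = secrets.token_bytes(32)
        self.user_keys[user_id] = key
        self.pairings.setdefault(user_id, set()).add(vehicle_id)
        return key

    def revoke(self, user_id):
        """Central revocation: possible only because the relay sits in the path."""
        self.revoked.add(user_id)

    @staticmethod
    def canonical(user_id, vehicle_id, action, ts, nonce):
        # Fixed field order and separator so the MAC covers one unambiguous encoding.
        return f"{user_id}|{vehicle_id}|{action}|{ts}|{nonce}".encode()

    def authorize(self, msg, now=None):
        """Return True if the relay would forward this command to the car."""
        now = time.time() if now is None else now
        user = msg["user"]
        key = self.user_keys.get(user)
        if key is None or user in self.revoked:
            return self._deny(msg, "unknown or revoked user")
        # Check the MAC before anything else so an unauthenticated sender cannot
        # poison the replay cache or learn which nonces are already spent.
        expected = hmac.new(
            key, self.canonical(user, msg["vehicle"], msg["action"], msg["ts"], msg["nonce"]),
            hashlib.sha256,
        ).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return self._deny(msg, "bad MAC")
        if abs(now - msg["ts"]) > WINDOW_SECONDS:
            return self._deny(msg, "stale")
        if msg["nonce"] in self.seen_nonces:
            return self._deny(msg, "replay")
        if msg["vehicle"] not in self.pairings.get(user, set()):
            return self._deny(msg, "not paired to vehicle")
        self.seen_nonces.add(msg["nonce"])
        self.audit_log.append(("allow", user, msg["vehicle"], msg["action"]))
        return True

    def _deny(self, msg, reason):
        self.audit_log.append(("deny", msg.get("user"), msg.get("vehicle"), reason))
        return False


def sign_command(user_id, key, vehicle_id, action, ts=None, nonce=None):
    """What the phone app would send: the command fields plus an HMAC over them."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(key, Relay.canonical(user_id, vehicle_id, action, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"user": user_id, "vehicle": vehicle_id, "action": action,
            "ts": ts, "nonce": nonce, "mac": mac}


def demo():
    """Run the cases a practitioner cares about and report each decision."""
    relay = Relay()
    key = relay.enrol("owner-1", "VEHICLE-A")   # constructed identifiers
    now = 1_700_000_000                         # fixed clock so the run is reproducible
    good = sign_command("owner-1", key, "VEHICLE-A", "disable_alarm", ts=now)
    results = {"valid": relay.authorize(good, now=now)}
    results["replay"] = relay.authorize(good, now=now)          # same nonce a second time
    tampered = dict(good, action="unlock_doors")                # body changed, MAC not
    results["tampered"] = relay.authorize(tampered, now=now)
    stale = sign_command("owner-1", key, "VEHICLE-A", "disable_alarm", ts=now - 600)
    results["stale"] = relay.authorize(stale, now=now)
    other = sign_command("owner-1", key, "VEHICLE-B", "disable_alarm", ts=now)
    results["unpaired_vehicle"] = relay.authorize(other, now=now)
    relay.revoke("owner-1")
    after = sign_command("owner-1", key, "VEHICLE-A", "disable_alarm", ts=now)
    results["revoked"] = relay.authorize(after, now=now)
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:>17}: {'forwarded' if allowed else 'refused'}")
```

In the direct-to-car model there is no place to put any of these checks: whoever joins the car’s access point stands on the same footing as the owner’s phone, the car has no per-user identity to revoke, and the manufacturer never sees the attempt. The relay is no guarantee either; it helps only if its server actually performs checks like these on every request.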
“This illustrates two critical issues of the ‘system of systems’, firstly to isolate access points to devices and systems that are used by the public as much as you would with secure private systems such as bank accounts or personal medical records,” says cyber security expert Mark Skilton of Warwick Business School.
“Secondly, the lack of an audit and professional checking of these systems by manufacturers is more an issue of corporate incompetence when basic mistakes such as poor WiFi set-up and a lack of resilience in encryption procedures have not been followed,” he says.
Pen Test Partners noted in its blog post that Mitsubishi at first did not respond to its attempts to report the problem.
“Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest. We were a bit stumped at this point: As so often happens, the vendor takes no interest and public disclosure becomes an ethical dilemma,” the post notes.
Only after approaching the BBC, which first reported the breach, did Pen Test Partners get the Japanese automaker’s attention, “and since then they have been very responsive to us! (and) are taking the issue very seriously at the highest levels.”