Poorly configured WiFi security access to blame for allowing testers to access the car’s systems
The UK research firm Pen Test Partners announced this weekend that they had successfully hacked into the Mitsubishi Outlander hybrid via WiFi. The firm was able to do this after discovering that the car’s own WiFi would appear on their mobile phones among the list of available networks.
“First, we replayed various messages from the mobile app. After figuring out the binary protocol used for messaging, we could successfully turn the lights on and off,” security expert Ken Munro said. “Next, we messed around with the charging programme, from which we could force the car to charge up on premium rate electricity. We could also turn the air conditioning or heating on/off to order, draining the battery.”
But then they discovered that they could disable the car’s alarm, then unlock the car.
“In the case of the reported Mitsubishi alarm system hack, the failures of poorly configured WiFi security access have occurred in other high profile cases in the past couple of years,” said Mark Skilton, a Professor of Practice in the Information Systems & Management Group at Warwick Business School. “They include the hacking of the inflight entertainment system in 2015 by security researchers on a United Airlines flight, to hacking nearly 100 networked traffic lights in Michigan by another security researcher with a laptop in 2014, enabling the changing of light commands at will.”
“These are not a failure of the system itself. All these hacks exploited poor design of the systems’ security design. In all these cases the entry point has been compromised and it allowed the hacker to gain access to other systems on board that could include and threaten human safety,” Skilton said.