informa
/
Slideshow

An Inside Look At The Mitsubishi Outlander Hack

White hat hacker finds WiFi flaws in mobile app for popular auto; Mitsubishi working on fix.
Here’s what the Outlander mobile app controls
How Pen Test Partners turned off the alarm
Crafty hackers can potentially break into any car in a geographic region
There are two ways to disable the WiFi service
1/4

It all started a few months ago when a friend of penetration tester and self-styled industry maverick Ken Munro bought a Mitsubishi Outlander.

Munro, who works for U.K.-based penetration testers Pen Test Partners, says a red flag went off for him when he looked over the plug in hybrid electric vehicle (PHEV) and found that the mobile application communicates via WiFi.

“With other high-end cars like BMWs or Mercedes Benz’s the mobile app communicates over GSM or, in the U.S., LTE 4G,” he says. “GSM and LTE are broadly much harder to hack than WiFi.”

Not long after he first saw the Outlander, Munro went out and bought a new Outlander and ran a man in the middle attack over the WiFi communications. Sure enough, he was able to hack in and disable the anti-theft alarm.

“I know this can be upsetting but keep in mind that this field didn’t exist three years ago,” Munro explains. “So to be fair to the car companies, they are working to fix the various flaws we find.”

Munro spoke with Dark Reading this week, sharing some behind-the-scenes information on the Outlander hack and tips for what people who bought the cars can do to protect themselves until Mitsubishi issues a fix, which Munro says the carmaker intends to do.

The following slides give you an idea of how Munro exposed the vulnerability in the Outlander:

 
Next slide
Recommended Reading: