Hacking the Mitsubishi Outlander PHEV hybrid
By Ken Munro, Senior Partner, Pen Test Partners
June 6, 2016
The Mitsubishi Outlander plug in hybrid electric vehicle (PHEV) is a big-selling family hybrid SUV. It has an electric range of up to 30 miles or so plus petrol range of another 250ish miles. We noticed that the mobile app had an unusual method of connecting to the vehicle so we bought one to investigate.
What we found
What’s really unusual is the method of connecting the mobile app to the car. Most remote control apps for locating the car, flashing the headlights, locking it remotely etc. work using a web service. The web service is hosted by the car manufacturer or their service provider. This then connects to the vehicle using GSM to a module on the car. As a result, one can communicate with the vehicle over mobile data from virtually anywhere.
Different, but not better
The Outlander PHEV does it differently. Instead of a GSM module, there is a Wi-Fi access point on the vehicle. In order to connect to the car functions, we have to disconnect from any other Wi-Fi networks and explicitly connect to the car AP. From there, we have control over various functions of the car.
This has a massive disadvantage to the user in that we can only communicate with the car when in Wi-Fi range. I assume that it’s been designed like this to be much cheaper for Mitsubishi than a GSM / web service / mobile app based solution. There’s no GSM contract fees, no hosting fees, minimal development cost.
Unfortunately, we found that this system had not been implemented securely.
PSK, SSID and geolocation worries
The Wi-Fi pre shared key is written on a piece of paper included in the owners’ manual. The format is too simple and too short. We cracked it on a 4 x GPU cracking rig at less than 4 days. A much faster crack could be achieved with a cloud hosted service, or by buying more GPUs.
Capturing the handshake was more of a challenge, as the mobile device would have to be connected to the car at the time. We realised that the car was most likely to be parked at the owner’s house, where their mobile device would also be. By de-authing the mobile from the home Wi-Fi router continuously, there was a fair chance of it then connecting to the nearby car, at which point the handshake could be captured.
The access point has a unique SSID fortunately. It is of the format: [REMOTEnnaaaa] where ‘n’ are numbers and ‘a’ are lower case letters.
This means that you can search wigle.net and easily geolocate Outlander PHEVs. Here are a few in the UK, including some spotted whilst driving and others parked at the owner’s house:
A thief or hacker can therefore easily locate a car that is of interest to them.
It is possible to change the SSID, though not the PSK. It is possible to deactivate the AP. We will come to that later.
So, we know the SSID and have the PSK. What next?
Exploring the subnet showed a service on 192.168.8.46:8080. The IP address was static and identical across all cars that we looked at. Connecting to it showed the following:
So then we started a man in the middle and sniffed the Wi-Fi connection. This is where it got interesting!
First, we replayed various messages from the mobile app. After figuring out the binary protocol used for messaging, we could successfully turn the lights on and off.
Next, we messed around with the charging programme, from which we could force the car to charge up on premium rate electricity.
We could also turn the air conditioning or heating on/off to order, draining the battery. This is remarkably similar to the Nissan Leaf hack, though the next part is far worse than that.
Finally, we disabled the theft alarm. Yes, seriously
This took a bit of proving, as we didn’t want to have to break a window to make the point.
So, we sat inside the car whilst being very still and locked it. Then, waving my arms around, it was clear that the alarm was off.
I could then unlock the car using the handle on the inside of the door, without the alarm going sounding.
This is shocking and should not be possible.
Once unlocked, there is potential for many more attacks. The on board diagnostics port is accessible once the door is unlocked. Whilst we haven’t looked in detail at this, you may recall from a hack of some BMW vehicles which suggested that the OBD port could be used to code new keys for the car.
We also haven’t looked at connections between the Wi-Fi module and the Wi-Fi module and the Controller Area Network (CAN). There is certainly access to the infotainment system from the Wi-Fi module. Whether this extends to the CAN is something we need more time to investigate.
Short term fix
Unpair all mobile devices that have been connected to the car access point.
First, go to the car and connect your mobile phone to the access point on the car. Then, using the app, go to ‘Settings’ and select ‘Cancel VIN Registration’:
Once all paired devices are unpaired, the Wi-Fi module will effectively go to sleep. It cannot be powered up again until the car key remote is pressed ten times. A nice security feature.
This has the side effect of rendering the mobile app useless, but at least it fixes the security problem.
Medium term fix
The app has the ability to push new firmware to the Wi-Fi module. New firmware should be deployed urgently to fix this problem properly, so the mobile app can still be used.
Long term fix
Mitsubishi need to re-engineer the rather odd Wi-Fi AP – client connection method completely. A GSM module/web service method rather more like BMW Connected Drive would be much better long term. Words like ‘recall’ spring to mind.
Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest. We were a bit stumped at this point: As so often happens, the vendor takes no interest and public disclosure becomes an ethical dilemma.
So, we involved the BBC who helped us get their attention. Mitsubishi have since been very responsive to us! They are taking the issue very seriously at the highest levels.
A medium term fix is being worked on now.
We aren’t disclosing the exact binary message to disable the alarm at this point. We will, in a week or so, once owners have had a chance to disable the APs on their cars.
That said, it didn’t take much to figure it out!