What should we make of the Mitsubishi Outlander hybrid hack?

Over the past few days, the motoring community has been abuzz with news that a team of hackers managed to wirelessly hack a Mitsubishi Outlander, taking control of its electric charging and alarm systems.

While this is far from the first time a car has been remotely hacked, it has raised fresh fears about just how easy it is to break into contemporary vehicles.

But just how worried should we be?

How it’s done

Before delving deeper into that question, it’s worth taking a look at where the security flaw lies. As demonstrated by security researcher Ken Munro, the major issue is Mitsubishi’s mobile app. The app, which allows you to set charging times, turn on the lights, air conditioning, and turn off alarms, connects to a wireless access point in the car.

While accessing the app requires an SSID and a password, anyone who’s ever had their home network hacked will tell you that’s not exactly the most sophisticated form of security out there.

Munro was able to crack the Outlander Hybrid within four days using brute force attacks, but believes that someone using stronger equipment could have done it within 24 hours.

“If I was a thief and I fancied your car, first of all because it’s a WiFi device I would geo-locate it using resources like Wiggle,” said Munro. “I [would then] find your car, crack your Wi-Fi key, send the code required to disable the alarm from a laptop or a hacked mobile device, jimmy the door or smash your window, unlock your door, then access the IDB port inside, and I’ve potentially got your car.”

The trouble with WiFi

While Munro’s attack took some time, the reason it could be done so simply is because of the inherent vulnerabilities in WiFi systems.

“In the case of the reported Mitsubishi alarm system hack, the failures of poorly configured WiFi security access has occurred in other high profile cases in the past couple of years,” says Professor of Practice in the Information Systems & Management Group at Warwick University Mark Skilton. “They include the hacking of the inflight entertainment system in 2015 by security researchers on a United Airlines flight, to hacking nearly 100 networked traffic lights in Michigan by another security researcher with a laptop in 2014, enabling the changing of light commands at will”.

As Skilton notes, these hacks aren’t down the systems. The problem instead lies with the point of entry.

“These are not a failure of the system itself. All these hacks exploited poor design of the systems’ security design,” says Skilton. “In all these cases the entry point has been compromised and it allowed the hacker to gain access to other systems on board that could include and threaten human safety”.

This, he says, “illustrates two critical issues of the ‘system of systems’; firstly to isolate access points to devices and systems that are used by the public as much as you would with secure private systems such as bank accounts or personal medical records. If professional researchers are finding this then equally hackers will also find these weaknesses”.

“Secondly, the lack of an audit and professional checking of these systems by manufacturers is more an issue of corporate incompetence when basic mistakes such as poor WiFi set-up and a lack of resilience in encryption procedures have not been followed.

As Skilton notes, this has major implications for the increasingly connected future of cars.

“Cars are increasingly having on-board connectivity to the internet beyond just entertainment and to the operation of the car itself,” says Skilton. “But, while access to email and websites is one thing, access to mission critical systems in any situation – be it a building, operating theatre or transport vehicle – is a whole different set of risk and security issues.”

But those mission-critical functions are increasingly going to be controlled by apps. Volvo, for instance, wants all its cars to be completely keyless by 2017.

Those kinds of advances suggest that these kind of demonstrative hacks aren’t going to be limited to just a few a year, but will become increasingly common. Hopefully the manufacturers are paying attention.