Ken Munro was in his car when he noticed a Wi-Fi access point from a friend’s nearby Outlander. When Munro asked about it his friend explained how the system worked and what he could do with it from his cell phone. Munro tried the app and quickly found a troublesome vulnerability. So he got out of the app immediately.
What Munro did next isn’t what you would likely do, but he promptly bought an Outlander and took it to his company to check out the problem. What may seem like an overly cautious (not to mention expensive) reaction to a Wi-Fi weakness resulted in the manufacturer acknowledging the potential problem and recommending owners stop using Wi-Fi by de-registering their access points.
The issue Munro found was that remote commands sent to the Outlander go directly to the car’s access point, not through a third-party web server, which is the practice with most carmakers. Second, the access point name was distinct and could easily end up on websites that collect and display nearby access points. Munro and his colleagues used unnamed but “well-known techniques that let the researchers interpose themselves between car and owner and watch data as it flowed between the two.”
With access to the car’s system, anyone could flash the lights, drain the battery, and change other settings. The most disturbing finding, however, was the ability to disable the car’s alarm system. This could give thieves a chance to break in to steal the car’s contents, components, and possibly even the car itself.
Related: Driverless cars could be used for assassination, says Attorney General
“This hacking,” Mitsubishi acknowledged in a statement released to BBC News, “is a first for us as no other has been reported anywhere else in the world.” Mitsubishi recommended owners cancel the access point VIN registration via the smartphone app or with the car’s remote.
If you own a Mitsubishi Outlander Hybrid, there are three steps to be followed in order to delete the VIN registration. First, turn on the hazard lights. Second, within 30 seconds, and with the doors closed, press the Lock/Unlock button on the remote 10 times. That will put you in registration delete mode. Wait for the beeping to stop — if the system is registered there will be one beep with an additional beep for each device registered with the access point, so just wait. Then, within 5 minutes, and again with the doors closed and using the car remote, press the Lock/Unlock button 20 times. Those steps will de-register your car’s Wi-Fi system. Then wait until you get word that it’s OK to register it again after Mitsubishi figures out a solution.
This hasn’t been a great year for Mitsubishi with its admission of fuel economy test cheating and resulting slower sales. Hopefully, the company can resolve the Wi-Fi security issue quickly.
