Wi-Fi hack disables Mitsubishi Outlander's theft alarm – white hats

Security weaknesses in the set-up of Mitsubishi Outlander leave the hybrid car exposed to hack attacks – including the potential for crooks to disable theft alarms. The Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) is a top-selling family hybrid SUV. More than 100,000 of them have been sold worldwide, around 22, …

  1. Pascal Monett Silver badge

    Yay, Yet Another Vehicle Hijacking By Maker Laziness

    This situation sucks. Now, when buying a car, one is going to have to go through a number of checks to ensure that the car cannot be easily broken into via a passerby's smartphone, in addition to all the other stuff to evaluate.

    And the problem is not that Mitsubishi did not think of implementing security - they established a procedure and implemented it - probably after testing it. The problem is, nobody made a quality check - or even a sanity check - with either security engineers or a simple street thug (the latter may be a bit difficult to locate for a car maker, I agree). So what they designed is trivial to crack and nobody is safe.

    I do not want to have to become an engineer to have a secure car. In any case, Mitsubishi is off my buy list until they get this sorted out.

    1. Anonymous Coward

      Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

      You don't have to be an engineer.

      "Does this car have an app that allows me to control it?"

      "Yes"

      Walk out of showroom..

      1. Anonymous Coward

        Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

        I bought a new car in December, and the salesman was surprised I was removing from the configuration each "gadget" related to apps and remote control of the car.

        "Don't you work in IT? You should like 'em all!"

        "Yes, but I work in IT security."

        1. Lee D Silver badge

          Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

          I bought a new car recently.

          My criteria to the guy in the showroom was "I want NO extras, no fancy gadgets, no software junk, basic model."

          He took me to a car with in-car Wifi, entertainment touchscreen, electronic handbrake, hill start assist, tyre pressure monitors, dashboard monitor LCD screen, built in voice control and bluetooth (including PAN connectivity) and no less than 21 buttons on the steering wheel (not including those necessary to drive).

          I said "No, I said I want the base model, no extras"

          "Sir," he said dryly. "This *IS* the base model".

          Given that all the electronics were ON the car, not the car talking to something else, that it was manual-gearbox and not remote controlled (though that was an option) and they didn't directly interfere with driving (i.e. no lane-assist, parking-assist or junk like that, but again all options), I did end up getting that base model. But, hell, the amount of tech in it scares the life out of me.

          21 buttons on the steering wheel is just ridiculous. And even with hands-free voice dialling / call answering for the Bluetooth phone in your pocket, I still refuse to answer calls when driving anyway.

          I saw a video the other day of a guy in a Tesla, asleep. The car has auto-roll-forward for traffic, including auto-braking when it nears the car in front, and lane assist to keep you in the lane. But you should NOT be able to fall asleep while driving in a queue and have it carry on driving for you.

          Sometimes I think tech has gone too far and there's no way back.

          1. Dan 55 Silver badge

            Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

            I think with the Teslas you have to touch the steering wheel every so often or it stops... although what happens if you have a heart attack and slump over the wheel is anyone's guess.

            1. TonyJ

              Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

              "...although what happens if you have a heart attack and slump over the wheel is anyone's guess..."

              You'd crash, I would imagine ;-)

            2. Lotaresco
              Joke

              Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

              It's an electric car. It will defibrillate the driver by electrocuting him through the steering wheel.

          2. Anonymous Coward

            @ Lee D Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

            That's why fitting a large, sharp, pointy metal spike in the middle of the steering wheel IS a good idea.

            1. Stoneshop
              Boffin

              Re: @ Lee D Yay, Yet Another Vehicle Hijacking By Maker Laziness

              That's why fitting a large, sharp, pointy metal spike in the middle of the steering wheel IS a good idea.

              So that when you slump over the steering wheel through whatever cause, you stay slumped. No sliding down sideways or whatever.

              Maybe re-purposing some of the steering wheel buttons as defibrillator pads would be more effective.

          3. Chloe Cresswell Silver badge

            Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

            21?

            What car, I want to look at the list/photo, as that's insane.

            I thought my Mk4 Mondeo was bad with 16.

            (2 4way pads, centre select on each, then cruise control on/off/res/can/up and down)

            The jag is nicer (phone, source, volume up/down, select up/down, cruise up/down, res and can) 10 total options only

            1. Lee D Silver badge

              Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

              Mk5 Mondeo.

              2 x 4-way pads, with center buttons.

              Cruise control - same as yours.

              Vol+, Vol-, Answer phone, Hangup, Voice Recognition (one-time enable button), mute (mutes music and/or puts caller on hold).

              21.

          4. BillG
            Happy

            Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

            My car has no wireless connectivity, and uses an ignition key. My next car will have the same.

            1. John Crisp

              Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

              "My car has no wireless connectivity, and uses an ignition key. My next car will have the same."

              Plenty of tuktuks still available worldwide :-)

              1. Lotaresco

                Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

                Tuktuk? I'm holding out for a Dongfeng as my company vehicle.

        2. Anonymous Coward
          Alert

          Rinse, Repeat

          As we know, Mitsu is not the only OEM with this issue. ANY vehicle with CAN bus is a target. I am a stone's throw from Toyota, Honda, (Torrance) Mitsu (Cypress) Hyundai and KIA, all with issues. The latest cool thing is starting your vehicle remotely. Not only is this dangerous, but in California it is against the law to leave a vehicle running without direct supervision.

          I am still nonplussed about the technology people continue to immerse themselves in, only to find out they are a target. And this is only the beginning, gang. Wait until they try to widely incorporate driver-less vehicles.

          http://arstechnica.com/cars/2016/04/car-makers-cant-drive-their-way-to-safety-with-self-driving-cars/

          1. Privatelyjeff

            Re: Rinse, Repeat

            California has no law on that directly. Only if there are kids under 6 and no one over 12 in the car or if there is a local ordinance.

    2. asdf

      Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

      Admittedly Mitsubishi is scraping the bottom of the barrel but yeah it's a problem for other better run car companies as well.

    3. Stoneshop

      Re: Yay, Yet Another Vehicle Hijacking By Maker Laziness

      or even a sanity check - with either security engineers or a simple street thug (the latter may be a bit difficult to locate for a car maker,

      Put the pre-production model in one of the less-savoury Tokyo districts, with a few auxiliary measures to get the crook attempting the car theft to, ahem, change his plans according to Mitsubishi's intentions..

  2. Anonymous Coward

    It seems

    that there is a monumental face palm story every day on sites such as el-reg, where somebody decrees "Hey, this is a good idea" and it does, in fact, turn out to be a total balls up of royal order.

    Why the fuck would I *want* to control my car's lights from a smart phone. Why? WHY???

    You could, for example, make Audis and BMWs have indicators that are not optional extras, that would be a better idea than having the ability to lock, unlock and start my car from a *phone!!!

    *absurd notion and the consortium that decided otherwise should be put up against a wall and shot.

    1. Voland's right hand Silver badge

      Re: It seems

      Giving people who have spent their career working in closed protected environments related mostly to system and process control (ECUs, controllers, etc) the task to write something which is exposed to the outer world and can be attacked at the protocol/message level.

      The end result is that 99% of IoT and I-connected gadgets there are hackable with ease. Cars, smart meters, internet connected alarms and CCTV - you name it.

      1. Mage Silver badge

        Re: It seems

        I was telling Profibus researchers maybe ten years ago that security wasn't an optional extra on industrial control and needed to be designed in.

        1. Lotaresco

          Re: It seems

          The situation is worse today. The manufacturers of industrial control systems use versions of Windows CE that are already out of support and have those systems on sale today with no plans to replace them in the next two years.

      2. Anonymous Coward

        Re: It seems

        Never thought I'd ever want to be a commentard, but had to sign up to upvote this. I'm tangentially involved in the Industry 4.0 project and this rings so true about engineers. Every time security is mentioned at best you get blank stares (normally from the engineers) or "but it's in the cloud" (usually from management types).

        It's genuinely frightening to realise how much of the world's infrastructure is so easily compromised as no-one developing it has even the most basic grasp of security, and as the Internet Of Tat mentality takes over, I can only see it getting worse as "insecure by design" creeps into every part of our lives.

        1. Paul Kinsler

          Re: the world's infrastructure is so easily compromised

          I saw the other day a poster for the sequel to Independence Day ... and remembered how ludicrous it seemed that some random ape could hack into a vast starship built by aggressive and intelligent Alien Things, and sabotage it so easily.

          But nowadays it seems much more believable :-)

          1. Dwarf

            Re: the world's infrastructure is so easily compromised

            And even using a Mac and IP addresses that included numbers larger than 255

            How the world changes

    2. Graham Marsden
      Thumb Up

      Re: It seems

      > the consortium that decided otherwise should be put up against a wall and shot.

      A bunch of mindless jerks who will be first against the wall when the revolution comes... ;-)

      1. Anonymous Coward

        Re: who will be first against the wall when the revolution comes

        But if it's an internet enabled wall, they'll just be able to walk away/through it with ease....

    3. BurnT'offering

      Re: You could, for example, make Audis and BMWs have indicators that are not optional extras,

      Ain't that the truth.

    4. Anonymous Coward

      Re: It seems

      Parked in poorly lit car park at night, turn on headlights to improve things a little, or even just to locate the car if you are the sort who forgets where they parked.

      1. Anonymous Coward

        Re: It seems

        Recently attended a Brooklands 280 rally near me. The ability to turn on the lights remotely would have been great for the hundreds of drivers trying to locate their car that evening in a dusk-lit field. (For those who don't know, 95% of Brooklands 280s look identical in every way)

      2. Sandtitz Silver badge

        Re: It seems @AC

        "Parked in poorly lit car park at night, turn on headlights to improve things a little, or even just to locate the car if you are the sort who forgets where they parked."

        I'm not convinced. If I press the lock button on my ignition key the turn lights blink for a few times. That feature is several decades old and doesn't need a fancy app. Some cars may even honk the horn for easier locating.

      3. toughluck

        Re: It seems

        I have an 11 year old Citroën that blinks its indicators for 20 seconds if it's locked and if I press the "lock" button on the remote. There's a third button to turn headlights on/off. Oh, and holding the "lock" button shuts the windows.

        This problem was solved ages ago. What else would I want from a car remote?

      4. Lotaresco

        Re: It seems

        Right and the reason that the button on my remote that lights the headlights and leaves the doors locked is less useful than an app that I use by unlocking my mobile phone, starting an app, waiting for it to load and then navigating to the appropriate page is what, exactly?

  3. wolfetone Silver badge

    Not Just Cars

    I invited a British Gas engineer to come to my house in February to quote me on a new boiler (we had just moved in and the boiler seems to have been built in 1930).

    He does the usual thing that these engineer-cum-salesman hybrids do, umming and arring about what I have and what needed replacing. He asked if I wanted to change the thermostat in the hall to a newer one, which I said yes to. He started banging on about the Hive thing that they sell, at which point I cut him off and said no. He was surprised, and said "It's unusual that anyone says no to that, why don't you want it?". I told him that if I could change the temperature of my home from my office 20 miles away, then any old clown could do so too.

    He had no comeback to that.

    1. Wade Burchette

      Re: Not Just Cars

      That is my too: if I can access this device remotely, then so can billions of other people.

      If it ever gets to a point where "connected cars" are the standard, then the first thing I am going to do with my car is pull the fuse that controls it. If other useful electronics are on the same circuit, then I will find the service manual and disconnect the components. There is always a way.

      1. wolfetone Silver badge

        Re: Not Just Cars

        "If it ever gets to a point where "connected cars" are the standard, then the first thing I am going to do with my car is pull the fuse that controls it. If other useful electronics are on the same circuit, then I will find the service manual and disconnect the components. There is always a way."

        I thought ahead, I bought a 1998 Toyota Corolla for £250 last month. I'd like to see someone hack that with a mobile phone!

        1. sjaddy
          Trollface

          Re: Not Just Cars

          "I thought ahead, I bought a 1998 Toyota Corolla for £250 last month. I'd like to see someone hack that with a mobile phone!"

          A 1998 Nokia 5110i through the side window would probably be a start ;)

      2. psychonaut

        Re: Not Just Cars

        " the first thing I am going to do with my car is pull the fuse that controls it. "

        sometime in the <near future>

        Dave to car: "Car, please tell me where the fuse is for board x19-486"

        Car to dave: "Dave, the fuse is under the steering wheel"

        Dave to car: "thats odd, the manual says its in the engine bay"

        Car to dave: "no, it was moved on the last recall. wasnt secure enough."

        Dave to car: "Ok"

        Car to dave: - "yes thats right....get right in there under the wheel"

        meanwhile, on the incar infotainment system...

        ...car os v2001...automode

        ....loading....DONE!

        ...lock doors.....DONE!

        ...engine start.....DONE!

        .....reroute exhaust.......DONE!

        ....internal fans on full....DONE!

        Car to Dave "im sorry, Dave, i cant allow that to happen....."

  4. Dan 55 Silver badge
    Facepalm

    WTF kind of idea is this anyway?

    Built to tick the marketing departments' tickboxes by a team with no idea of security and of no practical use whatsoever. Send them up on the B Ark.

    1. John Gamble

      Re: WTF kind of idea is this anyway?

      You do recall that the B Ark populace are the ones that survived, yes?

      1. Chloe Cresswell Silver badge

        Re: WTF kind of idea is this anyway?

        Worse, they survived and became us!

        1. Dan 55 Silver badge

          Re: WTF kind of idea is this anyway?

          Not all of us, just PMs.

  5. Mage Silver badge

    WiFi vs Mobile

    Local access rather than access over the Internet and mobile is preferable. It's done rather badly.

    The idea of controlling ANYTHING on a vehicle you can't actually see is a fail. Remote reporting is a separate kettle of fish, I mean privacy issue.

  6. pompurin

    Why is having it restricted to local Wifi a huge disadvantage?

    I can't see why I would want to do any of these remote things unless I was in close proximity anyway.

    Actually I think Mitsubishi have it right with the local WiFi hotspot rather than going over a local GSM Network. They just picked a far too weak pre-shared Key. I would be more concerned of a large scale attack on a car manufacturer which then allowed them access to thousands of cars. It also allows the car manufacturer remote access to your car.

    Also what use is a GSM based App to an end user if you're anywhere outside a mobile phone signal range?

    1. psychonaut

      Re: Why is having it restricted to local Wifi a huge disadvantage?

      yeah, i thought that too. i mean, you are unlikely to need to unlock your car from, say, Brazil, if your car is in London

      or change your heating whilst you arent at home

      or make a fucking piece of toast,

      or turn off your refrigerator

      or...OH FOR FUCKS SAKE JUST STOP THIS CRAZY SHIT YOU STUPID BASTARDS

      1. werdsmith Silver badge

        Re: Why is having it restricted to local Wifi a huge disadvantage?

        or change your heating whilst you arent at home

        This is a good thing, I do it all the time - using a timer and thermostats rather than remote control. But the point is, the heating comes changes when I'm not at home, after being off all day it starts to warm the house up so it is ready for people arriving home. Because it takes 30 minutes or so.

        If I did not have such regular times then I might appreciate a pre-warming control.

    2. Dan 55 Silver badge

      Re: Why is having it restricted to local Wifi a huge disadvantage?

      But what's the point? You have to be in WiFi range to flash the lights to find your car in a crowded car park... so you might as well be pressing the button on the key fob* anyway.

      * which is another security nightmare.

    3. Daniel 18

      Re: Why is having it restricted to local Wifi a huge disadvantage?

      Because if you don't have GSM you can't be tracked, hacked, and monitored from anywhere in the world.

      1. psychonaut

        Re: Why is having it restricted to local Wifi a huge disadvantage?

        yeah, but you can do that with a timer and a thermostat. i could do that 20 years ago, i can do it now. heck, the controller in my old house is a 30 year old honeywell. it works just the same. it still works...no firmware upgrades or hacking attempts. it doesn't need to be interwebbed.

  7. Anonymous Coward

    At least they couldn't (yet) drive the car away. Anyone remember Ford from the Mk III Cortina days when there were only a few keys shared between all of them? If you had the set (six, if memory serves) you could take your pick of any Cortina or Escort you wanted. And my mum got into and started up completely the wrong Vauxhall Cavalier once, so it was the same story there (she realised before pulling away though, so there's no exciting police chase to report).

    1. Sgt_Oddball

      Didn't they later...

      After changing the keys to the funky slim rod type things had an issue where half a tennis ball struck hard would pop the lock with ease. Explains why Escort Cosworths were so easy to drive off.

      1. Anonymous Coward
        Unhappy

        Re: Didn't they later...

        True. So all we have to do is put up with 30 years of easily steal-able internet connected locks and we'll be back to what we finally achieved a few years ago, where the only way to steal the car was to gain access to the physical key.

      2. DropBear
        FAIL

        Re: Didn't they later...

        "tennis ball struck hard would pop the lock"

        Wrong.

    2. Hans 1
      Happy

      A mate of mine once forgot where he had parked his car and drove off in the wrong BMW 3 series ... it did not surprise him that there was a box of lager in the trunk when he filled it with the shopping, he just thought it was the missus ... when he got home, he noticed his laptop bag was not in the trunk ... after he had gotten all the shopping out ... went back to the supermarket, reported what had happened ... half an hour later, another punter called the supermarket ... and problem solved ... red faces etc this was the 90's.

  8. Anonymous Coward

    manufacturer fail...

    "it should be noted that without the remote control device, the car cannot be started and driven away."

    FAIL. That is precisely what the man-in-the-middle attack demonstrates!

    This complete lack of understanding of the new world that vehicle manufacturers are venturing into, is the reason why I'm sticking to old-school 'dumb' vehicles.

    The best anti-theft device I've ever seen was fitted by a mate of mine to his old Triumph Dolomite Sprint. He placed a toggle switch in a discreet location, which disabled the car's electric fuel pump. Sure the car might get nicked, given the trivial ease by which you can get into these old cars, but it wouldn't get further than a 100 metres down the road even if hotwired.

    1. Sgt_Oddball

      Re: manufacturer fail...

      My old man did the same to his G-wagon, though he went over the top as usual. Fuel pump cut off, ignition cut off add in different places and a dash mounted engine cut off that triggered the alarm if the other two weren't turned on first.

      You just had to remember to turn everything off again when you parked up... (he is a sparky so he doesn't do things by halves)

      1. lglethal Silver badge

        Re: manufacturer fail...

        My old Holden LJ Torana came with a kill switch hidden under the dashboard. If you didn't turn it off, there was nothing you could do to get the car up and running. Admittedly, no doubt professional thieving sods of the time knew exactly where to look for the kill switches, but these days a kill switch would be highly effective I imagine...

        1. Anonymous Coward

          Re: manufacturer fail...

          Many Austins / Rovers (e.g. Montego) had a little fuel pump switch behind the centre console to cut off automatically in the event of an impact. Pull it up, kill pump. Push it down, power restored.

          Granted, if you were nicking one, there was a good chance it would break down or a body part would fall off within a mile anyway, but that's a different story.

          1. Sgt_Oddball

            Re: manufacturer fail...

            Let's be honest now, if you were stealing one, you'd generally be doing the owner a favour. (My granddad had a Montego.... came with a free pack of cigs. Spray painted under the spare tyre. Boy could he pick them... he also left it on the estate he lived unlocked for a week to see if it would get stolen. Didn't move an inch all week)

  9. Cuddles

    The title is too long

    "This means that drivers can only communicate with the car from within Wi-Fi range, a huge disadvantage."

    The exact opposite actually. There's absolutely no reason you could ever need to fuck around with your car from the other side of the country, while having a short range connection means that no-one else can fuck around with it from there either. In addition, it doesn't matter what distance from your car you might be if you don't have a phone signal, while pretty much the only reason wi-fi could fail is if your battery dies, which would obviously affect GSM just as much.

    "Once unlocked, there is potential for many more attacks against the car."

    No shit. Having full physical access to a car allows you to do stuff to it. There don't need to be any computers or wi-fi shenanigans involved for that to be the case.

  10. Anonymous Coward

    I agree with all the complainers about vehicle insecurity systems, but I suspect the majority of you have a smartphone, smart TV, or even house alarm system, which is much more cause for concern than this particular car.

    1. Lamb0
      Black Helicopters

      Call me the vocal minority...

      I have NONE OF THE ABOVE! ;<}

    2. Anonymous Coward
      WTF?

      Only a smart phone and that doesn't cost £40K.

  11. Dieter Haussmann

    Japanese just don't do software, look at SONY.

    Look at what you get with Japanese cameras and scanners.

    1. Anonymous Coward

      Eh? What are you on about?

    2. Dan 55 Silver badge
      Coffee/keyboard

      'Cos HP's printer and scanner software is amazing...

      1. Steve Graham

        RE: 'Cos HP's printer and scanner software is amazing...

        Their wireless hardware is outstanding too. When my neighbours plugged in their new printer, my laptop could 'see' the AP.

        I live in a rural location. My neighbours are 250m away across the fields.

        (Unfortunately, they must have opted for a wired connection and disabled the wifi. Otherwise, their printer might have become haunted...)

        1. werdsmith Silver badge

          Re: RE: 'Cos HP's printer and scanner software is amazing...

          Way back when I was a kid the people across the road from us had the same TV as us rented from the same company. The remote control range was amazing, and they had their TV replaced twice before they changed to a different TV. We haunted their TV like crazy, and I don't think they ever worked out that the TV didn't give problems when the curtains were closed.

  12. Rob Crawford

    Oh well now I know what those 5 entries in the SSIDs logs are, I was surprised that there are so many Mitsubishi WiFi access points roaming past my house

    Along with the Skoda, Vauxhall, Ford, Porsche, Audi, Mercedes and BMW.

    1. psychonaut

      SSID: ThisisntJustAnyWifiAPThisIsaMarksandSpencersLovely84GhzWifiMadeFromVirginsTitsAndFlangeBatter

  13. BurnT'offering

    A Mitsubishi Outlander has the strongest possible anti-theft safeguard

    It's a Mitsubishi Outlander

    1. BurnT'offering

      Re: A Mitsubishi Outlander has the strongest possible anti-theft safeguard

      Down-voted by Outlander owners? One of the few perks of ownership

      1. psychonaut

        Re: A Mitsubishi Outlander has the strongest possible anti-theft safeguard

        if you get the one with the electric heater, it eats all the battery all the time....the 3h i believe...

        nearly bought a phev..did a lot of research. 4h doesnt have that heater problem, although the salesman didnt tell me that. quite liked it actually. and, contrary to previous posts, its pretty quick off the line (for a big heavy thing...i have a z4 and an xtrail. its somewhere in between...more to the xtrail end of the spectrum admittedly). spacious, great if you are doing under 30 miles a day. you can get a recharge port installed for almost nothing due to grants (or you could) at your home. if you have solar panels as well, you are on a winner.

        just didnt think it was quite the right time to invest in the tech...a few more years....

        hopefully tesla will do a model t ford and blow the market to bits in the near future. one of my cousins has a tesla....wow, its a great piece of tech..amazing actually, but let the first adopters adopt..those with the very deep pockets....and things will change

  14. Yugguy

    Nope

    To be fair these things are so slow you could probably run and catch it before they drove it away.

    This is why I don't want external connectivity of this kind.

    I have a W204 C class Merc, internally there is a lot of computerisation, the cruise talks to the engine and brake system, the Comand talks to the instrument cluster, there's brake assist and auto lights and wipers and seat belt tensioners and all sorts of bollocks.

    But the only way to talk to the internal computerisation is via a physical port. And that's the way I like it.

    1. Anonymous Coward

      Re: Nope

      I wouldn't polish the Mercedes halo too much. There are multiple problems with Merc software also with some Mercs sharing the Jeep Cherokee (formerly Daimler-Chrysler) system. On a simple functional level an Italian journalist reported an incident a couple of years ago where a Merc system crash caused his diesel engined C-class to stop on the autostrada. This seems to have been an isolated incident but don't imagine that air gapped means invulnerable.

      1. Anonymous Coward
        Pint

        Re: Nope

        Indeed but a Distributor Cap failure (don't ask) caused me to end up stranded on the outside lane of a motorway (the go faster one), it's not just the IT that can cause problems. No joke.

        A beer because that's what I needed afterwards, several beers in fact.

        1. psychonaut

          Re: Nope

          im asking. a dizzy? are you from the past?

        2. psychonaut

          Re: Nope

          had the accelerator cable on my westfield snap whilst doing an overtaking manoeuvre. admittedly, i'd built the fucking thing, so my fault...but i share your pain there

  15. Chris Miller

    I run an Outlander PHEV

    The phone app has the following capabilities:

    Shows the state of battery charging - I use this a lot

    Turn heating on/off - very useful on cold mornings to warm the car before setting off

    Turn on headlights - possibly useful if it's night in a big car park and you've forgotten where it is, but I've never used it

    Timers - for automatically charging the car at a set time, don't use this

    Change car settings - which includes the alarm function.

    As Mitsubishi state, you can disable the car alarm, but if you want to drive it away, you'll need a key. I can't say this is my greatest concern.

    1. David_H
      Happy

      Re: I run an Outlander PHEV

      I own one as well.

      My wife could not make a good case for actually needing any of the Wi-Fi functions, so they stayed disabled.

      I bought her a new coat so that she doesn't need to turn the car heating on in the winter. Sorted!

      Very happy with the car. 26 mile trips on battery only (in the summer, as lights, wipers and wet roads mean I can only get 24 miles on the charge.) Silently pulling the caravan off muddy fields with the 4WD gets many looks of admiration. Enough room to carry 2.4m lengths of wood in the car. Only downside is that it's too long to fit in the garage unless I take my racking down (not going to happen!)

      1. Anonymous Coward
        Anonymous Coward

        Re: I run an Outlander PHEV

        Same here with my Outlander.

        I played with the WiFi when I first got it but got fed up with my phone connecting to it rather than my house wifi (and thus no internet connection) so I disabled the WiFi in the car.

        As the car can't be driven away by someone using this hack then I am not too worried.

        The stupid Chrysler that I'm driving (rental) has two effing wifi points. One in the front and one in the back for the kids. They are both 3G connected but the SIMs thankfully didn't work unless I opted to pay the extra for Internet Radio.

        Naturally there was no owners manual in the glovebox so I had to find a dealer in order to work out how to disable it. The dealer was surprised by this because the WiFi hotspots were a top selling point.

        American families seem to have little or no brain apparently.

        1. psychonaut

          Re: I run an Outlander PHEV

          2 wifi ap's inside a car? how shit is each one???

    2. Lee D Silver badge

      Re: I run an Outlander PHEV

      "drive it away" is optional once you're inside the car with all the time in the world. Hell, you could just release the brake and tow it late at night, who's going to know?

      1. Chris Miller

        @Lee

        The Outlander has an electronic handbrake (a parking brake like most automatics), so you still need a key. To be fair, once you're inside, you can (like most cars) gain access to the various buses that provide computer management of the car, so it's possible you could override it, but I think joyriders would probably look for an easier target.

        @David, yes my experience is similar. When buying any EV, it's vital to understand how your driving patterns fit with the car, but if you do a lot of trips <20 miles, you can get >>100 mpg. Even adding the cost of a recharge (about £1, so equivalent to a litre of petrol) I still average over 70 mpg, which is pretty amazing for a 2 ton petrol-engined 4WD SUV. If you spend most of your time cruising motorways, consumption will be a lot worse, of course.

        1. This post has been deleted by its author

  16. AOD
    FAIL

    Yet another kind of drive-by

    The only way that this will get the focus it deserves is if customers and insurers react in the same way as back in the 80's when hot hatch nicking was at its peak. One of the results of that was Thatcham which slowly dragged (UK) car security (and manufacturers) into the (then) current century.

    Once insurers started pushing premiums to eye watering levels, customers sat up and took notice, as did car manufacturers when their sales started going through the floor.

    It took a while but before long, certain brands started including Thatcham alarm/immobilisers as standard fit items rather than as options.

    Thatcham need to take a similar view on automotive cybersecurity as well with either an equivalent to Cat 1 or even better, make it part of the Cat 1 certification.

    1. Sgt_Oddball

      Re: Yet another kind of drive-by

      What we really need is for manufacturers to realise that we own cars for more than a couple of years. As such all of this software related trickery is going to age and fail, badly (seriously, how long before some car has a serious issue with the 'int' limit?). It's also becoming more and more obvious that once someone figures out how to crack open a certain car, if it's desirable then it'll end up in the hands of crims before you can say 'taken without consent', so ignoring the issue is going to bite the manufacturers in the arse, then the face.... then the wallet.

      As such I'd like the makers to start offering us cars without all of the trickery for getting into the car and instead rely on tried and trusted methods....like maybe something physical, made of hard wearing metal....oooo I dunno, about an inch and 'alf to two inches long? That's maybe, just maybe made for our car and our car alone? It shouldn't do anything funny like open the car before physical contact or use radio waves for anything other than to receive and play through the stereo. Is this too much to ask?

      This way, least the little.....people of questionable parentage have to at least work for it rather than just stroll up and drive off.

  17. Bob Dole (tm)
    WTF?

    This hacking is a first for us as none other has been reported anywhere else in the world.

    "This hacking is a first for us as none other has been reported anywhere else in the world.", Mitsubishi 2016.

    Do we really have to go through all this "we've never had to deal with this before" BS for every new device some company wants to plug up to the internet? I hate asking the government (any of them) to get involved in my life but at this point I would absolutely support someone that wanted to fine or put in jail programmers who fail to implement well known precautions against hacking attempts.

    This is just bonkers.

    1. Mark 85
      Unhappy

      Re: This hacking is a first for us as none other has been reported anywhere else in the world.

      On the bright side, at least the access key isn't "password" or "1234".

  18. Nifty Silver badge
    Facepalm

    Hmm to avoid all this kind of widgetry my next car's going to be Korean.

    North Korean.

    1. Anonymous Coward
      Trollface

      North Korean Cars

      Oh, it will have all the electronics that a Japanese car will, they just won't work.

      1. Lotaresco

        Re: North Korean Cars

        It's also possible to avoid all electronic security woes by buying an Italian car. Yes it will be loaded with electronic nonsense but you won't want to use any of it because the functionality will be dreadful, on the rare occasions when it works, most of the time it just won't work.

  19. Dwarf

    Just in time for Infosec 2016

    Nice marketing Ken !

    Seriously though, take a look at their videos on YouTube. Last year was quite entertaining and food for thought. Scales, Kayla and WiFi CCTV hacking if I recall.

    Not that your marketing tricks work on me.

    .. Oh, hang on ... damn.

    I'm not affiliated to PTP, but I can see a capable bunch of Chaps!

    1. Lotaresco

      Re: Just in time for Infosec 2016

      ... and the iKettle and some "smart" TVs. Ken and his gang have been very busy and also very entertaining.

  20. Kevin McMurtrie Silver badge

    Could be worse

    Give me WiFi any day. VW's Car-Net is Verizon cellular and can't be disabled without taking the dashboard apart. It costs $18/month if you somehow find a use for it.

  21. Christian Berger

    Obligatory Knight Rider reference

    https://youtu.be/kki3MjmGtY0?t=226

  22. Ralph B

    Additional Security Measure

    Surely the white hats have missed the additional security measure that Mitsubishi have implemented here: They have gone to the trouble of creating a car that no-one in their right mind would want to steal, let alone have to invest 4 days brute-force hacking in order to do so.

  23. Lotaresco

    Well at last I can comment

    Ken gave an excellent talk at the Cyber Security Professionals event in York this year. Those of us with an interest in the IoT were subject to a verbal NDA about the issues described here and some deeper details of the vulnerabilities which give me greater cause for concern.

    The response from Mitsubishi "This hacking is a first for us as none other has been reported anywhere else in the world." also causes concern. I can't believe that a large corporation imagines that this is a sensible response to a notification that their vehicle security is this poor.

    Sadly the same response has been made to me over the last two years by several companies. One vendor tried to avoid fixing a vulnerability that would auto-execute code uploaded to their web application using exactly the same excuse. I'm not sure what the implication is supposed to be "No one else noticed it, so you are telling lies"? It's similar to the denials made by TalkTalk about being hacked.

    Here's a clue to the sales droids and the heads of companies that receive notifications similar to this one. The appropriate and non-damaging response is to thank whoever brought this to their attention, to state that the company takes this matter seriously, that the company will immediately seek independent confirmation of the discovery and, if possible, customers should take the following steps [...] to avoid issues until the company can issue a fix. Don't try to cover it up and claim it's a non-issue. That makes the company look like shifty idiots who don't care about their customers.

    1. DropBear
      Joke

      Re: Well at last I can comment

      Oh, I'm sure they'll realize soon enough there's an extremely simple fix that mitigates all possible security concerns comprehensively and fully: just stop broadcasting the WiFi SSID....
