
Hacking the Mitsubishi Outlander PHEV hybrid - cybergibbons
https://www.pentestpartners.com/blog/hacking-the-mitsubishi-outlander-phev-hybrid-suv/
======
ju-st
> So, we involved the BBC who helped us get their attention. Mitsubishi have
> since been very responsive to us! They are taking the issue very seriously
> at the highest levels.

So Mitsubishi apparently has no business process for reporting security issues
but they are aware that security is important!

~~~
csours
DISCLAIMER: I work for GM.

I was shocked to read that GM was the second major (first if you don't count
Tesla as major) automaker to set up a responsible disclosure program. [1]

1\. http://arstechnica.com/security/2016/01/gm-embraces-white-hats-with-public-vulnerability-disclosure-program/

~~~
vvanders
Except that GM pays zero dollars for their bug bounties, unlike Tesla:

[https://bugcrowd.com/tesla](https://bugcrowd.com/tesla)

~~~
csours
Can you find me Toyota's bug bounty or responsible disclosure page? BMW?
Mercedes? Ford? Any other major OEM?

I know that GM has done many bad things and done many things badly in the
past, but it does seem that an old dog can learn new tricks.

~~~
tobltobs
Bounties not involving any compensation are indeed a kind of new trick.

------
djrogers
Other than the PSK being too short, this isn't nearly as unreasonable an idea
as the author makes it sound like. Honestly, do you really think a 24x7
internet connected car running all of its remote access off a web service is
going to be MORE secure than something that can only be accessed locally
(+-100 yards) with a unique key? Give me a break...

Besides, it seems like a rather simple solution would be to simply allow
owners to change the PSK for the AP in the car.

------
United857
Here, false alarms from cars are so common most people have grown to just
ignore them.

No need to disable the alarm; it is already largely useless for its intended
purpose. :/

~~~
pkolaczk
I think thieves don't want to take unneeded risks. Otherwise, no protection
would make any sense and we could as well just leave the doors open. Even if 9
out of 10 times the alarm going off wouldn't be noticed, the remaining chance
could still discourage some thieves and make them run away.

Actually that has happened once to my parents' car. The alarm saved the
wheels. Thieves wanted to steal the wheels (not the whole car) and they
managed to unscrew 3 of them when they accidentally activated the alarm and
ran away. Funny, they left their car jack behind.

Anyway, it is a pity they didn't analyze the security level of the OBD2
interface and other systems connected to the ECU or CAN bus. I saw a few
YouTube videos of thieves stealing cars in a way they enter into a car and in
a few minutes they just switch the engine on and drive away. From the outside,
it really doesn't look suspicious - probably most people seeing this would not
notice the car was being stolen. This shouldn't be that easy - there's
certainly something wrong with the design of the factory anti-theft systems.

~~~
jandrese
That's the difference between professional and amateur thieves. Professionals
don't give a crap about the alarm because they would have all of the wheels
off and gone before anybody could respond anyway.

~~~
pkolaczk
"they would have all of the wheels off and gone before anybody could respond
anyway."

I wouldn't be so sure about it. I heard stories (directly from friends, not
only from the Internet) about thieves being stopped by a custom / non-standard
/ less known protection installed in a car. A thing that the thief does not
know in advance and has to first figure out how to crack it. If the alarm goes
off, it gives less time to crack the other security systems.

------
simik
4 letters + 6 digits PSK, roughly 39 bits of entropy, about 730 hours to
exhaust the search space on a single GTX 970/R9 290X.

EDIT: I'm surprised it costs 1,000 GBP to cloud-hack a PSK of this length,
considering there are lots of GPUs mining cryptocurrencies at about $0.15 an
hour.

~~~
sp332
Per hour, the cloud is way more expensive than owning your own hardware.

~~~
hexane360
I need to get in on this business :P

------
mschuster91
> Whilst we haven’t looked in detail at this, you may recall from a hack of
> some BMW vehicles which suggested that the OBD port could be used to code
> new keys for the car.

AFAIK, at least officially licensed BMW dealerships can do this, and the VW
software (VAG COM) for car shops has leaked countless times.

As soon as you have access to the OBD port, all you need is either cracked
dealer software or some low-paid dude with an interest in earning side money
and keys to the dealership. Or, if you want to avoid people calling the cops
on you, buy/steal a tow truck with a lift. No one will call the cops if they
hear a thief alarm and a tow truck with flashing yellow lights - people will
assume either the legit owner has a breakdown or, to up the game if you have
another (stolen) car with blue lights, the cops are towing the vehicle.

------
callesgg
So I first have to sit for hours and wait until someone that has their phone set up
to connect to that wifi comes along so I can sniff the hashed keys. I start
cracking the password, and after a few hours go by I can finally get into
the car and somehow use a security bug that is accessible from the OBD port to
add a new key. Then drive off.

The whole thing is kind of meh.

~~~
King-Aaron
Driving away in someone's car isn't always why someone might want to break
into it. Someone with enough technical knowledge combined with a mental state
compelling them to obsess over a victim could be a scenario where this is an
issue.

------
stuff4ben
Welcome to the glorious Internet of Things where security is an afterthought
(or barely thought about).

~~~
tobz
This model isn't internet-connected at all.

