Establishing Digital Trust: Don't Sacrifice Security for Convenience
Researchers at Pen Test Partners recently uncovered a vulnerability in the Mitsubishi Outlander plug-in hybrid's on-board Wi-Fi system, BBC News reports.
The researchers discovered that the vehicle's mobile app connects to the car via Wi-Fi, and then gives the user control over various functions in the car itself.
"I assume that it’s been designed like this to be much cheaper for Mitsubishi than a GSM / web service / mobile app based solution," Pen Test researcher David Lodge wrote in a blog post detailing the findings. "There’s no GSM contract fees, no hosting fees, minimal development cost."
"Unfortunately, we found that this system had not been implemented securely," Lodge added.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Once the Wi-Fi connection had been hacked, Lodge was able to turn the car's lights on and off, force the car to charge, turn the air conditioning and heating on and off -- and disable the alarm.
And with the alarm disabled and the car broken into, Lodge noted, many more attacks are possible. "The on board diagnostics port is accessible once the door is unlocked," he wrote. "Whilst we haven’t looked in detail at this, you may recall from a hack of some BMW vehicles which suggested that the OBD port could be used to code new keys for the car."
The short-term solution for Outlander owners, Lodge wrote, is to disable the car's Wi-Fi module. Longer-term solutions could include a firmware update for the Wi-Fi module and, ideally, a change from Wi-Fi to GSM as a method of connecting the mobile app to the vehicle.
Cigital managing consultant Art Dahnert told eSecurity Planet by email that the Mitsubishi hack is a perfect example of how the auto industry is struggling to meet the security challenges of the Internet of Things (IoT). "It is very important that any product involving internet or wireless connectivity be heavily scrutinized from a security perspective, hopefully, as part of the design process," he said. "If that is not part of the initial development cycle, then at least having reputable security researchers perform an analysis of the implementation prior to shipping to market will save a lot of time and money addressing any serious issues after it reaches customers' garages."
"The design choice that Mitsubishi made in this example has directly led to a serious security flaw that could lead to theft of the vehicle or other possible safety issues," Dahnert added. "These are real world impacts to the customer and can severely damage their brand as well as bottom line."
According to the results of a recent IOActive survey of 129 security professionals conducted in March 2016, 47 percent of respondents said they believe less than 10 percent of all IoT products on the market are designed with adequate security, and fully 85 percent believe less than 50 percent of IoT products are secure.
"Consensus is that more needs to be done to improve the security of all products, but the exponential rate at which IoT products are coming to market, compounded by the expansive risk network created by their often open connectivity, makes IoT security a particular concern and priority," IOActive CEO Jennifer Steffens said in a statement.
A recent eSecurity Planet article offered advice on improving IoT security.