June 9, 2016 by Canadian Underwriter
United Kingdom-based Pen Test Partners LLP said recently that it has hacked into a Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) through a mobile app.
Pen Test Partners said in a blog post on June 5 that most remote control apps for locating a vehicle, locking it remotely, etc. work using a web service hosted by the vehicle manufacturer or their service provider. The Outlander PHEV, however, has a Wi-Fi access point on the vehicle instead of a GSM module.
“This has a massive disadvantage to the user in that we can only communicate with the car when in Wi-Fi range,” Pen Test Partners wrote in the blog post. “Unfortunately, we found that this system had not been implemented securely.”
To hack into the SUV, the testers replayed various messages from the mobile app. After figuring out the binary protocol used for messaging, they could successfully turn the lights on and off, “force the car to charge up on premium rate electricity,” turn the air conditioning or heating on or off and disable a theft alarm, the blog post said.
The hacking came less than a year after tech magazine WIRED reported in July 2015 that hackers had taken control of a Jeep Cherokee via its Internet-connected entertainment system. The hacking prompted Fiat Chrysler Automobiles to conduct a voluntary recall to update software in approximately 1.4 million U.S. vehicles equipped with certain radios.