Canadian Underwriter

U.K. penetration testing firm hacks into SUV through mobile app


June 9, 2016   by Canadian Underwriter



United Kingdom-based Pen Test Partners LLP said recently that it has hacked into a Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) through a mobile app.


Pen Test Partners LLP said that it has hacked into a Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) through a mobile app. Photo: Mitsubishi Motors.

Pen Test Partners said in a blog post on June 5 that most remote control apps for locating a vehicle, locking it remotely, etc. work using a web service hosted by the vehicle manufacturer or their service provider. The Outlander PHEV, however, has a Wi-Fi access point on the vehicle instead of a GSM module.

“This has a massive disadvantage to the user in that we can only communicate with the car when in Wi-Fi range,” Pen Test Partners wrote in the blog post. “Unfortunately, we found that this system had not been implemented securely.”

To hack into the SUV, the testers replayed various messages from the mobile app. After figuring out the binary protocol used for messaging, they could successfully turn the lights on and off, “force the car to charge up on premium rate electricity,” turn the air conditioning or heating on or off and disable a theft alarm, the blog post said.


Charlie Miller attempts to rescue the Jeep after its brakes were remotely disabled, sending it into a ditch. Andy Greenberg/WIRED

The hacking came less than a year after tech magazine WIRED reported in July 2015 that hackers had taken control of a Jeep Cherokee via its Internet-connected entertainment system. The hacking prompted Fiat Chrysler Automobiles to conduct a voluntary recall to update software in approximately 1.4 million U.S. vehicles equipped with certain radios.

