Do you own a Mitsubishi Outlander?
-
https://www.pentestpartners.com/blog/hacking-the-mitsubishi-outlander-phev-hybrid-suv/
Most remote control apps for locating the car, flashing the headlights, locking it remotely etc. work using a web service. The web service is hosted by the car manufacturer or their service provider. This then connects to the vehicle using GSM to a module on the car. As a result, one can communicate with the vehicle over mobile data from virtually anywhere.
The Outlander PHEV does it differently. Instead of a GSM module, there is a Wi-Fi access point on the vehicle. In order to connect to the car functions, we have to disconnect from any other Wi-Fi networks and explicitly connect to the car AP. From there, we have control over various functions of the car.
http://www.hackers-arise.com/#!Hacking-the-Mitsubishi-Outlander-PHEV/c112t/5756faea0cf24c9615a3ef4b
Making this vehicle even more vulnerable is the security implementation of the Wi-Fi, or rather, the lax security implementation. First, the WiFi AP password is in the owner's manual. Second, the APs all have SSIDs that fit a pattern of "REMOTEnnaaaa" where the "n" is any number and the "a" is any lowercase alphabetic. Finally, the passwords are relatively short and simple, making them vulnerable to brute force cracking.
There are over 100,000 of these Mitsubishi Outlanders sold, so there is likely one near you. Of course, you could simply walk down the street looking for them or you could do an automated search for the SSID pattern unique to this vehicle. We could use the Wireless Geographic Logging Engine at www.wigle.net (wigle.net catalogs WiFi APs and indexes them by GPS coordinates).
https://wigle.net/phpbb/viewtopic.php?p=8869
In the interest of personal safety, we've agreed to a request from the Mitsubishi Motors Corporation to remove the observations of Outlander PHEV beacons from our database.
-
@all_users
I wonder how the design process works... I am sure they spend a lot of time discussing the features, choosing the components etc.
A remote-control feature surely involved a lot of work.
The ability to change the SSID + password is a natural solution that comes to mind instantly.
It can be refined further for convenience, for example instead of user inventing a password, it can be generated and then shown on the screen, even better with a QR code. The most comfortable option can be chosen by testing with users.
They must have known this, so why did they choose otherwise?
-
Also, what exactly is wrong with bluetooth for this application? It's not as if they try to stream video or do some other high-bandwidth stuff, at least based on the information from the article?
I'm also not sure about this trend of putting a wifi AP into everything and requiring communication by that. It's going to get really annoying when you have two or more devices that do that.
-
@cvi said in Do you own a Mitsubishi Outlander?:
It's not as if they try to stream video or do some other high-bandwidth stuff, at least based on the information from the article?
Not in base models, no. Exclusive version gets this though:
-
@cvi said in Do you own a Mitsubishi Outlander?:
not sure about this trend of putting a wifi AP into everything
Bah. You're just a Luddite who fears change.
-
@Adynathos said in Do you own a Mitsubishi Outlander?:
I wonder how the design process works...
I'm guessing it involves “mushrooms”.
-
@cvi said in Do you own a Mitsubishi Outlander?:
what exactly is wrong with bluetooth for this application
Maybe range is smaller than WIFI?
"locating the car, flashing the headlights, locking it remotely" - it may be far
-
@flabdablet Owning two devices that each require connecting to their wifi hotspot for them to be usable/useful probably turned me into one.
-
@Adynathos said in Do you own a Mitsubishi Outlander?:
@cvi said in Do you own a Mitsubishi Outlander?:
what exactly is wrong with bluetooth for this application
Maybe range is smaller than WIFI?
"locating the car, flashing the headlights, locking it remotely" - it may be far
Considering that WIFI's ranges are not that much higher under realistic conditions (at least when you're broadcasting in all directions), I dare say that you haven't won much.
-
@cvi Don't worry, Bluetooth isn't much better most of the time.
ESPECIALLY WHEN WINDOWS FUCKING 10 STILL DOESN'T HAVE A FUCKING CONNECT BUTTON FOR BLUETOOTH DEVICES!
Ehm. No, I'm not pissed. Why do you ask?
That said, Android seems to be able to connect to headset while it's connected to a Linux machine as well, so I guess it's doable. Though it does seem to connect to HFP only, A2DP seems to be a "one device only" thing, so it might be that other protocols have that limitation as well.
What I meant to say with this ramble: it's questionable BT would help with multiple connections problem as well. So you'd likely get people bitching either way.
-
@dkf said in Do you own a Mitsubishi Outlander?:
@Adynathos said in Do you own a Mitsubishi Outlander?:
I wonder how the design process works...
I'm guessing it involves “mushrooms”.
Would that be '"keep 'em in the dark and feed 'em horse shit" while management specs the project' mushrooms, or psychedelic mushrooms?
-
@Onyx Yeah, ok, there might be a problem with multiple connections the other way around. I'm more limited by the fact that my mobile phone can only connect to one wifi network at any time, than multiple devices trying to talk to my headphones. Though, the latter some devices (headphones etc) seem to pull off, whereas the former ... meh.
(Ok, I did some googling, it may be possible with Wifi-Direct which apparently is supported on newer Android devices? If so, I withdraw my objection, please feel free to consider putting APs into everything.)
-
@HardwareGeek said in Do you own a Mitsubishi Outlander?:
Would that be '"keep 'em in the dark and feed 'em horse shit" while management specs the project' mushrooms, or psychedelic mushrooms?
-
@Onyx said in Do you own a Mitsubishi Outlander?:
ESPECIALLY WHEN WINDOWS FUCKING 10 STILL DOESN'T HAVE A FUCKING CONNECT BUTTON FOR BLUETOOTH DEVICES!
It scans continuously for devices when BT's on. You click on a listed device to connect to it. Been that way since at least XP.
-
@dkf said in Do you own a Mitsubishi Outlander?:
@HardwareGeek said in Do you own a Mitsubishi Outlander?:
Would that be '"keep 'em in the dark and feed 'em horse shit" while management specs the project' mushrooms, or psychedelic mushrooms?
You do realize that I anticipated that response with my <abbr title="not exclusive or">or</abbr>, right?
-
@FrostCat said in Do you own a Mitsubishi Outlander?:
You click on a listed device to connect to it.
You click on it to pair with the device if not already, yes. What happens if it's already paired? I'll tell you what: big fat nothing.
Now, if Windows was the last thing I connected my BT headset on, the headset will connect to it properly, because it's looking for the last device it was connected to. Otherwise, you're fscked, you have to unpair the device and repeat the pairing procedure. On Linux and Android there's "Connect" that will work every single time. But Windows 10? Nope. Unless there's some hidden button here I don't see:
Clicking that just produces a fancy effect that does jack shit.
-
Your title scared me, I do own one of these. Thankfully it is not affected by this because it was made years before any of these remote access features became commonplace. It does have an after market starter system which is probably vulnerable to some sort of attack, but nothing like this insanity.
I have no use for WiFi in my car and I can't imagine why anyone else would. This past weekend I was up a mountain with no cell service. How would the car's GSM antenna have performed any better in that scenario?
-
@aapis said in Do you own a Mitsubishi Outlander?:
How would the car's GSM antenna have performed any better in that scenario?
Theoretically, it's a better antenna (doesn't have to conform to a cell phone form factor). Also some limiting factors, such as tx power, can be removed if you're running from a vehicle.
That's not necessarily the case, and it may well be just as bad, but it's possible to have better reception from a vehicle like that.
-
@Onyx said in Do you own a Mitsubishi Outlander?:
What happens if it's already paired? I'll tell you what: big fat nothing.
The only thing I've done recently is transfer pictures, where I have to click the "receive files" thing if I want to do that. But since the phone was already paired (after the first time I did it), I didn't have to do anything else.
-
@Onyx said in Do you own a Mitsubishi Outlander?:
Clicking that just produces a fancy effect that does jack shit.
Without a BT headset I can't try this. I'd've thought it would just start working if you played a sound.
-
@all_users said in Do you own a Mitsubishi Outlander?:
Instead of a GSM module, there is a Wi-Fi access point on the vehicle. In order to connect to the car functions, we have to disconnect from any other Wi-Fi networks and explicitly connect to the car AP
Wifi is not designed for P2P communication. Having to disconnect from the internet and connect to a virtual AP is not acceptable.
It's stupid, yes, but it's how it's designed. Go bitch to the Wi-Fi Alliance. You're a company so they will listen.
Edit: I'd like to remind people that the Wi-Fi Alliance are the geniuses that invented a bunch of easier and better ways to pair devices, but half-assed the implementation so badly that they are trivial to brute-force, so devices had to drop support for them.
-
@anonymous234 said in Do you own a Mitsubishi Outlander?:
In order to connect to the car functions, we have to disconnect from any other Wi-Fi
If you are using a car, it seems probable you are not sitting at home near your AP, but travelling or about to do it.
If you need this feature, then most probably you are looking for the car near a supermarket.
So it's not such a problem that you can't connect to another AP at that time.
-
@Adynathos It's still an awkward interface. Plus I suspect Android will continuously try to disconnect from it and connect to any other APs it finds nearby.
-
@Onyx said in Do you own a Mitsubishi Outlander?:
Otherwise, you're fscked, you have to unpair the device and repeat the pairing procedure.
Here's a secret:
- In that screen: More Bluetooth options -> show Bluetooth icon in notification area
- Right click bluetooth icon in notification area -> join personal area network -> good old fashioned bluetooth device list pops up.
-
@anonymous234 said in Do you own a Mitsubishi Outlander?:
Here's a secret
Shit, I knew there used to be a way to do that but forgot because for years I had no computer with BT.
-
@anonymous234 said in Do you own a Mitsubishi Outlander?:
It's still an awkward interface.
Probably a feature you don't use very often. After all, cars are still easiest to operate from inside.
Maybe it's for the rare events when you don't know where the car is or forget to check if it's closed.
-
@HardwareGeek said in Do you own a Mitsubishi Outlander?:
You do realize that I anticipated that response with my <abbr title="not exclusive or">or</abbr>, right?
Of course, but it was the perfect opportunity to use that meme anyway.
-
@aapis said in Do you own a Mitsubishi Outlander?:
Thankfully it is not affected by this because it was made years before any of these remote access features became commonplace
I felt the same when there was a story about "every Chrysler from 2012 to now is hackable". Except mine, it seems, because the smartest thing about it is that it doesn't have any smart features.
-
@anonymous234 said in Do you own a Mitsubishi Outlander?:
@all_users said in Do you own a Mitsubishi Outlander?:
Instead of a GSM module, there is a Wi-Fi access point on the vehicle. In order to connect to the car functions, we have to disconnect from any other Wi-Fi networks and explicitly connect to the car AP
Wifi is not designed for P2P communication. Having to disconnect from the internet and connect to a virtual AP is not acceptable.
It's stupid, yes, but it's how it's designed. Go bitch to the Wi-Fi Alliance. You're a company so they will listen.
Edit: I'd like to remind people that the Wi-Fi Alliance are the geniuses that invented a bunch of easier and better ways to pair devices, but half-assed the implementation so badly that they are trivial to brute-force, so devices had to drop support for them.
WTF
WTF
WTF
WTF
Since the last digit is a checksum of the previous digits,[13] there are seven unknown digits in each PIN, yielding 10^7 = 10,000,000 possible combinations.
When an enrollee attempts to gain access using a PIN, the registrar reports the validity of the first and second halves of the PIN separately.
WTF
WHY THO
WTF.
-
@sloosecannon The only possible explanation is that no one actually read the standard, they just assumed someone else had.
-
@anonymous234 it's like they said "what's the crappiest authentication method?", took that, then said "How can we make it weaker?"
PINs are by definition weak - they have a much smaller keyspace and usually are significantly shorter.
Then you go and shorten your keyspace more with a check number (WHY DO YOU NEED THAT?).
Then you go and make it worse by splitting it in half and reporting them separately! Why. Would. You. Do. That!?!?
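
(Added example, not part of any post in this thread: a toy in-memory model of the PIN scheme discussed above, showing how confirming the two halves separately shrinks the worst case from 10^7 guesses to 10^4 + 10^3 = 11,000. `ToyRegistrar` and the function names are hypothetical and no Wi-Fi or WPS protocol code is involved; the check-digit routine follows the publicly documented WPS PIN checksum.)

```python
# Added illustration: counts guesses against an in-memory object only.

def wps_checksum(body7):
    """Check digit for the seven free PIN digits (weights 3,1,3,... from the right)."""
    accum = 0
    while body7:
        accum += 3 * (body7 % 10)
        body7 //= 10
        accum += body7 % 10
        body7 //= 10
    return (10 - accum % 10) % 10


def make_pin(body7):
    """Full 8-digit PIN string: seven free digits plus the check digit."""
    return f"{body7:07d}{wps_checksum(body7)}"


class ToyRegistrar:
    """Hypothetical stand-in that answers the way the quoted passage describes."""

    def __init__(self, pin):
        self.pin = pin

    def check_whole(self, guess):
        return guess == self.pin  # a single yes/no for all eight digits

    def check_halves(self, guess):
        # The design flaw: each half is confirmed on its own.
        return guess[:4] == self.pin[:4], guess[4:] == self.pin[4:]


def guesses_whole(reg):
    """Guesses needed when only the whole PIN is confirmed (up to 10**7)."""
    for n, body in enumerate(range(10**7), start=1):
        if reg.check_whole(make_pin(body)):
            return n
    raise ValueError("PIN does not carry a valid check digit")


def guesses_split(reg):
    """Guesses needed when halves are confirmed separately (up to 10**4 + 10**3)."""
    n = 0
    for first in range(10**4):
        n += 1
        if reg.check_halves(f"{first:04d}0000")[0]:
            break
    for tail in range(10**3):  # the last digit of this half is the check digit
        n += 1
        if reg.check_halves(make_pin(first * 1000 + tail))[1]:
            return n
    raise ValueError("PIN does not carry a valid check digit")
```
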
-
No I don't
-
@sloosecannon said in Do you own a Mitsubishi Outlander?:
Why. Would. You. Do. That!?!?
Well at least they're not writing the key to NFC tags so you can just "bump" your phone and connect to the car. :troll--- Wait a minute!
-
@cvi said in Do you own a Mitsubishi Outlander?:
Also, what exactly is wrong with bluetooth for this application?
iPhone
-
Just buy or rent a second hand land-rover .. I am begging you.
-
@sloosecannon said in Do you own a Mitsubishi Outlander?:
@anonymous234 it's like they said "what's the crappiest authentication method?", took that, then said "How can we make it weaker?"
PINs are by definition weak - they have a much smaller keyspace and usually are significantly shorter.
Then you go and shorten your keyspace more with a check number (WHY DO YOU NEED THAT?).
Then you go and make it worse by splitting it in half and reporting them separately! Why. Would. You. Do. That!?!?
So they basically reinvented LanMan
-
@kt_ ? (I.e., what exactly is the problem with iphones and bluetooth? I don't own any idevices...)
-
@cvi said in Do you own a Mitsubishi Outlander?:
@kt_ ? (I.e., what exactly is the problem with iphones and bluetooth? I don't own any idevices...)
In order to be able to use BT as God intended you need to jailbreak your device and buy a $10 app, AFAIK (I might be wrong as to the price). Otherwise, it's used to allow AirDrop to work, but you can't connect to just any device.
On the other hand, now that I think of it, connecting to a car headset works, what's impossible to do is just sending file between unauthorized devices, so I guess my point was a moo one. iDevices could work with this.
-
@sloosecannon The worst thing is, the PIN method is flawed to begin with. Because the PIN is built into the device and can't be changed, if it leaks you're just screwed.
-
@anonymous234 Will it be better if it's TOTP token generated with PIN?
-
@cheong It makes it harder for the PIN to leak, but if it leaks the point still stands.
-
One of my coworkers owns a 90s Mitsubishi Eclipse.