PHEV alarm can be switched off using hacked wifi [merged]

Mitsubishi Outlander PHEV Forum

Help Support Mitsubishi Outlander PHEV Forum:

This site may earn a commission from merchant affiliate links, including eBay, Amazon, and others.
Have to say that having read through all this stuff, my view remains that life's too short to get worked up about this or worry about it. I'm far more worried about some random idiot deciding to key the side of my car, or throw acid over it, than I am about some computer wizard going to all this hassle and trouble to disable the alarm on my car. If they really want to get into it then just smash a window and carry on while everyone else in the neighbourhood ignores the alarm and curses the owner for having a car in which the alarm keeps going off accidentally.

Even if the by the remotest possibility the car did get stolen then that's what I've got insurance for, right ?

Appreciate there is a theoretical technical gap here that has been proven by some IT nerd, but there are far more practical, real life things to worry about than this.
 
greendwarf said:
This is presumably a problem those of us down here in steerage with our Gx3s don't have. :D
Click to expand...

The locking wheel nuts will see you straight sir! - as long as you cloak their IP address...

I have just been out and covered my PHEV in tin foil (doubling the bodywork thickness :p ) connected to an earthed stake, well watered. I have tweaked an old CB radio set to bleed radio waves all over and its jamming everything for miles, finally I built a low brick wall around on all 4 sides, hack that then!
 
neergh said:
For the past 4 days there has been a van parked outside my house, do I need to worry? :D
Click to expand...

Only if it looks like this...

truck1_front.jpg
 
Car Fuse Puller Tool, Car Fuse Puller Extraction Tool, Plastic Car Fuses Remover, Fuses Maintenance Accessories for Car Automotive Boat Mini Standard Blade Fuse (6PCS)
-50%
$2.49 $4.99
Car Fuse Puller Tool, Car Fuse Puller Extraction Tool, Plastic Car Fuses Remover, Fuses Maintenance Accessories for Car Automotive Boat Mini Standard Blade Fuse (6PCS) Smilfuy
HAFIDI Floor Mats & Cargo Liner for Mitsubishi Outlander 2022-2024 (Not Fit PHEV or Sport Models) Custom Fit Full Set, All Weather Car Accessories (Rear Trunk Mat +Floor Mats)
$158.00
HAFIDI Floor Mats & Cargo Liner for Mitsubishi Outlander 2022-2024 (Not Fit PHEV or Sport Models) Custom Fit Full Set, All Weather Car Accessories (Rear Trunk Mat +Floor Mats) Dianyue
AZYT Floor Mats & Cargo Liner for Mitsubishi Outlander 2024 2023 2022 (Not for PHEV or Sport Models) All Weather Automotive TPE Liners Set Anti-Slip Waterproof Floor Liners Accessories
$155.99
AZYT Floor Mats & Cargo Liner for Mitsubishi Outlander 2024 2023 2022 (Not for PHEV or Sport Models) All Weather Automotive TPE Liners Set Anti-Slip Waterproof Floor Liners Accessories AZYT-US
Imperial Tool 535C Kwik Charge Liquid Low Side Charger
-24%
$34.13 ($34.13 / count) $45.00 ($45.00 / count)
Imperial Tool 535C Kwik Charge Liquid Low Side Charger SepulvedaBlvd
Vinyl Wall Decal Electric Car Electrical Charging Station Vehicle Stickers Mural Large Decor (ig5368)
$21.99
Vinyl Wall Decal Electric Car Electrical Charging Station Vehicle Stickers Mural Large Decor (ig5368) WALLSTICKERS4EVER
Electric E-car Charging Station Electric Vehicle Drive CCS Combo 2 Supercharge eCars EV Electric Car Throw Pillow, 16x16, Multicolor
$24.99
Electric E-car Charging Station Electric Vehicle Drive CCS Combo 2 Supercharge eCars EV Electric Car Throw Pillow, 16x16, Multicolor Amazon.com
ESEWALAS 3Pcs Car Wax Applicator Pad,Microfiber Applicator Pad,Car Accessories Applicator Pads with Finger Pocket,4.95" Diameter Foam Applicator Pad for Car Truck Motorcycle Cleaning
$5.99 ($2.00 / Count)
ESEWALAS 3Pcs Car Wax Applicator Pad,Microfiber Applicator Pad,Car Accessories Applicator Pads with Finger Pocket,4.95" Diameter Foam Applicator Pad for Car Truck Motorcycle Cleaning Yvehicle
AIPOIL® Floor Mats & Cargo Liner Custom for 2022-2024 Mitsubishi Outlander PHEV (Not for Sport Models) 丨TPE All Weather Protection Anti-Slip Automotive Floor Liners丨Full Set Accessories, Black.
$119.00
AIPOIL® Floor Mats & Cargo Liner Custom for 2022-2024 Mitsubishi Outlander PHEV (Not for Sport Models) 丨TPE All Weather Protection Anti-Slip Automotive Floor Liners丨Full Set Accessories, Black. Yamaxuan
icykale 2 PCS Car Polishing Pad Cleaning Tool, 7.9" x 4.1" Cleaning Brush + 6.3" x 3.1" Polisher Composite Pad Wheel Cutter, Multi-function Portable Accessory, Compatible with Most Cars (Red)
$13.63
icykale 2 PCS Car Polishing Pad Cleaning Tool, 7.9" x 4.1" Cleaning Brush + 6.3" x 3.1" Polisher Composite Pad Wheel Cutter, Multi-function Portable Accessory, Compatible with Most Cars (Red) icykale-Auto-US
I Brake For Charging Stations, Electric Vehicle Owner Stainless Steel Insulated Tumbler
$20.99
I Brake For Charging Stations, Electric Vehicle Owner Stainless Steel Insulated Tumbler Amazon.com
HAFIDI Floor Mats & Cargo Liner for Mitsubishi Outlander PHEV 2023-2024 Custom Fit Full Set, All Weather Car Accessories
-5%
$113.51 $119.99
HAFIDI Floor Mats & Cargo Liner for Mitsubishi Outlander PHEV 2023-2024 Custom Fit Full Set, All Weather Car Accessories Dianyue
Kutyun Car Soldering Pliers, Electrical Disconnect Pliers, Wire Clamp Tool with Swivel Flat Band, Multi-Function Wire Welding Clamp, Pick‑Up Aid Plier Hand Tools Fits for Auto Maintenance Repairing
$7.99
Kutyun Car Soldering Pliers, Electrical Disconnect Pliers, Wire Clamp Tool with Swivel Flat Band, Multi-Function Wire Welding Clamp, Pick‑Up Aid Plier Hand Tools Fits for Auto Maintenance Repairing Kutyun
Auxko All Weather Floor Mats Fit for Mitsubishi Outlander 2022 2023 2024(Not phev or Sport) TPE Rubber Liners Outlander Accessories All Season Guard Odorless Anti-Slip Floor Mats 3 Row
-25%
$79.99 $106.29
Auxko All Weather Floor Mats Fit for Mitsubishi Outlander 2022 2023 2024(Not phev or Sport) TPE Rubber Liners Outlander Accessories All Season Guard Odorless Anti-Slip Floor Mats 3 Row Auxko
Binmotor-Floor Mats Cargo Liner Set 2023 2024 Mitsubishi Outlander PHEV(Not for Gas Models) 丨1st & 2nd Row & Rear Cargo Mat, All Weather Mats Outlander PHEV(Plug-in Hybrid Vehicle) Accessories
$135.00
Binmotor-Floor Mats Cargo Liner Set 2023 2024 Mitsubishi Outlander PHEV(Not for Gas Models) 丨1st & 2nd Row & Rear Cargo Mat, All Weather Mats Outlander PHEV(Plug-in Hybrid Vehicle) Accessories Binmotuo
Nilight TPE Floor Mats for Mitsubishi Outlander PHEV 2023 2024,All Weather Custom Fit Heavy Duty Floor Liners
-20%
$80.18 $99.99
Nilight TPE Floor Mats for Mitsubishi Outlander PHEV 2023 2024,All Weather Custom Fit Heavy Duty Floor Liners Amazon.com
xipoqix Cargo Liner Floor Mat Compatible with 22-24 Mitsubishi Outlander 7 Seat Back Seat Protector Cargo Mat Replacement for 22-24 Mitsubishi Outlander Accessories (Cargo Mat+Backrest Mat+Floor Mat)
$209.99
xipoqix Cargo Liner Floor Mat Compatible with 22-24 Mitsubishi Outlander 7 Seat Back Seat Protector Cargo Mat Replacement for 22-24 Mitsubishi Outlander Accessories (Cargo Mat+Backrest Mat+Floor Mat) xipoqix
I Brake For Charging Stations, Electric Vehicle Owner Stainless Steel Insulated Tumbler
$20.99
I Brake For Charging Stations, Electric Vehicle Owner Stainless Steel Insulated Tumbler Amazon.com
Reserved Parking EV Electrical Vehicle Only Charging Station Aluminum Metal 8"x12" Sign Plate
$10.39
Reserved Parking EV Electrical Vehicle Only Charging Station Aluminum Metal 8"x12" Sign Plate DYTRQW
SIGNCHAT Electric Vehicle Charging Station Ev Reserved Spot Notice Metal Poster Wall Art Decor Tin Sign 8X12 Inches
$9.85
SIGNCHAT Electric Vehicle Charging Station Ev Reserved Spot Notice Metal Poster Wall Art Decor Tin Sign 8X12 Inches DUFANGQIMAIYIFU
Augeny 2PCS Tire Dressing Applicator, Reusable Car Tire Shine Sponge Applicator Pad with Lid, Durable Foam Auto Wheel Detailing Applicator for Vehicle Waxing Polishing Cleaning (Yellow)
$6.29 ($3.14 / Count)
Augeny 2PCS Tire Dressing Applicator, Reusable Car Tire Shine Sponge Applicator Pad with Lid, Durable Foam Auto Wheel Detailing Applicator for Vehicle Waxing Polishing Cleaning (Yellow) Augeny
Dickno Tire Dressing Applicator, Car Tire Shine Dressing Applicator Pad with Lid, Auto Tire Wheel Waxing Polishing Sponge, Universal Wheel Shine Tool Accessories for Most Vehicles (Blue, Normal)
$4.49
Dickno Tire Dressing Applicator, Car Tire Shine Dressing Applicator Pad with Lid, Auto Tire Wheel Waxing Polishing Sponge, Universal Wheel Shine Tool Accessories for Most Vehicles (Blue, Normal) Dickno
Powerty Cargo Mat Custom Fit for Mitsubishi Outlander 2022-2024 Accessories Cargo Liner Behind 2nd Row Rear Trunk Mat (Not for PHEV or Sport Models)
-6%
$59.99 $63.99
Powerty Cargo Mat Custom Fit for Mitsubishi Outlander 2022-2024 Accessories Cargo Liner Behind 2nd Row Rear Trunk Mat (Not for PHEV or Sport Models) Powerty-US
Sylvil 5 PCS Tire Contour Dressing Applicator Pads, Car Polishing Sponge Wax Buffing Pads, Automotive Tire Dressing Shine Sponge for Car Glass, Painted Steel, Porcelain and More (Normal)
-13%
$3.49 ($0.70 / Count) $3.99 ($0.80 / Count)
Sylvil 5 PCS Tire Contour Dressing Applicator Pads, Car Polishing Sponge Wax Buffing Pads, Automotive Tire Dressing Shine Sponge for Car Glass, Painted Steel, Porcelain and More (Normal) Sylvil
icykale 5 PCS Car Felt Polishing Pad, 3" x 0.2" High Density Glass Polishing Tool for Repair Scratches Spot, Multi-Function Maintenance Accessory for Windshield Table, Universal for Cars Home (White)
$5.99
icykale 5 PCS Car Felt Polishing Pad, 3" x 0.2" High Density Glass Polishing Tool for Repair Scratches Spot, Multi-Function Maintenance Accessory for Windshield Table, Universal for Cars Home (White) icykale-Auto-US
Ziciner 4 PCS Wool Polishing Buffing Pad, Polishing Buffing Wheel for Drill Buffer Attached with M14 Drill Adapter, Universal Accessories for Car Motorcycle Refrigerator Furniture Glass (6 Inch)
-11%
$8.89 $9.99
Ziciner 4 PCS Wool Polishing Buffing Pad, Polishing Buffing Wheel for Drill Buffer Attached with M14 Drill Adapter, Universal Accessories for Car Motorcycle Refrigerator Furniture Glass (6 Inch) Ziciner
5/8"-11 Thread Angle Grinder Extension Shaft for Car Polisher,Angle Grinder Attachments Expand Connection of Buffering Pads and Angle Grinder,Universal Angle Grinder Extension
$6.77
5/8"-11 Thread Angle Grinder Extension Shaft for Car Polisher,Angle Grinder Attachments Expand Connection of Buffering Pads and Angle Grinder,Universal Angle Grinder Extension Jane Alexandre Dumas fils
Electric E-car Charging Station Electric Vehicle Supercharge-For E Driver EV Electric Car Throw Pillow, 16x16, Multicolor
$19.99
Electric E-car Charging Station Electric Vehicle Supercharge-For E Driver EV Electric Car Throw Pillow, 16x16, Multicolor Amazon.com
crysss Reserved Parking EV Electrical Vehicle Only Charging Station Aluminum Metal 8x12 inch Sign Plate
$10.90
crysss Reserved Parking EV Electrical Vehicle Only Charging Station Aluminum Metal 8x12 inch Sign Plate putianshilichengquzelibaihuoshanghang
ESEWALAS 12v USB Outlet, Quick Charge 3.0 Dual USB and PD USB C Socket Power Outlet with On Off Switch,12 Volt USB Charger Socket,Waterproof 12V/24V Fast Charge USB Port
$14.99 ($5.00 / Count)
ESEWALAS 12v USB Outlet, Quick Charge 3.0 Dual USB and PD USB C Socket Power Outlet with On Off Switch,12 Volt USB Charger Socket,Waterproof 12V/24V Fast Charge USB Port Yvehicle
Electric E-car Charging Station Electric Vehicle Drive CCS Combo 2 Supercharge eCars EV Electric Car Throw Pillow, 16x16, Multicolor
$24.99
Electric E-car Charging Station Electric Vehicle Drive CCS Combo 2 Supercharge eCars EV Electric Car Throw Pillow, 16x16, Multicolor Amazon.com
KUST All Weather Floor Mats for 2011-2021 Mitsubishi Outlander Accessories (Not fit for Outlander Sport or PHEV Models) Custom Fit Floor Liners 1st & 2nd Row Car Mats Black Non-Slip
$88.88
KUST All Weather Floor Mats for 2011-2021 Mitsubishi Outlander Accessories (Not fit for Outlander Sport or PHEV Models) Custom Fit Floor Liners 1st & 2nd Row Car Mats Black Non-Slip KUST JAPAN
Going to leave my alarm off tonight just to catch the villains out. They'll spend their time hacking my alarm to turn it off when it's off already...take that dastardly wifi hackers!
 
Apparently, the factory alarm does exist in the Dutch models, but it is disbled. The biggest concern now is that bad guys may turn it on accidentally or purposely, leaving us with an active alarm that we cannot turn off :lol:
 
I've just returned from my annual pilgrimage to the Information Security show at (Kensington) Olympia. Pen Test Partners (the ones who discovered the problem) were there using Outlanders (they had two, one outside and one on their stand) to promote their business - they're well regarded in the industry and have some good people. I had a chance to talk with their sales bods and also their tech experts.

So, the fundamental problem is that the password for the WiFi (the one that's printed inside the owner's manual) isn't long enough to withstand a 'brute force' attack (i.e. using a computer to try every possible combination). A fast PC will take a couple of days to crack it, and they say they're building a specialist rig that will reduce that time substantially - if you're prepared to pay for a few thousand pounds of 'cloud' resources from Amazon, it could be cracked in a few minutes. You can then use WiFi from a laptop to do anything the phone app can do, including turning off the alarm. Their argument was that you could then put it onto a low loader without the alarm sounding - I guess we all know that it wouldn't be quite as simple as that without a key to unlock the parking brake, but I'm not trying to argue that there isn't a real problem that Mitsubishi should be concerned about.

The good news (for us owners) is that they're now working with Mitsubishi on a fix and they say they've been down there to test the revised software and pronounced it 'very good' - when we're likely to see it (presumably as an update to the app) I don't know. They're also looking at and talking to other manufacturers and I don't think Mitsubishi are the 'worst' (most concerning) example they've found.
 
I was going to visit the security show at Olympia, but someone has gone on holiday, so instead I'm doing phone support.
During the day, I saw bits of the video so many times on BBC news 24, but I didn't link the timing of this to the timing of the show.

I guess lots of their potential customers would be the sort of people who would qualify for a PHEV as a company car, and I guess PTP will now be remember much more than the stand with the pretty girlie giving out nicer carrier bags with leaflets in.


Some people call me an "I.T. nerd" others are not so polite.
so I've downloaded a Linux distribution that has a load of hacking and penetration testing software on, just so I can see if I can hack into my car, and see what, if anything else can be done.
I'm not going to be spending thousands of pounds on cloud cracking stuff, so I'm just going to use a spare i5 laptop that I was going to give to one of my children.

The wording of the PTP video, and the BBC one, and the one on the daily mail and transport evolved make it sound so easy.
If I can't break in after a month, or the new version comes out, then I recon it's not as bad as they make it sound.

I wonder how long until there is an update from Mitsubishi?
Perhaps we could get them to fix a few other things at the same time?
Like when you set the timer to pre-heat in the morning, and it is still plugged in, then top the battery back up if you are still inside the timing window instead of using the battery and starting the day with a couple of miles missing!
 
jaapv said:
The last bit is battery protection. Topping up when it is nearly fully charged will impact battery life.
Click to expand...

Why do you think that is so?

I ask the question after many years of watching the charging characteristics of chargers used for admittedly much smaller battery packs for model aircraft but I believe the algorithms used much be pretty much the same irrespective of the size of the packs.

I would be surprised if any charge (other than the 80% capacity limited fast charge) is not a 'balanced' charge....that is the charging circuitry ensures that at the end of the charge all of the cells in the pack have the same or vey similar voltage.

in order to achieve this, when the charger is first connected and activate (by whatever means) it first analyses the battery pack condition including that of all the individual cells.

Charging will then progress according the findings from the previous exercise and if the entire pack is already (say) 80% full then charging will progress at a reduced rate compared with a pack that is 'empty' whilst the charging circuitry ensures that all of the cells in the pack arrive at roughly the same voltage when the pack is deemed to be fully charged.

I see from simply observing the behaviour of model charges that topping up, after initial analysis of the battery condition by the charger, results in very low charge rates when the battery pack is only partially discharged.

If the Outlander PHEV charging regime is less sophisticated than that of model vehicles I would be surprised and very disappointed.

I don't see what the problem is.

JimB
 
jaapv said:
The last bit is battery protection. Topping up when it is nearly fully charged will impact battery life.
Click to expand...
Don't you think battery life is equally impacted when you top it up from a much lower SOC? I am familiar with the recommendation to not top it up when it is near full, but I have always believed it is a matter of "weighing the pros and cons": do you really want to hit it again, even when you are not going to gain much SOC?

Apart from that, it does top up the battery after pre heating. As long as you are not using the timer. I can hardly imagine they purposely choose to only protect the battery against top up damage only when the charge timer is on.
 
Maybe this is a bit besides the point, but what I do not understand is how one can speed up the cracking process by hiring computing power in the cloud.

I would think that the challenge is not so much with generating codes to try out (as unlike bank account numbers, any code that you can think of is valid) but with testing the codes you have generated. And for this, you need a WiFi radio in reach of the AP you want to crack and the AP itself .... So, the bottleneck is IMHO not the code generation process, but the Wifi radios and the AP itself. What am I missing?
 
anko said:
Maybe this is a bit besides the point, but what I do not understand is how one can speed up the cracking process by hiring computing power in the cloud.

I would think that the challenge is not so much with generating codes to try out (as unlike bank account numbers, any code that you can think of is valid) but with testing the codes you have generated. And for this, you need a WiFi radio in reach of the AP you want to crack and the AP itself .... So, the bottleneck is IMHO not the code generation process, but the Wifi radios and the AP itself. What am I missing?
Click to expand...

As far as I am aware first the phone talking to the car is recorded via a sniffer. The cloud or whatever computing you wish to use then runs analysis to reverse engineer the passkey used for the WiFi. As the phone may connect arbitrary as soon as you enter the vehicle with the handset in your pocket, the sniffer can grab the info right then,

The reverse engineering can be done for pennies/free and practically instantly depending on the source of the computing power and how legitimately the computing was procured.

I would be very surprised if the car couldn't be unlocked and driven away via the appropriate WiFi command.
 
Okay, I think I get it. They grap the encrypted key sent by the phone and use brute force to find which (unencrypted) key generates that particular encrypted key. So, they don't need the AP to validate the generated key. Is that it?

But in that case, they first need to listen in on the traffic between the app and the car for every next car they want to hack. Right? I thought they were trying keys against the AP directly.

Also, I thought they listened in on the traffic, only to learn the protocol and command set.
 
anko said:
Okay, I think I get it. They grap the encrypted key sent by the phone and use brute force to find which (unencrypted) key generates that particular encrypted key. So, they don't need the AP to validate the generated key. Is that it?

But in that case, they first need to listen in on the traffic between the app and the car for every next car they want to hack. Right? I thought they were trying keys against the AP directly.

Also, I thought they listened in on the traffic, only to learn the protocol and command set.
Click to expand...
Yes, as I understand it.

Hopefully the WIFI keys are different :lol: so yes a different key for each car.

You could easily automate the whole thing, grab key, send off to cracking computer, have the response and key back in a few seconds.

Thinking further you could potentially take control of the vehicle whilst it's being driven, accelerate, brake, reduce power assistance to the steering, shut off the car etc.

Yeah I'm leaving my WIFI off till they fix the issue.
 
SolarBoy said:
Thinking further you could potentially take control of the vehicle whilst it's being driven, accelerate, brake, reduce power assistance to the steering, shut off the car etc.
Click to expand...
Have you looked at the electronics architecture of the car? The Wifi module is not connected to the CANBUS, but to the REMOTE ECU (which in turn is connected to the CANBUS). Chances are the WiFi module only allows you to do things that the REMOTE ECU was designed to do and nothing more. For the time being, and as far as we know, nobody has been able to do more than just that. Unless it was explicitly programmed to pass on CANBUS traffic, the REMOTE ECU would be a natural firewall.
 
Good question, the precedent was set by Jeep, https://blog.kaspersky.com/blackhat-jeep-cherokee-hack-explained/9493/

The 'air gap' between the wireless connection and the rest of the car was bypassed.

Sure it took the folks that found the Jeep issue ages to work it out, Mitsubishi have made it easier via the App which according to the chap on this forum has a ton of function available not implemented by the App's UI, so dead easy for an App developer to knock something up in a few days.
 

Share this page

Similar threads

B
Wifi Not Broadcasting & Charging Timer Not Functioning
Replies
5
Views
897
Phev2016
P
B
Wifi Not Broadcasting and the Charging Timer Not Functioning
Replies
0
Views
328
b4surani
B
Woon Chung
Battery life span will not be affected by PHEV mode selection?
Replies
4
Views
1K
Woon Chung
Woon Chung
L
Outlander Phev In-Depth Observations - Mike Mas
2 3 4
Replies
65
Views
15K
michael8554
M
D
Performing a DBCAM (battery calibration) using a ThinkCar OBD scanner, with screenshots (for PHEV up to 2022)
2 3
Replies
44
Views
8K
Daixiwen
D

Latest posts

Back
Top