Hacking the Mitsubishi Outlander PHEV hybrid
pentestpartners.com> So, we involved the BBC who helped us get their attention. Mitsubishi have since been very responsive to us! They are taking the issue very seriously at the highest levels.
So Mitsubishi apparently has no business process for reporting security issues but they are aware that security is important!
DISCLAIMER: I work for GM.
I was shocked to read that GM was the second major (first if you don't count Tesla as major) automaker to set up a responsible disclosure program. [1]
1. http://arstechnica.com/security/2016/01/gm-embraces-white-ha...
Except that GM pays zero dollars for their bug bounties, unlike Tesla:
Can you find me Toyota's bug bounty or responsible disclosure page? BMW? Mercedes? Ford? Any other major OEM?
I know that GM has done many bad things and done many things badly in the past, but it does seem that an old dog can learn new tricks.
Bounties not involving any compensation are indeed a kind of new trick.
Other than the PSK being too short, this isn't nearly as unreasonable an idea as the author makes it sound like. Honestly, do you really think a 24x7 internet connected car running all of it's remote access off a web service is going to be MORE secure than something that can only be accessed locally (+-100 yards) with a unique key? Give me a break...
Besides, it seems like a rather simple solution would be to simply allow owners to change the PSK for the AP in the car.
Here, false alarms from cars are so common most people have grown to just ignore them.
No need to disable the alarm; it is already largely useless for its intended purpose. :/
I think thieves don't want to take unneeded risks. Otherwise, no protection would make any sense and we could as well just leave the doors open. Even if 9 out of 10 times the alarm going off wouldn't be noticed, the remaining chance could still discourage some thieves and make them run away.
Actually that has happened once to my parents' car. The alarm saved the wheels. Thieves wanted to steal the wheels (not the whole car) and they managed to unscrew 3 of them when they accidentally activated the alarm and ran away. Funny, they left their car jack behind.
Anyway, it is a pity they didn't analyze the security level of the OBD2 interface and other systems connected to the ECU or CAN bus. I saw a few youtube videos of thieves stealing cars in a way they enter into a car and in a few minutes they just switch the engine on and drive away. From the outside, it really doesn't look suspicious - probably most people seeing this would not notice the car was being stolen. This shouldn't be that easy - there's certainly something wrong with the design of the factory anti-theft systems.
That's the difference between professional and amateur thieves. Professionals don't give a crap about the alarm because they would have all of the wheels off and gone before anybody could respond anyway.
"they would have all of the wheels off and gone before anybody could respond anyway."
I wouldn't be so sure about it. I heard stories (directly from friends, not only from the Internet) about thieves being stopped by a custom / non-standard / less known protection installed in a car. A thing that the thief does not know in advance and has to first figure out how to crack it. If the alarm goes off, it gives less time to crack the other security systems.
It's partly a bad UX choice by the automakers - as a user, the driver wants to lock their car when they get out. But the car will only let them do that if they arm the alarm with the same action, on 90% of all cars made in the last decade.
I see no problem with that. There's no scenario I can think of where I want the car locked but don't want the alarm engaged.
Part of the problem is just plain oversensitivity (alarms being set off by passing trucks and such), and part of it is bad design. For example, my alarm will go off if you close the trunk. That's completely nonsensical: when the car is secure, the truck will already be closed, and opening it would be the appropriate trigger. But it does mean that I occasionally set it off in my garage because I left the trunk open, locked the car, then came back and closed it.
FWIW there are times when you want to secure the car but have a mobile participant inside the car (and the car has interior sensors that detect movement). Pets and small children come to mind. There are cases (such as filling up at a petrol/gas station) where you want to secure them temporarily in the vehicle while paying but don't want movement setting it off.
4 letters + 6 digits PSK, roughly 39 bits of entropy, about 730 hours to exhaust the search space on a single GTX 970/R9 290X.
EDIT: I'm surprised it costs 1,000 GBP to cloud-hack a PSK of this length, considering there are lots of GPUs mining cryptocurrencies at about $0.15 an hour.
Per hour, the cloud is way more expensive than owning your own hardware.
I need to get in on this business :P
> Whilst we haven’t looked in detail at this, you may recall from a hack of some BMW vehicles which suggested that the OBD port could be used to code new keys for the car.
AFAIK, at least officially licensed BMW dealerships can do this, and the VW software (VAG COM) for car shops has leaked countless times.
As soon as you have access to the OBD port, all you need is either cracked dealer software or some low-paid dude with an interest in earning side money and keys to the dealership. Or, if you want to avoid people calling the cops on you, buy/steal a tow truck with a lift. No one will call the cops if they hear a thief alarm and a tow truck with flashing yellow lights - people will assume either the legit owner has a breakdown or, to up the game if you have another (stolen) car with blue lights, the cops are towing the vehicle.
So i first have to sit hours and wait until someone that has their phone setup to connect to that wifi comes along so i can sniff the hashed keys. I start cracking the password, and after a few hours goes by i can finally get in to the car and somehow use a security bug that is accessible from the odb port to add a new key. Then drive of.
The hole thing is kind of meh.
Driving away in someone's car isn't always why someone might want to break into it. Someone with enough technical knowledge combined with a mental state compelling them to obsess over a victim could be a scenario where this is an issue.
Welcome to the glorious Internet of Things where security is an afterthought (or barely thought about).
This model isn't internet-connected at all.