By hacking into a Mitsubishi Outlander, a British tech firm has added new concerns about automotive cybersecurity. Pen Test Partners was able to use a built-in diagnostics port to gain access to the computer control system on a plug-in hybrid version of the Japanese SUV.
The news comes barely a year after another security firm showed it possible to hack into a Jeep, demonstrating the risk by remotely driving the vehicle into a ditch. That forced Fiat Chrysler Automobiles to order a recall of 1.4 million vehicles to patch a software vulnerability in its vehicles.
Cybersecurity is becoming one of the auto industry’s biggest concerns, warned Mark Rosekind, head of the National Highway Traffic Safety Administration, a concern echoed in a report by the FBI earlier this year that motor vehicles are “increasingly vulnerable” to hackers. The agency warned “appropriate steps” are needed to “minimize risk.”
Among other things, Pen Test Partners was able to access and shut off the mobile alarm system on the new 2017 Mitsubishi Outlander PHEV.
“Once unlocked, there is potential for many more attacks,” read a report on the Pen Test Partners site. “The on-board diagnostics port is accessible once the door is unlocked.”
In the wake of the attack – which was done by the security firm to test the car’s vulnerability – Mitsubishi has issued a warning to owners to disable the Outlander’s onboard WiFi system. It says it is now working to upgrade the car’s firmware.
The issue of cybersecurity was long on the auto industry’s back burner. But it has become a major issue as manufacturers add more and more high-tech features, such as remote start and vehicle locking, infotainment systems and onboard WiFi.
At the debut of the new 2017 Audi A5, for example, Dietmar Voggenreiter, the maker’s board member for sales and marketing, suggested the new sedan “is the future mobile device.”
(FBI warns motor vehicles increasingly vulnerable to hacking. For more, Click Here.)
The real concern comes with the advent of autonomous vehicle technology that could potentially allow a hacker to gain complete control of a car, possibly causing it to run out of control or sending it to an unexpected destination.
Not all automakers have yet embraced the need to step up their cybersecurity efforts, some experts have warned. And in a posting on its website, Pen Test pointed a finger at Mitsubishi, saying it was slow to recognize the potential problem the British tech firm had identified.
“Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest. We were a bit stumped at this point: As so often happens, the vendor takes no interest and public disclosure becomes an ethical dilemma,” Pen Test’s post said.
The firm said Mitsubishi became “very responsive” once a report on the hacking was reported by the BBC.
One of the challenges for automakers and security firms is finding ways to plug all the potential entry points into a vehicle while letting legitimate traffic get past security gates. Today’s vehicles may have satellite connections, WiFi, cellular links and other entry points that can even include the wireless communications system used to monitor tire pressure.
(Click Here for details about why Nissan had to disable the Leaf’s smartphone app.)
“You’re providing more services and more access,” Saar Dickman, head of Israeli cybersecurity firm TowerSec, which was recently acquired by global tech firm Harman International. “You want to embrace innovation, but you have to understand the risks that come with it.”
In the next few years, several automakers plan to add connected car technologies that will allow vehicles to talk to one another, as well as a highway infrastructure. That will help manage traffic and prevent crashes, but could add another access point for hackers, experts warn.
Another challenge is that it will be harder to use conventional anti-viral systems in a car than with a computer, tablet or smartphone, said TowerSec’s Dickman in an interview with TheDetroitBureau.com.
Automakers are looking to enable the same sort of wireless updates used on more traditional consumer electronics devices. They also are exploring alternative security systems, such as one that would recognize when a vehicle’s operating system was corrupted and default back to the original factory settings.
Mitsubishi is just the latest in a series of automakers forced to update its vehicles to solve a cybersecurity issue. Along with the Jeep recall, BMW and its Mini and Rolls-Royce brands had to recall 2.2 million vehicles in February 2015, and Nissan earlier this year had to disable a smartphone app for its Leaf battery-car when another security firm showed it could be used to access the vehicle.
(Terrorists could use autonomous vehicles as car bombs, expert warns. For more, Click Here.)
Most experts anticipate other automakers will prove vulnerable, as well.