IoT World Today

Although car hacking is not a widespread problem now, cybersecurity of cars is bound to grow in importance.

5 Things You Can Learn from the Hack of a Mitsubishi Hybrid

Each high-profile hack of a car—whether it be a Jeep, Tesla, Nissan, or Mitsubishi vehicle—teaches us something about the design practices to avoid, and to embrace, when developing connected products.
  • Written by Brian Buntz
  • 9th June 2016

The Mitsubishi Outlander plug-in hybrid electric SUV won’t hit the U.S. market until the fall, but already the car is raising eyebrows after a British security expert named Ken Munro of Pen Test Partners managed to take control of many functions of the Outlander PHEV with a computer and a wireless antenna. Mitsubishi is working on a fix to the problem.

One of the main vulnerabilities of the car, reportedly the world's first 4×4 plug-in hybrid SUV, is its use of WiFi to enable users to perform functions like unlocking doors, adjusting the thermostat, and setting a timer for the plug-in charging with a corresponding app. Although a WiFi password is required for this, Munro said that it would be relatively easy to crack as there essentially is no other security between the phone and the WiFi access point. After performing a man-in-the-middle attack, Munro was able to assume control over the air conditioner, as well as the headlights, theft alarm, and other car functions.

According to David Miller, Chief Security Officer of cloud company Covisint (pictured), which was founded by a consortium of carmakers, several things can be learned from this hack. We’ve summarized his thoughts into five basic principles below.

1. Don’t Use WiFi to Control Car Functions

The method by which the phone connects to the vehicle is the biggest architectural vulnerability. Mitsubishi installed a WiFi hotspot in the car just like you would have in your house. When you get close enough to your vehicle, your phone will pair with your vehicle. It's just like when you walk into your house, and it says: ‘Oh, look, WiFi.’ That is inherently insecure. I don’t care if you have a long SSID and password.

I can think of a lot of reasons why using WiFi in this way can cause problems—not all of which have to do with security. For example, say I parked in my driveway or garage. If my car is on, my phone now is competing between whether it connects to the WiFi in the house or car. You can only connect to one. Since my car doesn’t have Internet connectivity, then I can’t go online if I log into the car’s WiFi hotspot. You also could have the opposite scenario: You could be in your house and see your smartphone trying to connect to your vehicle. I also don’t know how it works if somebody brings a WiFi hotspot into the vehicle. This approach has inherent difficulties because it was not the way in which WiFi was designed to be used.

I bet you most people would end up turning this off because it would annoy them.

Just think about it: If your phone is set up to connect automatically and you go into a restaurant with really bad WiFi, the second you walk in you lose your Internet connection. So you turn off your WiFi and get back on 4G because it is faster. That scenario would play out every time you get close to your car.

2. Don’t Give Control of a Car (or Device) to Just Anyone Who Connects to It

Mitsubishi was assuming that the network is secure. This vehicle is a network endpoint, and the assumption was that, if you can get on the network, you must be okay. That is the fundamental flaw. The assumption should always be that the network is completely insecure and can easily be hacked and that you should, therefore, use another method to get permissions.

In general, security vulnerabilities have less to do with how you connect and more to do with how you authenticate after you connect. In the Mitsubishi example, a security professional was able to control several functions after connecting to the network. But being on the network alone should give you no rights at all. When you connect to the car, you shouldn’t be able to do anything until you have proven who you are.

3. Don’t Make Authentication Too Easy

An easy fix for Mitsubishi would be to require users to go through a process to register their phone and then download some token that determines whether he or she has permission to start the car or perform other actions. After the phone pairs with the car, it could query the phone to say: “If you provide me with this token, the car would be set up to validate it.” At least then, only your phone could hack into it. If someone steals and unlocks your phone, that person could control your car but, on the other hand, they could accomplish the same thing by simply taking your keys.

The technical method of getting permissions can be tokens. It is like the ticket you get to go to the Super Bowl. When I walk up to the stadium, the guy who is behind the turnstile doesn’t recognize me. The fact that I got there doesn’t mean that I should be allowed in. The only thing that gets me in is this piece of paper with a hologram on it. I got that ticket in a whole different but secure way. In the case of computer security, the token is encrypted and signed using security developed to protect banking organizations.

We believe in this issue of a permissions/response model. Wherever an action occurs, you have to go out to a third-party cloud service to ask authorization to be able to do something. You go out and say: “Is it OK for me to start the car?” And the cloud can authenticate or use your phone’s ID to make sure it is the right device and then hand you an action token that you present to the vehicle.
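The permission/response model described above, as an added example that is not from the article or from Covisint: a cloud service checks that the phone is registered and issues a short-lived action token, and the vehicle accepts a command only with a valid token. All names and values are hypothetical, and HMAC-SHA256 with a per-vehicle key stands in for the signing scheme, which the article does not specify (an asymmetric signature would let the vehicle hold only a public key).

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo values; every name here is hypothetical.
VEHICLE_KEY = secrets.token_bytes(32)          # provisioned to cloud and car
REGISTERED = {"VIN-DEMO-0001": {"phone-abc"}}  # vehicle -> enrolled phone IDs

def _sign(body: bytes, key: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()

def cloud_issue_token(vehicle, device, action, key=VEHICLE_KEY, ttl=30, now=None):
    """Cloud side: authorize the device, then mint a short-lived action token."""
    if device not in REGISTERED.get(vehicle, set()):
        raise PermissionError("device not registered for this vehicle")
    now = time.time() if now is None else now
    claims = {"veh": vehicle, "dev": device, "act": action,
              "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    enc = base64.urlsafe_b64encode
    return enc(body).decode() + "." + enc(_sign(body, key)).decode()

class Vehicle:
    """Car side: being on the network grants nothing; only a valid token does."""
    def __init__(self, vin, key):
        self.vin, self.key, self.seen = vin, key, set()

    def handle(self, action, token, now=None):
        now = time.time() if now is None else now
        try:
            b64_body, b64_sig = token.split(".")
            body = base64.urlsafe_b64decode(b64_body)
            sig = base64.urlsafe_b64decode(b64_sig)
        except (ValueError, AttributeError):
            return "denied: malformed token"
        # Verify the signature before trusting any field of the token.
        if not hmac.compare_digest(sig, _sign(body, self.key)):
            return "denied: bad signature"
        claims = json.loads(body)
        # The token is bound to one vehicle and one action.
        if claims["veh"] != self.vin or claims["act"] != action:
            return "denied: token not valid for this vehicle/action"
        if now > claims["exp"]:
            return "denied: expired"
        if claims["jti"] in self.seen:   # a captured token cannot be reused
            return "denied: replayed"
        self.seen.add(claims["jti"])
        return f"ok: {action}"
```

A client that has only joined the car's network and sends a command with no token, a forged token, or a captured one is refused at each of these checks.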

4. Don’t Panic about Car Hacking 

I think we shouldn’t freak out about the security of connected vehicles. It is not a doomsday scenario. Honestly, if you want to steal my car, I can think of at least 50 ways that are easier than trying to crack the network connection and doing all of the goofy things that I see these security experts do. A hammer is a hell of a lot cheaper than one of these devices that cracks passwords.

If the OEMs wanted to manufacture a vehicle that is 100% safe in a crash, they could, but it might cost $1 million. There is a tradeoff. I don’t think people like hearing about it, but that same tradeoff is made with security.

I guarantee you that the U.S. president’s limousine is not a connected vehicle. I bet you can’t remote start it or unlock it. That is because the president is a special case. Somebody would certainly work very hard to take control of the president’s motorcade. I am not as worried about the average person.

5. But Don’t Write Off Security Either

Just because hacking connected cars is not a widespread problem now doesn’t mean that cybersecurity should be ignored. We have to think about the future of these vehicles. They are going to be out there for years. And we have to be able to understand and talk about what the future of that is.

If you asked me about Internet security 20 years ago, I'd say that it really wasn’t a problem. When the Internet was first coming out, it was standard TCP/IP. It wasn’t built for things like Web banking. But the architecture that was created 20 years ago is the architecture we live with today. Many of the problems we have today on the Internet are because of the fact that the base infrastructure was never designed to be secure. The designers of TCP/IP believed that the Internet would be a connection between trusted endpoints. They thought it was going to be universities that were online. We have bolted things on top like SSL and other things on top of an inherently open network.

We are going to live with the architecture that is being built today in these vehicles for 20 or 30 years. And, in 20 or 30 years, when perhaps we have semi-autonomous vehicles that are driving around where people aren’t having to look at the road and where we transact business through our vehicles, we are going to find problems and find we are going to have to bolt security on top of that, too.

Copyright © 2022 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.