r00t advisory [ Mitsubishi Eclipse ] [ Dec 10 1997 ]

-- Platform:    Mitsubishi Vehicles
                  This exploit has been confirmed on '97 Spyder GS-T.
                  It is likely to exist on all Mitsubishi Eclipse vehicles
                  with the system installed.  
                  Other platforms have not been tested for this vulnerability.

-- Program:     Remote keyless entry system

-- Info:        Mitsubishi has been notified of the problem.  
                A car sales representative noted in response to this
                security hole "ok, don't do that then". 
                We have been unable to contact the vehicle security 
                representative for Mitsubishi.

-- Synopsis:    A race condition exists in the remote keyless entry system
                that can result in a denial of service attack being performed
                against the vehicle.  This vulnerability allows any user
                of the vehicle (ie passenger) to prevent remote access to
                the machine by the admin (ie driver).
   
-- Exploit:     The problem that is being exploited here is that the door
                locking mechanism prevents the door from being opened at
                an earlier point in the process of a door being closed
                than the point that the keyless entry mechanism is
                enabled.

                When logging out of the vehicle, lock the doors on inside
                using the traditional door locking mechanism.  Proceed to
                slowly close one of the doors until the locking mechanism
                triggers, but stop immediately at that point.  You will
                note that the door is now successfully locked and can not
                be opened or closed further.  

                The keyless entry system will not function, and a remote
                administrator with only keyless entry capabilities will
                be unable to access the vehicle.              
 
-- Fixes:       There are no known fixes to this problem at the moment. 
                Once exploited, the admin must reset the entry system
                manually using their private key.


r00t -- owning the world, one person at a time.
http://www.r00t.org