Mitsubishi Outlander PHEV at risk of hacking

Security experts showed how hackers and thieves can exploit a weakness in the Mitsubishi Outlander PHEV's Wi-Fi system to disarm the alarm

Mitsubishi Outlander PHEV - front

The Mitsubishi Outlander PHEV - UK's best selling plug-in electric car - has become the latest car susceptible to hacking, after weaknesses in the car's on-board Wi-Fi security allowed researchers to turn off security alarms.

Security expert Ken Munro and his colleagues at Pent Test Partners security firm began investigating the Outlander PHEV after Munro noticed the mobile app used to communicate with the car had an unusual characteristic.

Most mobile apps use a GSN module to communicate between the car and the mobile phone, but the Outlander PHEV does without one. Instead, the Mitsubishi has a wireless access point on-board the car, which means it can be talked to directly.

Munro then realised the password to the Wi-Fi key can be easily cracked. He said: “The password is not long enough. The format is four lower cases, plus six numeric digits. That just isn’t enough.” On a relatively slow cracking rig, it took Munro and his team just four days to crack the password key. With top notch software the key can be accessed within a day. 

Munro then looked if there was any more security between phone and the Wi-Fi access point other than the key. He said: “ We listened to look at the traffic going between the car and the device, and discovered a relatively simple binary protocol that was incredibly straightforward to understand and reverse engineer.”

This allowed Munro to communicate with the car directly, and gave him control of functions like lights and air-conditioning, and more worryingly, access to the charging and security status. Munro was able to turn off the car’s alarm and disconnect it from charging, showing how potential perps could break into the car and drive away with it. 

A short-term fix exists, according to Munro. He advises to first unpair all mobile devices that have been connected with the car's access point. Then, using the app, he advises users to go to 'Settings' and select 'Cancel VIN registration', to effectively put the device to sleep. A long-term fix would require intervention from Mitsubishi. 

Mitsubishi has since said it has taken the “matter seriously". It also pointed out that the hack affects the car's app and gives hackers limited access: “It should be noted that without the remote control device, the car cannot be started and driven away." 

Are you worried about car hackers? Tell us in the comments below...

Recommended

Killer drivers will face life sentences from 2021
Speed camera accident
Consumer news

Killer drivers will face life sentences from 2021

Government promises to introduce legislation to reform sentencing for drivers who cause death or serious injury next year
14 Sep 2020
Over half of drivers break 30mph limits
Increased speed limits helps to cut accidents
Consumer news

Over half of drivers break 30mph limits

Official figures show drivers are most likely to break 30mph limits, closely followed by 70mph motorway limits
9 Sep 2020
Driving licence validity extended for 11 months
News

Driving licence validity extended for 11 months

Move follows seven-month extension announced in June; photocard licences expiring between 1 February and 31 December 2020 get automatic 11-month exten…
1 Sep 2020
Private parking firms face Government crackdown
UK’s parking ticket lottery
Consumer news

Private parking firms face Government crackdown

New proposals will introduce a cap on fines, a 10-minute grace period, major and minor offences, plus increased maximum fines
1 Sep 2020

Most Popular

Energy firms want the right to switch off electric cars charging at home
Electric cars

Energy firms want the right to switch off electric cars charging at home

New powers being sought to allow energy providers to turn off high-drain devices to manage electricity network
18 Sep 2020
How green are electric cars? Polestar data shows ICE trailing EV
News

How green are electric cars? Polestar data shows ICE trailing EV

Electric car maker reveals whole-life CO2 emissions of the Polestar 2 are better than a petrol XC40 - but EV is only 14% cleaner with global energy mi…
17 Sep 2020
New Rolls-Royce Ghost 2020 review
Rolls-Royce Ghost

New Rolls-Royce Ghost 2020 review

The all-new luxury Rolls-Royce Ghost saloon brings new levels of refinement
18 Sep 2020