Mitsubishi Outlander PHEV at risk of hacking

Security experts showed how hackers and thieves can exploit a weakness in the Mitsubishi Outlander PHEV's Wi-Fi system to disarm the alarm


The Mitsubishi Outlander PHEV, the UK's best-selling plug-in electric car, has become the latest car shown to be susceptible to hacking, after weaknesses in its on-board Wi-Fi security allowed researchers to turn off the security alarm.

Security expert Ken Munro and his colleagues at security firm Pen Test Partners began investigating the Outlander PHEV after Munro noticed that the mobile app used to communicate with the car had an unusual characteristic.

Most mobile apps use a GSM module to communicate between the car and the mobile phone, but the Outlander PHEV does without one. Instead, the Mitsubishi has a wireless access point on board, which means any device within Wi-Fi range can talk to the car directly.

Munro then realised that the access point's Wi-Fi key can be easily cracked. He said: “The password is not long enough. The format is four lower cases, plus six numeric digits. That just isn’t enough.” On a relatively slow cracking rig, it took Munro and his team just four days to crack the key. With top-notch software, the key can be recovered within a day.
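To put the quoted key format in numbers, the following added example (not code from Pen Test Partners or Mitsubishi) computes the keyspace and entropy of a fixed-position key format and the key length a replacement would need. The one-letter class codes are notation invented here, the letters-then-digits order is an assumption, and the four-day figure is treated as the time to try every key.

```python
import math

# Sizes of printable-ASCII character classes. The one-letter class codes are
# notation made up for this example, not taken from any tool.
CLASS_SIZES = {"l": 26, "u": 26, "d": 10, "s": 32, "a": 94}

def keyspace(mask: str) -> int:
    """Count the keys that match a fixed-position mask such as 'lllldddddd'."""
    total = 1
    for code in mask:
        if code not in CLASS_SIZES:
            raise ValueError(f"unknown class code: {code!r}")
        total *= CLASS_SIZES[code]
    return total

def entropy_bits(mask: str) -> float:
    """Entropy in bits of a uniformly random key drawn from the mask."""
    return math.log2(keyspace(mask))

def implied_rate(mask: str, days: float) -> float:
    """Guesses per second needed to try every key within the given time."""
    return keyspace(mask) / (days * 86_400)

def days_to_exhaust(mask: str, guesses_per_second: float) -> float:
    """Worst-case days to try every key at a given guess rate."""
    return keyspace(mask) / guesses_per_second / 86_400

def min_length(code: str, target_bits: float) -> int:
    """Shortest random key over one class that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(CLASS_SIZES[code]))

# Format quoted in the article: four lowercase letters plus six digits.
# Letters-then-digits order is an assumption; the count is the same either way.
OUTLANDER_MASK = "llll" + "dddddd"

if __name__ == "__main__":
    rate = implied_rate(OUTLANDER_MASK, days=4)
    print(f"keyspace           : {keyspace(OUTLANDER_MASK):,} keys")
    print(f"entropy            : {entropy_bits(OUTLANDER_MASK):.1f} bits")
    print(f"rate for 4 days    : {rate:,.0f} guesses/s")
    print(f"days at 4x the rate: {days_to_exhaust(OUTLANDER_MASK, 4 * rate):.1f}")
    print(f"10 random printable: {entropy_bits('a' * 10):.1f} bits")
    print(f"length for 128 bits: {min_length('a', 128)} printable characters")
```

The roughly 39 bits of entropy is the whole margin between an attacker in Wi-Fi range and the car's control protocol, which is why a longer, fully random key is the property a vendor fix would need to provide.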

Munro then checked whether there was any security between the phone and the Wi-Fi access point beyond the key. He said: “We listened to look at the traffic going between the car and the device, and discovered a relatively simple binary protocol that was incredibly straightforward to understand and reverse engineer.”

This allowed Munro to communicate with the car directly, and gave him control of functions like lights and air-conditioning and, more worryingly, access to the charging and security status. Munro was able to turn off the car’s alarm and disconnect it from charging, showing how potential perps could break into the car and drive away with it.

A short-term fix exists, according to Munro. He advises owners first to unpair all mobile devices that have been connected to the car's access point. Then, using the app, they should go to 'Settings' and select 'Cancel VIN registration', which effectively puts the car's Wi-Fi module to sleep. A long-term fix would require intervention from Mitsubishi.

Mitsubishi has since said it has taken the “matter seriously”. It also pointed out that the hack affects the car's app and gives hackers limited access: “It should be noted that without the remote control device, the car cannot be started and driven away.”
