Mitsubishi Outlander PHEV at risk of hacking

Security experts showed how hackers and thieves can exploit a weakness in the Mitsubishi Outlander PHEV's Wi-Fi system to disarm the alarm

Mitsubishi Outlander PHEV - front

The Mitsubishi Outlander PHEV - UK's best selling plug-in electric car - has become the latest car susceptible to hacking, after weaknesses in the car's on-board Wi-Fi security allowed researchers to turn off security alarms.

Security expert Ken Munro and his colleagues at Pent Test Partners security firm began investigating the Outlander PHEV after Munro noticed the mobile app used to communicate with the car had an unusual characteristic.

Most mobile apps use a GSN module to communicate between the car and the mobile phone, but the Outlander PHEV does without one. Instead, the Mitsubishi has a wireless access point on-board the car, which means it can be talked to directly.

Munro then realised the password to the Wi-Fi key can be easily cracked. He said: “The password is not long enough. The format is four lower cases, plus six numeric digits. That just isn’t enough.” On a relatively slow cracking rig, it took Munro and his team just four days to crack the password key. With top notch software the key can be accessed within a day. 

Munro then looked if there was any more security between phone and the Wi-Fi access point other than the key. He said: “ We listened to look at the traffic going between the car and the device, and discovered a relatively simple binary protocol that was incredibly straightforward to understand and reverse engineer.”

This allowed Munro to communicate with the car directly, and gave him control of functions like lights and air-conditioning, and more worryingly, access to the charging and security status. Munro was able to turn off the car’s alarm and disconnect it from charging, showing how potential perps could break into the car and drive away with it. 

A short-term fix exists, according to Munro. He advises to first unpair all mobile devices that have been connected with the car's access point. Then, using the app, he advises users to go to 'Settings' and select 'Cancel VIN registration', to effectively put the device to sleep. A long-term fix would require intervention from Mitsubishi. 

Mitsubishi has since said it has taken the “matter seriously". It also pointed out that the hack affects the car's app and gives hackers limited access: “It should be noted that without the remote control device, the car cannot be started and driven away." 

Are you worried about car hackers? Tell us in the comments below...

Recommended

Plenty of UK car buyers still love a new car number plate
Volkswagen ID.7 - tailgate
News

Plenty of UK car buyers still love a new car number plate

Is a new number plate still the status symbol it once was? Our exclusive poll suggests that car buyers do care
24 Feb 2024
UK road maintenance work slashed by almost half in five years
Road resurfacing
News

UK road maintenance work slashed by almost half in five years

Council road repairs are down by 45 per cent compared to 2017/18, the latest data shows
24 Feb 2024
6,600 arrested in police annual drug and drink driving purge
Drink driving
News

6,600 arrested in police annual drug and drink driving purge

The Police ‘Op Limit’ campaign over xmas 2023 resulted in 6,616 arrests, with 14 per cent of over 50,000 tests showing positive results
22 Feb 2024
Banned car number plates: the 24-reg numbers too rude for the roads
Number plates
News

Banned car number plates: the 24-reg numbers too rude for the roads

The DVLA has revealed its list of new-for-2024 number plates judged too saucy for the streets, and there are plenty of potential shockers on the banne…
21 Feb 2024

Most Popular

New MG3 hopes to disrupt the Renault Clio and Vauxhall Corsa’s supermini dominance
MG3 on Geneva Motor Show stand - front
News

New MG3 hopes to disrupt the Renault Clio and Vauxhall Corsa’s supermini dominance

New MG3 features the company’s first full-hybrid powertrain; pricing to be announced in March
26 Feb 2024
New Renault 4 will go 4x4 to get ahead in the baby EV SUV class
Renault 4EVER concept car in 1962 4L paint - front 3/4 static
News

New Renault 4 will go 4x4 to get ahead in the baby EV SUV class

The forthcoming Renault 4 is likely to offer a four-wheel-drive option, helping it to stand out in the market for baby all-electric SUVs
27 Feb 2024
Dacia heads for VW Golf and Ford Focus territory with new C-Neo that’s definitely ‘not an SUV’
Dacia badge
News

Dacia heads for VW Golf and Ford Focus territory with new C-Neo that’s definitely ‘not an SUV’

As big names vacate the traditional C-segment, Dacia sees an opportunity for its new petrol family car
27 Feb 2024