Mitsubishi Outlander PHEV at risk of hacking

Security experts showed how hackers and thieves can exploit a weakness in the Mitsubishi Outlander PHEV's Wi-Fi system to disarm the alarm

The Mitsubishi Outlander PHEV, the UK's best-selling plug-in electric car, has become the latest car shown to be susceptible to hacking, after weaknesses in the car's on-board Wi-Fi security allowed researchers to turn off its security alarm.

Security expert Ken Munro and his colleagues at security firm Pen Test Partners began investigating the Outlander PHEV after Munro noticed that the mobile app used to communicate with the car had an unusual characteristic.

Most mobile apps use a GSM module to communicate between the car and the mobile phone, but the Outlander PHEV does without one. Instead, the Mitsubishi has a wireless access point on board the car, which means it can be talked to directly.

Munro then realised that the Wi-Fi password can be easily cracked. He said: “The password is not long enough. The format is four lower cases, plus six numeric digits. That just isn’t enough.” On a relatively slow cracking rig, it took Munro and his team just four days to crack the password key. With top-notch software the key can be accessed within a day.
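The keyspace arithmetic behind the "not long enough" remark, as an added example that is not from the article or from Pen Test Partners. It assumes the four-day figure corresponds to a full exhaustive search of the quoted format; the format notation and function names are this example's own.

```python
import math

# Per-position character classes (notation is this example's own):
# l = lowercase, u = uppercase, d = digit, s = other printable ASCII (incl. space)
CLASS_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33}
SECONDS_PER_DAY = 86_400

# Format quoted in the article: four lowercase letters plus six digits.
OUTLANDER_FMT = "l" * 4 + "d" * 6


def keyspace(fmt: str) -> int:
    """Candidate keys when the per-position format is known, as it is here."""
    total = 1
    for ch in fmt:
        total *= CLASS_SIZES[ch]
    return total


def entropy_bits(fmt: str) -> float:
    """Effective key strength in bits for a known format."""
    return math.log2(keyspace(fmt))


def implied_rate(fmt: str, days: float) -> float:
    """Guesses per second needed to cover the whole keyspace in `days`."""
    return keyspace(fmt) / (days * SECONDS_PER_DAY)


def days_to_exhaust(fmt: str, rate: float) -> float:
    """Days to cover the whole keyspace at `rate` guesses per second."""
    return keyspace(fmt) / rate / SECONDS_PER_DAY


def min_random_length(alphabet: int, rate: float, target_days: float) -> int:
    """Shortest uniformly random key over `alphabet` symbols whose keyspace
    cannot be covered within `target_days` at `rate` guesses per second."""
    needed = rate * target_days * SECONDS_PER_DAY
    length = 1
    while alphabet ** length < needed:
        length += 1
    return length


if __name__ == "__main__":
    rate = implied_rate(OUTLANDER_FMT, 4)  # assumption: 4 days = full search
    print(f"keyspace {keyspace(OUTLANDER_FMT):,} = {entropy_bits(OUTLANDER_FMT):.1f} bits")
    print(f"implied rig speed: {rate:,.0f} guesses/s")
    print(f"same format on a 1000x faster rig: {days_to_exhaust(OUTLANDER_FMT, rate * 1000) * 24:.2f} hours")
    print(f"random alphanumeric length for 100 years at 1000x: {min_random_length(62, rate * 1000, 36_500)}")
```

The fixed format yields under 39 bits, so key length and randomness, not the secrecy of the format, are what a vendor would need to change.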

Munro then checked whether there was any further security between the phone and the Wi-Fi access point beyond the key. He said: “We listened to look at the traffic going between the car and the device, and discovered a relatively simple binary protocol that was incredibly straightforward to understand and reverse engineer.”

This allowed Munro to communicate with the car directly, and gave him control of functions like lights and air-conditioning, and more worryingly, access to the charging and security status. Munro was able to turn off the car’s alarm and disconnect it from charging, showing how potential perps could break into the car and drive away with it. 

A short-term fix exists, according to Munro. He advises owners first to unpair all mobile devices that have been connected to the car's access point. Then, using the app, they should go to 'Settings' and select 'Cancel VIN registration', which effectively puts the device to sleep. A long-term fix would require intervention from Mitsubishi.

Mitsubishi has since said it has taken the “matter seriously”. It also pointed out that the hack affects the car's app and gives hackers limited access: “It should be noted that without the remote control device, the car cannot be started and driven away.”
