Mitsubishi Outlander PHEV wi-fi security weakness

Electronic security experts have found a weakness in the wi-fi-linked alarm system of the Mitsubishi Outlander PHEV, which could be exploited by determined thieves.

Security expert Ken Monroe chanced upon a wi-fi access point on his mobile phone, which was found to belong to a Mitsubishi Outlander parked nearby. The owner of the car, a friend of Monroe, demonstrated the car’s remote access app on his mobile phone, which is listed on the Mitsubishi website and available for Mitsubishi owners to download from mobile application websites.

Worried about a potential vulnerability, Mr Munroe, who works for electronic security consultants Pen Test Partners, bought an Outlander PHEV for further examination and soon found that the way the car’s systems communicate with the owner’s smartphone is different to many other cars.

Similar systems from other manufacturers use an online service that passes data from a mobile phone through a secure server before it’s received by the car. The Mitsubishi Outlander PHEV is different, communicating directly with the mobile phone via its on-board wi-fi system.

Mr Munro was initially concerned that the name of the access point for each of these vehicles was very distinctive and would be easily identified on a website that gathers the identities of wi-fi hotspots. This could mean cars of interest being easily located by thieves.

[[{"type":"media","view_mode":"content_full_width","fid":"71751","attributes":{"alt":"","class":"media-image","height":"414","typeof":"foaf:Image","width":"620"}}]]

Writing on the Pen Test Partners website, David Lodge said: “The wi-fi pre-shared key is written on a piece of paper included in the owner’s manual. The format is too simple and too short”. Within four days, the key was hacked using technology available to hackers.

By analysing the way the car communicated with the smartphone, it was possible to replicate the commands that operate various functions on the car, including the lights and air-conditioning.

Mr Munro and his team were then shocked to find that they could also deactivate the alarm. On their website, Mr Lodge wrote: “This is shocking and should not be possible.”

A determined thief or organisation with access to the right equipment would find it much easier to get into the car if they knew that the alarm was deactivated. Mr Lodge continued: “We involved the BBC, who helped us get their attention. Mitsubishi have since been very responsive to us. They’re taking the issue very seriously at the highest levels. A medium-term fix is being worked on now.”

In a statement reported by the BBC, Mitsubishi said: "This hacking is a first for us, as no other has been reported anywhere else in the world. It should be noted that without the remote-control device, the car cannot be started and driven away."

Until these issues have been investigated, Mitsubishi and Pen Test Partnership recommend that owners of Mitsubishi Outlander PHEVs disconnect their car from their smartphone using the "cancel VIN Registration" option within the app.