British security firm hacks Mitsubishi Outlander via mobile app, Wi-Fi

Using the car's built-in access point, Pen Test Partners took control of various Outlander Plug-In Hybrid systems.

Andrew Krok Reviews Editor / Cars
Cars are Andrew's jam, as is strawberry. After spending years as a regular ol' car fanatic, he started working his way through the echelons of the automotive industry, starting out as social-media director of a small European-focused garage outside of Chicago. From there, he moved to the editorial side, penning several written features in Total 911 Magazine before becoming a full-time auto writer, first for a local Chicago outlet and then for CNET Cars.
Andrew Krok
2 min read

Hacking a car might sound like a silly term that some fearmonger would use to get you all worked up about nothing, but it's actually a bit scary. Considering that more and more cars are connected in various ways, the number of ways to sneak into a car is higher than ever. One British security firm thinks it's found a pretty serious vulnerability in a Mitsubishi Outlander Plug-In Hybrid.

Pen Test Partners LLP found that the Outlander PHEV used an interesting method of connecting the car to an owner's mobile phone. Whereas many mobile apps use the internet as an intermediary between phone and car, Mitsubishi offers a direct connection via Wi-Fi. Add in a weak factory password, and unscrupulous nerds can access the vehicle's settings.

Once access was granted, the firm was able to change battery charge settings, fiddle with the HVAC controls and turn on the headlights. Perhaps most worrying, they disabled the alarm system. If a criminal outside the car made that happen, a quick lock-jimmying and boom -- they're in the car.

Pen Test Partners said they brought the issue to Mitsubishi. After an initial blow-off, the group made this video, and now Mitsubishi's UK office claims to be working on a solution.

Thankfully, making off with the car is a much harder thing to do, but knowing that disabling the car's alarm is as easy as sniffing out a network and brute-forcing a relatively simple password is a bit troublesome. Until a fix is found, Pen Test Partners suggest turning the car's Wi-Fi system into sleep mode. You'll lose mobile car access, but so will everyone else.

Update, June 7: Mitsubishi's comment has been attached below.

Mitsubishi Motors is focused on the safety and security of its vehicles. This is the first reported incident of hacking involving any Mitsubishi vehicle to date. While Mitsubishi Motors is working diligently to investigate the issue, it is important to clarify that this hack only pertains to the smartphone app and has limited actual impact on the vehicle itself. This app can only control the vehicle alarm, the HVAC system, the lights, and the battery charging schedule. While this app also monitors the status of the vehicle's doors and hood (open/closed), it cannot lock or unlock them.

To be clear, the subject hacking has no effect on the ability of the consumer to safely start and drive the vehicle. Further, the vehicle's immobilizer is unaffected. Accordingly, while the vehicle alarm could be turned off, the vehicle would remain locked and the car could not be started without the smart key remote control device.

While Mitsubishi Motors investigates this issue, it is recommending that any customer who is concerned about this issue should deactivate the vehicle's WiFi using the 'Cancel VIN Registration' option found in the app, or by using the remote app cancellation procedure found in the vehicle's Multi Communication System.