Mitsubishi Outlander PHEV Gets Hacked without Mercy or Any Real Difficulty

Twenty years ago or so, hacking a car involved a wrench, a crowbar, and a lot of muscle. Nowadays, all you need is a decent computer and an Internet connection, while the only muscle that needs some flexing is your brain.
As our cars become more and more dependent on technology, the risk grows with them. If the greatest threat of having your personal computer hacked was losing your porn collection, with the car the consequences can be a lot more severe. For now, hackers are limiting themselves to making a point; they're just exercising. But it's not too hard to imagine all this skill being used for doing something evil.

An old saying tells us that the best way to fight against an enemy is to know it inside out. Putting this into practice, the people at Pen Test Partners (a company specializing in security services and penetration testing - yes, I know how that sounds) attempted to hack a Mitsubishi Outlander PHEV using its mobile app as a way in. And since they didn't find a volunteer, they went out and bought themselves one of those hybrid SUVs. In red. And with a license plate that read "H4CK M3." Those Brits, they're so silly.

They wrote a lengthy blog post about the whole procedure that we're not going to go into here - but not because it exceeds our knowledge on the subject, not at all. The bottom line, though, is that the team was able to gain control over some of the vehicle's basic functions - turn on the lights, change its charging schedule, turn on the air conditioning - but also more vital ones, such as switching off its alarm.

What makes hacking the Outlander PHEV easier than other vehicles that use similar apps is that the Mitsubishi relies on a Wi-Fi connection between the mobile device and the car, while others use GSM modules that are a lot more secure and can also be accessed from anywhere in the world. The Pen Test team first took its findings to Mitsubishi, which was quick to dismiss them, forcing our good hackers to go public. They also provide a list of solutions for those interested in not having their car stolen:

"Short term fix: Unpair all mobile devices that have been connected to the car access point. First, go to the car and connect your mobile phone to the access point on the car. Then, using the app, go to ‘Settings’ and select ‘Cancel VIN Registration.’ Once all paired devices are unpaired, the Wi-Fi module will effectively go to sleep. It cannot be powered up again until the car key remote is pressed ten times. A nice security feature. This has the side effect of rendering the mobile app useless, but at least it fixes the security problem."

"Medium term fix: The app has the ability to push new firmware to the Wi-Fi module. New firmware should be deployed urgently to fix this problem properly, so the mobile app can still be used."

"Long term fix: Mitsubishi need to re-engineer the rather odd Wi-Fi AP – client connection method completely. A GSM module/web service method rather more like BMW Connected Drive would be much better long term. Words like ‘recall’ spring to mind."

About the author: Vlad Mitrache