Mitsubishi Outlander PHEV’s alarm can be hacked via Wi-Fi

Security researchers have hacked a Mitsubishi Outlander, one of the best-selling hybrid SUVs in the UK. Worryingly the hack enabled the researchers to disable the Outlander’s car alarm, and even do things like drain the battery and turn the car’s lights off and on.

Pen Test Partners, the security researchers that carried out the hacking, have explained exactly how the hack was performed on the company website, and it makes for a worrying read. Like many of the best hybrid cars around, the Mitsubishi Outlander has a counterpart app that allows you to check the status of the car and control certain functions. However, rather than GSM, this system uses Wi-Fi, and that connection wasn’t particularly secure.

Cracking the Outlander

The website goes on to say that the key to get into this Wi-Fi can be cracked “o

After getting the SSID and the PSK of the cars, the researchers were able to imitate an owner’s phone, and control several different functions. First, they were able to turn the lights on and off and use the air conditioning to drain the car’s battery – just like the Nissan Leaf hack, but they were also able to disable the car’s theft alarm.

The website reads: “So, we sat inside the car whilst being very still and locked it. Then, waving my arms around, it was clear that the alarm was off. I could then unlock the car using the handle on the inside of the door, without the alarm sounding”

What has Mitsubishi said?

The website says, “Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest… So, we involved the BBC who helped us get their attention.”

“Mitsubishi have since been very responsive to us! They are taking the issue very seriously at the highest levels.”

How to fix it

The researchers at Pen Test Partners have offered a short-term fix for the vulnerability, but it does mean the app will be useless for the time being.

1. First, go to the car and connect your mobile phone to the access point on the car.
2. Using the app, go to ‘Settings’ and select ‘Cancel VIN Registration’:
3. Once all paired devices are unpaired, the Wi-Fi module will effectively go to sleep. It cannot be powered up again until the car key remote is pressed ten times. A nice security feature.

The researchers go on to say as a medium term solution, “new firmware should be deployed urgently to fix this problem properly, so the mobile app can still be used.” After that, the researchers say engineers will need to re-engineer the whole app completely.

A growing problem

First, we had the Jeep Cherokee, then the Nissan Leaf – and now the Mitsubishi. As much as car makers try and escape the issue, vehicles are getting more advanced, and that’s making them easier to hack. If auotomotive companies want us to embrace – admittedly useful – features like apps, they’ll need to make them as secure as the apps on our phones and computers. 

Related Posts

How To Set the Amazon Echo Alarm to Wake You with Music How To Set a Music Alarm on a Google Home Device How to Set a Song as an Alarm on the iPhone How To Set An Alarm On A Macbook How To Change the Volume for Your Android Alarm How To Change the iPhone Alarm Volume Discord Got Hacked? Here’s What To Do MetaMask Got Hacked? Here’s What To Do How to Find Out Who Hacked Your Gmail Account