Software Integrity Blog


Researcher finds Mitsubishi Outlander can be remotely hacked

In response to new research, Mitsubishi is recommending that owners of its European Outlander model turn off the Wi-Fi system while it investigates potential vulnerabilities.

On Monday, the BBC reported that security researcher Ken Munro who found the Mitsubishi Outlander plug in hybrid electric vehicle (PHEV) vehicle supported its own web server. He noticed one day an unusual Wi-Fi access point on his smartphone and traced it to a friend’s Mitsubishi Outlander. The friend further showed him the app used to control.

“I got playing with it and soon realized it was vulnerable so I stopped,” he told the BBC.

While it’s not unusual for apps to connect to cars these days, most use 3G cellular networks. Instead Mitsubishi uses Wi-Fi. For one thing the pre-shared key (PSK) consists of four lowercase alphas and six numeric digits. Munro said he was able to crack it on a slow test bed in about four days.

The web server also broadcasts a distinct name as an access point. As such Munro was able to identify many Mitsubishi hybrids in the nearby area. He also noted that these are also being logged on websites that gather the names of access points.

“Some were spotted while driving and others when parked at their owner’s house,” wrote Mr Munro in a blog outlining his findings. “A thief or hacker can therefore easily locate a car that is of interest to them.”

Monro said his team could also replay commands sent to an Outlander allowing them to flash the lights, tweak its charging settings and drain the battery.

While controlling a car remotely is not new, it’s surprising that cars produced today would still exhibit these same symptoms.


More by this author