Pen Test Partners, a computer security company in the United Kingdom, has discovered a way to hack the Mitsubishi Outlander PHEV, giving attackers the ability to shut off the security system. As proof, the firm released a video showing the attack in action.
The most disturbing thing about this hack is that an attacker doesn't need physical access to the vehicle to make it work. The Outlander PHEV uses an on-board Wi-Fi access point to connect with Mitsubishi's smartphone app. The problem, according to Pen Test, is that the automaker's 10-character passwords are too weak. A dedicated machine to crack the code would need four days to find the solution. However, the researchers claim that if someone paid about 1,000 pounds ($1,450) to rent some extra computing power, the code could be decrypted "almost instantaneously."
Once in control, the hackers can manage the vehicle's charging, turn the headlights on or off, activate the HVAC system, and disable the security system. Pen Test also believes further experimentation could lead to ways to take over the infotainment system and possibly dig even deeper into the crossover's systems. At this time, the attack only affects the Outlander PHEV, and Mitsubishi confirms to Motor1 that it is the only vehicle in the company's lineup with a wireless access point to interface with the smartphone app.
In a statement to Motor1, Mitsubishi said in part: "The subject hacking has no effect on the ability of the consumer to safely start and drive the vehicle. Further, the vehicle's immobilizer is unaffected. Accordingly, while the vehicle alarm could be turned off, the vehicle would remain locked and the car could not be started without the smart key remote control device." You can read the full text in the press releases section below.
Pen Test claims Mitsubishi U.K. initially resisted doing anything about the problem. After some prodding by the BBC, the automaker has started working on a firmware update to mitigate the hacking attack. Until the new software is ready, Outlander PHEV owners can use a feature in the smartphone app called "Cancel VIN Registration," which shuts off the wireless access point. Pressing the key fob 10 times turns it back on. Pen Test has a deeper explanation about the hack in the video above.
Car hacking has become a bigger security concern in the past couple of years as cars become increasingly connected. In 2015, Fiat Chrysler Automobiles had to recall 1.4 million vehicles after security experts remotely took over a Jeep Cherokee.
Source: Pen Test Partners
Mitsubishi Motors is focused on the safety and security of its vehicles. This is the first reported incident of hacking involving any Mitsubishi vehicle to date. While Mitsubishi Motors is working diligently to investigate the issue, it is important to clarify that this hack only pertains to the smartphone app and has limited actual impact on the vehicle itself. This app can only control the vehicle alarm, the HVAC system, the lights, and the battery charging schedule. While this app also monitors the status of the vehicle's doors and hood (open/closed), it cannot lock or unlock them.
To be clear, the subject hacking has no effect on the ability of the consumer to safely start and drive the vehicle. Further, the vehicle's immobilizer is unaffected. Accordingly, while the vehicle alarm could be turned off, the vehicle would remain locked and the car could not be started without the smart key remote control device.
While Mitsubishi Motors investigates this issue, it is recommending that any customer who is concerned about this issue should deactivate the vehicle’s WiFi using the ‘Cancel VIN Registration’ option found in the app, or by using the remote app cancellation procedure found in the vehicle’s Multi Communication System.