Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researchers Hack Mitsubishi Outlander PHEV

Hackers Can Disable Alarm on Mitsubishi Outlander PHEV Cars

Hackers Can Disable Alarm on Mitsubishi Outlander PHEV Cars

Researchers from UK-based penetration testing and security services firm Pen Test Partners discovered that the mobile applications for the Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) are plagued by vulnerabilities that can be exploited by hackers to remotely control some of the car’s features.

Mitsubishi Outlander PHEV is a popular SUV whose owners can control various functions remotely using an iOS or Android application. Unlike other vehicles, which can be controlled over long distances via GSM networks, the Outlander PHEV apps use Wi-Fi to connect the phone directly to the car when the device is in range of the vehicle’s Wi-Fi access point.

Researchers have analyzed this connectivity method and discovered that the Wi-Fi Protected Access Pre-Shared Key (WPA-PSK), which is used to authenticate and validate the connection, is included in the owner’s manual and it can be easily cracked. It took experts less than four days to crack it, but they believe it could be done almost instantly using £1,000 ($1,400) worth of cloud computing resources.

Pen Test Partners discovered that each Outlander PHEV access point has a unique SSID. Since the SSIDs have the same format, it’s easy for someone to find the geographical location of these vehicles using wireless network mapping services such as WiGLE.

A man-in-the-middle (MitM) attack launched against the connection between the mobile app and the vehicle revealed that it uses a relatively simple binary protocol that is easy to understand and reverse engineer.

Researchers demonstrated that an attacker who is in range of the car’s Wi-Fi access point can control various functions, such as turning the lights or the air conditioning on and off, or playing around with battery charging features — all of which could be used to drain the battery. The most concerning issue, however, is that a hacker could disable the car’s alarm.

“Once unlocked, there is potential for many more attacks. The on board diagnostics port is accessible once the door is unlocked. Whilst we haven’t looked in detail at this, you may recall from a hack of some BMW vehicles which suggested that the OBD port could be used to code new keys for the car,” researchers explained. “We also haven’t looked at connections between the Wi-Fi module and the Wi-Fi module and the Controller Area Network (CAN). There is certainly access to the infotainment system from the Wi-Fi module.”


While initially it did not take their findings seriously, researchers say Mitsubishi is now working on addressing the issues they discovered. SecurityWeek has reached out to the company for comment.

In the meantime, users can protect their cars against potential attacks by unpairing their mobile devices from the vehicle’s access point (Settings->Cancel VIN Registration). If all mobile devices are unpaired, the Wi-Fi module goes to sleep and will only be re-enabled if the key remote is pressed ten times.

The vulnerabilities found by Pen Test Partners are similar to the ones identified by researchers earlier this year in the Nissan LEAF. However, in the LEAF’s case, experts showed that attacks could be conducted from halfway around the world.

Related Reading: Karamba Security Emerges From Stealth to Protect Cars From Hackers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...