See How a Mitsubishi Outlander Can be Hacked Through the In-Car Wi-Fi
Automaker suggests a fix
Tesla, Fiat Chrysler, and Nissan have all fallen victim to security vulnerabilities. Now, at perhaps the most unfortunate time, it's Mitsubishi's turn. A British security company managed to hack into an Outlander PHEV through its Wi-Fi system. On top of that, USA Today reports that the company was "greeted with disinterest" when it initially approached Mitsubishi about the problem.
The experiment began when Pen Test Partners noticed the Mitsubishi Outlander PHEV has a mobile app that works differently than other vehicles. It's not unusual for automakers to offer apps that allow drivers to heat up a car's cabin, lock the doors, or turn on the engine remotely with the touch of a button. But while most apps communicate with the cloud before relaying the information to the vehicle, providing a layer of security, Mitsubishi's app communicates directly with a Wi-Fi access point on the car. As a result, drivers have to be within Wi-Fi range to use the feature. Along with being inconvenient, the system was not implemented securely, the hackers say.
After cracking the Wi-Fi key, it didn't take long for the hackers to access the car and work their black magic. They turned on the lights, fiddled with the climate control system, and even disabled the car's theft alarm. But the possibilities for attacks go further, the hackers explain. Watch the video at the end of this post to see exactly how it works.
After involving the media, the group says it was finally able to get Mitsubishi's attention. "Mitsubishi have since been very responsive to us! They are taking the issue very seriously at the highest levels," it said.
Mitsubishi has since provided a remedy for the problem (scroll way down to Delete Registration-Initialization Process). It suggests drivers temporarily deactivate Wi-Fi.
Mitsubishi has issued the following statement to AUTOMOBILE:
"Mitsubishi Motors is focused on the safety and security of its vehicles. This is the first reported incident of hacking involving any Mitsubishi vehicle to date. While Mitsubishi Motors is working diligently to investigate the issue, it is important to clarify that this hack only pertains to the smartphone app and has limited actual impact on the vehicle itself. This app can only control the vehicle alarm, the HVAC system, the lights, and the battery charging schedule. While this app also monitors the status of the vehicle's doors and hood (open/closed), it cannot lock or unlock them.
To be clear, the subject hacking has no effect on the ability of the consumer to safely start and drive the vehicle. Further, the vehicle's immobilizer is unaffected. Accordingly, while the vehicle alarm could be turned off, the vehicle would remain locked and the car could not be started without the smart key remote control device.
While Mitsubishi Motors investigates this issue, it is recommending that any customer who is concerned about this issue should deactivate the vehicle's WiFi using the 'Cancel VIN Registration' option found in the app, or by using the remote app cancellation procedure found in the vehicle's Multi Communication System."