The investigation started when Ken Munro, a security expert at the firm Pen Test Partners, noticed that the wi-fi access point of a Mitsubishi Outlander Hybrid parked nearby (the access point is used to control some of the car’s functions) was visible on his smartphone.
The car’s wi-fi is used to connect the car to the driver’s smartphone; Munro decided to purchase his own Outlander Hybrid in a bid to investigate.
Munro and his team found that they were not only able to turn off the car’s security alarm, but also to locate individual Outlander Hybrid models, control various vital functions of the car (including flashing the headlights remotely), tweak the car’s charging settings, and even drain the battery.
Pen Test Partners have said that a short-term fix would be to unpair all mobile devices that have been connected to the wi-fi access point. This can be done by selecting ‘Settings’, then ‘Cancel VIN Registration’ in the Outlander PHEV phone app.
This prompts the wi-fi to ‘go to sleep’. In the long term, though, the firm advises that Mitsubishi will need to re-engineer the “rather odd” wi-fi AP client connection method completely.
Mitsubishi is not the only manufacturer to offer web-based services such as this one, but commands typically pass through a number of security barriers (servers) before reaching the car. In this case, Mitsubishi’s app connects straight to the wi-fi on board the car, so commands never pass through such a barrier.
When contacted by Autocar, a Mitsubishi spokesman said: "This hacking is a first for us, as no others have been reported anywhere else in the world. We take this matter very seriously and are very much willing to initiate a dialogue between Mr. Munro's team and our own specialists in Japan to better understand & solve the issue."
He added: "Whilst obviously disturbing, this hacking only affects the car's app, therefore with limited effect to the vehicle (alarm, charging, heating), it should be noted that without the remote control device, the car cannot be started and driven away. At this early stage, until further technical investigation, we would recommend our customers to deactivate the wi-fi using the ‘Cancel VIN Registration’ option on the app, or by using the remote app cancellation procedure."
The Mitsubishi Outlander PHEV isn’t the first car that’s had its software hacked; an ‘attack’ staged on a 2014 Jeep Cherokee led to Fiat Chrysler recalling 1.4 million units of the model to perform a software update.
Pen Test Partners added that a medium term fix is currently being worked on.