Issues with its wi-fi system have left the Mitsubishi Outlander plug-in hybrid open to attack from hackers
7 June 2016

The Mitsubishi Outlander PHEV's wi-fi system has security bugs that leave the car vulnerable to hackers, researchers have found.

The investigation started when Ken Munro, an expert at security firm Pen Test Partners, found that the wi-fi access point of a Mitsubishi Outlander Hybrid parked close by was visible on his smartphone. The access point is used to control some of the car's functions.

The car’s wi-fi is used to connect the car to the driver’s smartphone; Munro decided to purchase his own Outlander Hybrid in a bid to investigate.

Munro and his team found that they were able not just to turn off the car’s security alarm but also to locate individual Outlander Hybrid models, control various vital functions of the car (including flashing the headlights remotely), tweak the car’s charging settings, and even drain the battery.

Pen Test Partners have said that a short-term fix would be to unpair all mobile devices that have been connected to the wi-fi access point. This can be done by selecting ‘Settings’, then ‘Cancel VIN Registration’ in the Outlander PHEV phone app.

This prompts the wi-fi to ‘go to sleep’. In the long term, though, the firm advises that Mitsubishi will need to re-engineer the “rather odd” wi-fi AP client connection method completely.

Mitsubishi is not the only manufacturer to use web-based services such as this one, but commands typically pass through a number of security barriers (servers) before reaching the car. In this case, Mitsubishi’s app connects straight to the wi-fi on board the car.

When contacted by Autocar, a Mitsubishi spokesman said: "This hacking is a first for us, as no others have been reported anywhere else in the world. We take this matter very seriously and are very much willing to initiate a dialogue between Mr. Munro's team and our own specialists in Japan to better understand & solve the issue."

He added: "Whilst obviously disturbing, this hacking only affects the car's app, therefore with limited effect to the vehicle (alarm, charging, heating), it should be noted that without the remote control device, the car cannot be started and driven away. At this early stage, until further technical investigation, we would recommend our customers to deactivate the wi-fi using the ‘Cancel VIN Registration’ option on the app, or by using the remote app cancellation procedure."

The Mitsubishi Outlander PHEV isn't the first car to have its software hacked; an ‘attack’ staged on a 2014 Jeep Cherokee led to Fiat Chrysler recalling 1.4 million units of the model to perform a software update.

Pen Test Partners added that a medium-term fix is currently being worked on.

Danni Bagnall 
