The investigation started when Ken Munro, an expert at security firm Pen Test Partners, found that the wi-fi access point of a Mitsubishi Outlander Hybrid parked close by (which is used to control some of the functions of the car) was visible on his smartphone.
The car’s wi-fi is used to connect the car to the driver’s smartphone. Munro decided to purchase his own Outlander Hybrid in a bid to investigate.
Munro and his team found that they were not just able to turn off the car’s security alarm: they were also able to locate individual Outlander Hybrid models, control various vital functions of the car (including flashing the headlights remotely), tweak the car’s charging settings, and even drain the battery.
Pen Test Partners have said that a short-term fix would be to unpair all mobile devices that have been connected to the wi-fi access point. This can be done by selecting ‘Settings’, then ‘Cancel VIN Registration’ in the Outlander PHEV phone app.
This prompts the wi-fi to ‘go to sleep’. In the long term, though, the firm advises that Mitsubishi will need to re-engineer the “rather odd” wi-fi AP client connection method completely.
Mitsubishi is not the only manufacturer to use web-based services such as this one, but with other systems commands typically pass through a number of security barriers (servers) before reaching the car. In this case, Mitsubishi’s app connects straight to the wi-fi onboard the car.
When contacted by Autocar, a Mitsubishi spokesman said: "This hacking is a first for us, as no others have been reported anywhere else in the world. We take this matter very seriously and are very much willing to initiate a dialogue between Mr. Munro's team and our own specialists in Japan to better understand & solve the issue."