Issues with its wi-fi system have left the Mitsubishi Outlander plug-in hybrid open to attack from hackers
7 June 2016

The Mitsubishi Outlander PHEV's wi-fi system has security bugs that leave the car vulnerable to hackers, researchers have found.

The investigation started when Ken Munro, an expert at security firm Pen Test Partners, found that the wi-fi access point of a Mitsubishi Outlander Hybrid parked close by was visible on his smartphone. The access point is used to control some of the functions of the car.

The car’s wi-fi is used to connect the car to the driver’s smartphone; Munro decided to purchase his own Outlander Hybrid in a bid to investigate.

Munro and his team found that they were able not just to turn off the car’s security alarm, but also to locate individual Outlander Hybrid models, control various vital functions of the car (including flashing the headlights remotely), tweak the car’s charging settings, and even drain the battery.

Pen Test Partners have said that a short-term fix would be to unpair all mobile devices that have been connected to the wi-fi access point. This can be done by selecting ‘Settings’, then ‘Cancel VIN Registration’ in the Outlander PHEV phone app.

This prompts the wi-fi to ‘go to sleep’. In the long term, though, the firm advises that Mitsubishi will need to re-engineer the “rather odd” wi-fi AP client connection method completely.

Mitsubishi isn’t the only manufacturer to use web-based services such as this one, but commands typically pass through a number of security barriers (servers) before reaching the car. In this case, Mitsubishi’s app connects straight to the wi-fi onboard the car.

When contacted by Autocar, a Mitsubishi spokesman said: "This hacking is a first for us, as no others have been reported anywhere else in the world. We take this matter very seriously and are very much willing to initiate a dialogue between Mr. Munro's team and our own specialists in Japan to better understand & solve the issue."

He added: "Whilst obviously disturbing, this hacking only affects the car's app, therefore with limited effect to the vehicle (alarm, charging, heating), it should be noted that without the remote control device, the car cannot be started and driven away. At this early stage, until further technical investigation, we would recommend our customers to deactivate the wi-fi using the ‘Cancel VIN Registration’ option on the app, or by using the remote app cancellation procedure."

The Mitsubishi Outlander PHEV isn't the first car to have had its software hacked; an ‘attack’ staged on a 2014 Jeep Cherokee led to Fiat Chrysler recalling 1.4 million units of the model to perform a software update.

Pen Test Partners added that a medium-term fix is currently being worked on.


Danni Bagnall 
