Hackers crack Mitsubishi's high-tech SUV

UPDATE: Mitsubishi Australia has told owners to turn off internet connectivity in its flagship plug-in petrol-electric hybrid after one was hacked using nothing but a laptop computer.

Mitsubishi Outlander PHEV

MITSUBISHI Australia has recommended owners of its Outlander PHEV plug-in petrol-electric SUV turn off the vehicle's wireless internet hub after hackers broke into one using nothing but a laptop computer.

The hack, revealed overnight, exposed security holes in the software that lets owners remotely control functions of the Outlander PHEV, British software security group Pen Test Partners said.

“Some of them [the hacks] are just funny, but some of them actually really are quite nasty,” online security researcher Ken Munro said in a video posted on the company’s website showing how the hacks worked.

What concerned the hackers was that unlike other remote access applications, which used the relatively secure mobile phone network to link an owner’s smartphone to the car, the Mitsubishi Outlander PHEV used an on-board wireless network that the researchers could easily access.

This, combined with a relatively insecure electronic key linking the owner’s software with the car, “just isn’t enough”, Munro said – even though he admitted that with basic key-cracking software it would take at least four days to work out what it was.


However, for about £1000, or the equivalent of $2000, hackers could have the key “almost instantaneously”, he said.

Once in control, hackers can turn on the car’s lights, play with the heating and cooling, turn off the alarm and open the doors, and even search for a victim using wireless network sniffing tools. At worst, though, hackers can only flatten the car's batteries, although the ability to disable the alarm means breaking into or stealing the $47,490 plug-in hybrid is easier.

Since the hackers revealed their findings, Mitsubishi said it was working on a solution to the problem.

Mitsubishi Australia said Outlander PHEVs sold here did have the same app-based system as the one that was hacked.

"Our counterparts in Europe have recommended that, at this early stage and until further technical investigation, customers who are concerned about their vehicle should deactivate the WiFi using the ‘Cancel VIN Registration’ option on the app, or by using the remote app cancellation procedure," Mitsubishi Australia spokesman Shayna Welsh told Wheels.

"In the meantime, the hacking is a first for Mitsubishi Motors as none other has been reported anywhere else in the world."

Mitsubishi’s connected car woes follow on from an Australian hacker who in February revealed he was able to take control of any Nissan Leaf in the world – from a deckchair beside his pool – using a smartphone app that was meant to remotely link owners with the world’s best-selling electric car.

The security breach forced Nissan to take the Leaf’s internet-based owner’s access offline while it plugged the security gap.

Similarly, a group of US hackers was able to remotely break into a Jeep Cherokee and wrest control away from the driver, playing with the brakes and accelerator while it was moving.

Online security researchers have also flagged the increasing use of keyless entry and start systems on cars as another potential open door for hackers to gain access to vehicles.



Barry Park
