The latest version of the Mitsubishi Outlander PHEV, the hybrid edition of the company's new compact SUV, is proving to be an easy target for hackers. It is apparently easy to connect to the hybrid vehicle, hack it and manipulate it, even to the point of turning off the alarm.
Hacking the Outlander is a bit of a warning about the future of connected cars
The vehicle itself can be controlled remotely over WiFi, not the usual Bluetooth, RF or the satellite GSM methods that most manufacturers seem to traditionally use. WiFi is also an easier medium for those with nefarious intent to connect to. Plenty of common tools are available, and the knowledge needed to create your own is just as plentiful, so the danger is more or less inherent and expected.
It seems that the initial password, or pre-shared key, is written down in the owner's manual and isn’t very complex. It’s a simple 7-digit password that doesn’t even use unique characters. Pen Test Partners was able to brute-force the password within four days with a small dedicated GPU password cracking rig. With more compute power, you could easily find the initial password within hours, even minutes. That’s highly insecure.
Connecting wasn’t that hard either, since the unique SSID isn’t hidden and is very easy to access. Once connected, they sent a series of messages to figure out how the car communicated with its various systems, and simply replayed various messages from the mobile app. They were able to turn the AC on or off, unlock the car and even turn off the alarm, all with very little effort.
It’s incredibly convenient to be able to interact with your car from your phone or another remote device. But being able to do so means that anyone else with the will and knowledge can do so too. Hacking cars isn’t new, and even older models can be surreptitiously controlled via Bluetooth or even through physical hacking of the in-car network (though that’s a daring way to do it). They’re insecure and could pose a significant security threat in the future. Though they did put in a measure of security, more needs to be done when asking the vehicle to do things: more authentication, and perhaps a much more secure initial password. It’s likely that people won’t change it, because why would you?
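To make the "more authentication" point concrete, here is an added example (not code from Pen Test Partners or Mitsubishi, and not the car's real protocol) of a vehicle-side handler that accepts replayed frames in its weak mode and rejects them once each command carries a counter and an HMAC tag. The frame layout, command names, `Vehicle` class and per-pairing key are all hypothetical.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

def signed_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """App side: 8-byte counter | command | HMAC tag (constructed layout)."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Vehicle:
    """Hypothetical vehicle-side handler; not Mitsubishi's actual protocol."""
    def __init__(self, key: bytes, authenticated: bool):
        self.key, self.authenticated = key, authenticated
        self.last_counter = 0      # highest counter accepted so far
        self.alarm_armed = True

    def handle(self, frame: bytes) -> bool:
        command = frame            # weak mode: a recorded frame works again
        if self.authenticated:
            if len(frame) < 8 + TAG_LEN:
                return False
            body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
            expected = hmac.new(self.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return False       # forged or modified frame
            (counter,) = struct.unpack(">Q", body[:8])
            if counter <= self.last_counter:
                return False       # replay of a frame already seen
            self.last_counter, command = counter, body[8:]
        if command not in (b"ALARM_ON", b"ALARM_OFF"):
            return False
        self.alarm_armed = command == b"ALARM_ON"
        return True

def replay_demo() -> dict:
    key = secrets.token_bytes(32)  # per-pairing secret, separate from the WiFi key
    weak, strong = Vehicle(key, False), Vehicle(key, True)
    recorded_plain = b"ALARM_OFF"                      # constructed captured frame
    recorded_signed = signed_frame(key, 1, b"ALARM_OFF")
    for car, frame in ((weak, recorded_plain), (strong, recorded_signed)):
        car.handle(frame)                              # legitimate first use
    weak.handle(b"ALARM_ON")
    strong.handle(signed_frame(key, 2, b"ALARM_ON"))   # owner re-arms
    return {"weak_replay": weak.handle(recorded_plain),
            "strong_replay": strong.handle(recorded_signed),
            "strong_alarm_armed": strong.alarm_armed}
```

In a real design the counter would have to survive power cycles, and the key would be established at pairing rather than derived from the printed WiFi password.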
In the meantime, if you happen to be an owner of a Mitsubishi Outlander PHEV, you can go into the settings of the mobile app and select the “Cancel VIN Registration” option in order to unpair all WiFi devices, which will mitigate and prevent anyone from getting access to your car. You’ll have to ask yourself if the risk is worth the reward in this case.