Researchers wirelessly hack Mitsubishi Outlander Hybrid SUV, turn off anti-theft alarm

Security researchers discovered several vulnerabilities in the Mitsubishi Outlander Hybrid SUV, including being able to disable the anti-theft alarm from a laptop

hacking Mitsubishi Outlander Plug-In Hybrid
Pen Test Partners

Security researcher Ken Munro of Pen Test Partners hacked the Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV). He discovered several vulnerabilities, including being able to disable the anti-theft alarm from a laptop.

U.S. drivers may be unfamiliar with the vehicle. Had Mitsubishi Outlander Plug-In Hybrid sales started in 2013 as originally proposed, it would have been the first plug-in hybrid SUV available in the U.S. But it didn't. The 2017 model is expected to hit showrooms late this fall, with an estimated $42,000 as a base price. In the U.K., it is the “bestselling hybrid.”

Unlike most remote control apps for cars that use GSM to communicate, the Mitsubishi Outlander PHEV has a wireless access point on the SUV. To use the app, you must disconnect from any other Wi-Fi and connect to the SUV’s AP. Although that might have been a cheaper solution for the car manufacturer, Munro said the system has not been implemented securely.

Mitsubishi Outlander Hybrid PHEV app Mitsubishi Motors

Example of the Mitsubishi Outlander Hybrid PHEV app. The "hack" was done with a laptop, not the app.

The SUV’s AP has a unique SSID, in the format of “[REMOTEnnaaaa] where ‘n’ are numbers and ‘a’ are lower case letters,” making it easy for a site like Wireless Geographic Logging Engine (WiGLE) to track the location of the vehicles. Put another way, Munro said, “A thief or hacker can therefore easily locate a car that is of interest to them.”

In the Mitsubishi Outlander hack video, Munro said some of the vulnerabilities are “funny” but others are “really quite nasty.”

mitsubishi outlander phev app Mitsubishi Motors

The PSK is too short and cannot be changed. Pen Test Partners used a relatively low-powered rig and cracked the key to a SUV that cost them about $60,000 in a mere four days. Crank up the cracking power, such as using a cloud service, and it would take considerably less time – about a day or so.

The researchers then launched a MiTM (man-in-the-middle) attack to check the security between the phone and the SUV. They discovered they could “take control of many functions of the car with nothing more than a computer.”

Without using the app, they could control the lights, control “pre-cooling” and “pre-heating” to drain the charge, and otherwise tweak the charging schedule. But those are relatively minor things when compared using a laptop and replay attack to disable the anti-theft alarm and unlock the doors.

Once the SUV is unlocked, an attacker can access the OBD-II (on-board diagnostic) port, and “that’s where you can really start messing around with the car’s systems,” Munro said. Although they didn’t try it, the researchers mentioned how BMW’s OBD-II port can be “used to code new keys for the car.”

“If I was a thief,” Munro said, “I would geo-locate it, using resources like WiGLE; I’d find your car … crack your Wi-Fi key.” Then “I’d send the code required to disable the alarm from a laptop – or maybe a hacked mobile device.” After that, a thief could jimmy the door or smash the window to “reach inside, unlock” and open the door, and then “access the OBD port inside. I’ve potentially got your car.”

Mitsubishi’s response

Mitsubishi was reportedly “disinterested” when the researchers attempted to privately disclose the flaws. That changed, however, once the BBC got involved.

After Mitsubishi was given a demonstration of the hack on June 3, the company said, “This hacking is a first for us, as no other has been reported anywhere else in the world.” Mitsubishi then seemed to downplay the vulnerability, telling the BBC, “It should be noted that without the remote control device, the car cannot be started and driven away.”

The short-term solution proposed by the car manufacturer is for owners to deactivate the “onboard Wi-Fi via the ‘cancel VIN Registration’ option on the app or by using the remote app cancellation procedure.” Munro said to do it unless you want someone to come along and potentially “pinch” your car.

Munro wishes Mitsubishi would take the vulnerabilities more seriously. He suggested to the BBC, “New firmware should be deployed urgently to fix this problem properly, so the mobile app can still be used.”

On Pen Test Partners, Munro said Mitsubishi needed to re-engineer the “odd Wi-Fi AP.” A GSM module/web service would be better yet. For the long term fix, Munro said, “words like ‘recall’ spring to mind.”

New! Download the State of Cybercrime 2017 report