2 min read

Lax security means hackers could steal your Mitsubishi Outlander


June 07, 2016

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Lax security means hackers could steal your Mitsubishi Outlander

If you’ve got a Mitsubishi Outlander hybrid electric car then you’ve also got a problem.

Security researchers at Pen Test Partners have discovered that the top-selling family SUV’s security is fatally flawed because of the unusual method that Mitsubishi used to connect the vehicle to its mobile app.

As researcher Ken Munro explains in a YouTube video, the Mitsubishi Outlander is unusual in that it comes with its own wireless access point to connect the owner’s app, rather than communicating via GSM.

“Most remote control apps for locating the car, flashing the headlights, locking it remotely etc. work using a web service. The web service is hosted by the car manufacturer or their service provider. This then connects to the vehicle using GSM to a module on the car. As a result, one can communicate with the vehicle over mobile data from virtually anywhere.”

Munro says he found it easy to crack the pre-shared key used to connect to the car, and his team were able to find a way of cracking the messaging protocol – showing they could force the car to turn on its lights, heating and air conditioning (potentially draining the battery) and even disable the theft alarm.


Source: Pen Test Partners

The fact that the vehicle’s alarm can be disabled is, of course, a considerable concern – especially as the researchers showed they could use the Wi-Fi search engine wigle.net to “easily” geolocate a car and track it. Such an ability is clearly a boon for car thieves.

The researchers informed the car manufacturer of the security flaw in the Mitsubishi Outlander, but initially failed to get a satisfactory response until the BBC took an interest in the issue.

Until a proper fix is available Mitsubishi Outlander owners are advised to unpair any mobile device they have connected to the car’s access point – effectively telling the vehicle’s Wi-Fi module to go into sleep mode. This is done by opening the app, going to “Settings” and selecting “Cancel VIN Registration”.

Mitsubishi has published details of how to delete the registration on this webpage.


This vulnerability is just the latest in a series of security flaws found in vehicles recently. Problems seen have included cars that could have their brakes disabled just by sending an SMS, Jeeps being commandeered remotely, and millions of GM cars vulnerable to remote exploitation via their onboard OnStar dashboard computer.

It’s clear that automobile manufacturers are racing to connect their vehicles to the internet in a bid to appeal to gadget-loving drivers, but that safety and security is not being treated as a priority.

As more and more cars jump on the Internet of Things bandwagon, it’s not just going to be the risk of remote control car theft that we are going to have to worry about. Our own physical safety is going to be an increasing concern too.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like