Mitsubishi Outlander Plug-in Hybrid Has Security Flaw That Means Hackers Can Locate, Unlock, Steal Your Car

When it comes to electric and plug-in hybrid cars, having some form of remote telematics system has become something of the expected norm for both customers and automakers. Operating via either an always-on Internet connection built into the car or a less-sophisticated SMS-based messaging system between car and automaker data center, remote telematics allow owners of modern electric and plug-in hybrid cars to carry out a range of functions from setting the navigation system and checking on the state of charge to unlocking the doors and setting the climate control.

But as regulars to the site and those with more than a passing interest in computers will know, any time you give a car any form of network connection you increase the risk that it becomes the target of high-tech ne’erdowells. How easily that target can be exploited depends on how well the system is designed, what type of connection it uses to either the Internet or your cellphone, and what type of security protocols are used. And while most major automakers are accomplished when it comes to making cars that we want to own and drive, it turns out that they’re not very good at IT security.

There's a disturbing new security exploit for the Mitsubishi Outlander PHEV's telematics.

There’s a disturbing new security exploit for the Mitsubishi Outlander PHEV’s telematics.

Already this year, we’ve seen exploits discovered (and now patched) in the NissanConnect EV telematics system used for the Nissan LEAF and Nissan e-NV200 electric vehicles. In previous years, we’ve seen remote telematics plug-in car security exploits detailed for the Tesla Model S, GM OnStar, and BMW’s ConnectedDrive system, all of which have now been hacked.

Now we can add another car to the list of exploited plug-in cars: the highly popular Mitsubishi Outlander Plug-in Hybrid.

With an easily-hacked WiFi access point, criminals can easily gain entry to the PHEV.

With an easily-hacked WiFi access point, criminals can easily gain entry to the PHEV.

The news comes courtesy of computer security consultants Pen Test Partners, which discovered a series of major security flaws with the way in which the Outlander Plug-in Hybrid communicates to its partner smartphone app. Flaws which could, if exploited correctly, could make it easy for tech-savvy thieves to not only gain access to the interior of a car but by association, gain access to the car’s onboard diagnostics system, making it possible to steal the car even without the appropriate key.

As detailed in an extensive blog on its website, the hack involves the reasonably insecure connection made between the car and its owner’s smartphone which relies on not a 3G cellular data connection as every other plug-in car on the market today but a limited-range WiFi connection. With the right equipment, says Pen Test Partners expert Ken Munro — whose Mitsubishi Outlander Plug-in Hybrid was used to demonstrate the exploit to the BBC’s Rory Cellan-Jones earlier today — a steal-to-order car thief could gain entry to almost any Outlander Plug-in Hybrid almost instantaneously, using the exploit to switch off the car’s alarm, unlock the car and, after a short pause to program a new key, drive away.

The exploit itself comes from the fact that Mitsubishi chose to use WiFi as its preferred method of connection to the car rather than a cellular data connection. While cheaper due to no requirement for a data subscription, the system is far less secure than a cellular data connection because each car is only as secure as the the wireless access point in each car.

Security researchers call the exploit "shocking and should not be possible".

Security researchers call the exploit “shocking and should not be possible”.

Sadly, while each Outlander Plug-in Hybrid has a unique SSID (network name) for its ad-hoc WiFi network and a unique password, the SSID follows an easily identifiable format: [REMOTEnnaaaa] where ‘n’ are numbers and ‘a’ are lower-case letters. With the target network identified, it was a reasonably easy process to brute-force the password for the network in question. While Pen Test Partners said it took a few days to brute-force the password for Munro’s car using a single computer and some easily obtainable hacking tools, the company also notes that with around £1,000 of cloud computing power (something companies like Amazon will happily sell on a per-use basis) the WiFi access point in the car can be cracked almost instantaneously.

Once the password has been obtained, it’s possible to then connect a mobile telephone or computer directly to the car’s on-board access point and consequently, gain access to the car’s on-board systems, assuming the car has already been paired once with Mitsubishi’s smartphone Outlander PHEV app. While it took Pen Test Partners some extra work to reverse-engineer the ports and syntax of the insecure protocol used to communicate between car and smartphone, they were soon able to send commands to Munro’s Outlander PHEV to switch on and off the lights, as well as charging and climate control commands too.

But perhaps the most shocking discovery was that while Mitsubishi’s app doesn’t allow locking and unlocking of doors it does make it possible to activate and deactivate the car’s alarm remotely. With the right command, Munro and his team were able to deactivate his car’s alarm system, making it possible for an attacker to either break the window glass or force a door without triggering an alarm.

Then, once inside the car Munro says, criminals have easy access to the car’s on-board diagnostics (ODBII) port. Armed with an simple ODBII interface, a new blank key could then be coded to work with the car’s security system, making it possible to drive the now broken-into car away within a few minutes, a technique now popular among high-tech car thieves.

Steal-to-order teams could easily steal this car, say researchers.

Steal-to-order teams could easily steal this car, say researchers.

If that sounds like a lot of work, it is. Especially for an opportunist thief. But thanks to online projects like — which log and show hundreds of thousands of WiFi access points around the world — it’s reasonably easy for theives who know what to look for to locate vulnerable Outlander PHEV models from miles away. And with high-end Outlander PHEVs worth upwards of £40,000 new, investing even £1,000 on the computer power needed to crack the WiFi access point password and gain access to parked car is a worthwhile expense to the career car thief.

Pen Test Partners says it reached out to Mitsubishi some time ago with information about the security flaw it discovered, but did not receive much interest from the automaker about patching it. Consequently, it has published the basic details of the flaw online, alongside a proposed short-term fix for any concerned owners: disconnection of any associated cellphones to the car’s access point, along with cancellation of VIN registration on all associated phones.

With the alarm disabled, anything is possible.

With the alarm disabled, anything is possible.

First, go to the car and connect your mobile phone to the access point on the car. Then, using the app, go to ‘Settings’ and select ‘Cancel VIN Registration’,” the company instructs concerned owners on its blog. “Once all paired devices are unpaired, the Wi-Fi module will effectively go to sleep. It cannot be powered up again until the car key remote is pressed ten times. A nice security feature.

“This has the side effect of rendering the mobile app useless, but at least it fixes the security problem,” it continues. 

For a mid-term fix, it suggests Mitsubishi rolls out a new firmware update to the car, and for longer-term fixes, a switch to the same cellular-style telematics systems used by other automakers is strongly advocated. And while the risk to Outlander Plug-in Hybrids in the wild will depend somewhat on where you live and where you keep your car at night, we’d advocate disconnecting from the app as suggested until a more permanent fix is devised.

As for Mitsubishi? We reached out to Mitsubishi UK this morning for comment, and the following statement was sent return of mail.

  •     This hacking is a first for us as none other has been reported anywhere else in the world
  •     We take this matter very seriously and are very much willing to initiate a dialogue between Mr. Munro’s team and our own specialists in Japan to better understand & solve the issue
  •    Whilst obviously disturbing, this hacking only affects the car’s app, therefore with limited effect to the vehicle (alarm, charging, heating) – it should be noted that without the remote control device, the car cannot be started and driven away.
  •     At this early stage, until further technical investigation, we would recommend our customers to deactivate the WiFi using the ‘Cancel VIN Registration’ option on the app, or by using the remote app cancellation procedure

While Mitsubishi hasn’t yet launched the Outlander PHEV in the U.S., it’s an extremely popular car in Europe, where it has outsold the Nissan LEAF in some countries.

Do you have a Mitsubishi Outlander PHEV? Does this news concern you? Or do you not use the app anyway? And how do you feel Mitsubishi should handle the situation moving forward?

Leave your thoughts in the Comments below.


Want to keep up with the latest news in evolving transport? Don’t forget to follow Transport Evolved on Twitter, like us on Facebook and G+, and subscribe to our YouTube channel.

You can also support us directly as a monthly supporting member by visiting

Share on FacebookTweet about this on TwitterShare on Google+Share on LinkedInDigg thisShare on RedditEmail this to someonePin on Pinterest

Related News

  • Martin Lacey


  • KIMS

    Funny how they respond so quickly to media, but did not show the same interest when the team originally approach them prior to making this information public.

    I also like how they try to downplay how serious it is.

  • CDspeed

    If this were Tesla it would be on every news site across the internet, and call their quality into question. But because it’s just Mitsubishi, this is the first I’ve heard about this.

    • Well, the story only broke yesterday, so we covered it the same day… 🙂

      • Joe Viocoe

        Still doubt it would get much traction in the days to come. Tesla tends to stay in the news.

  • vdiv

    I’ll take it with the flaw and let insurance deal with its disappearance 😉

  • Brock Nanson

    It’s perhaps somewhat disingenuous to include Tesla in the list of ‘hacked cars’. Correct me if I’m wrong, but wasn’t it necessary to physically connect to the car first? And even then, the black hat gained very little… doors, windows, suspension and the ability to shut the car down ‘at low speed’. The vulnerability was patched almost instantly and as far as I know, it didn’t allow the car to be driven away. A thief would find it easier to hotwire a regular car. This perhaps illustrates the Silicon Valley approach to Tesla’s cars – they have more than a vague understanding of digital security.

    A good article on this is here:

  • richard butler

    Nikki, this reads more like Clickbait than your usualy sensible interpretation of technobable into layperson speak.

    I am an independant I.T. contractor/consultant, I design, install and support servers, networks and firewalls for customers.
    I got my Outlander PHEV exactly one year ago.

    From what I’ve seen so far, all that the man from “Pen Testing” has shown is that the app does not use any security, instead it relies on the SSID and WPA2 pre-shared key, each of which are unique for each car, but the password is only 8 or 9 or 10 Alpha numberic digits (I will need to find the bit of paper in the owners manual) so there are only a limited number of combinations. (similar to the number of grains of sand in the sandpit at a kiddies playground)

    The app then uses standard TCP/IP to talk some proprietory language to the car, which Pen Testing have managed to “snoop” on the packets, probably by pushing the button on the app and seeing what passes over the network, and then replaying them later, just like the app does.
    On my phone app, I don’t see an option to disable the alarm, so I guess Pen testing have experimented by making up their own commands to send to the car to see what happens, and they must have found one that turns the alarm off.
    No where have I seen anything that says they can lock or unlock the doors, program a new key, start the car, or anything else as worrying as the first part of your item suggests. And nothing about locating the car.

    Last year, when I was looking at which “green car” I was going to buy, I was a bit disappointed that Mitsubishi had chosen to do the phone app “on the cheap” by putting a WiFi access point in the car insted of doing the full 3G stuff and having some central servers.
    The Pen Testing man suggests that is a better way to go, but l last year Nissan demonstrated how badly that could be done, when anyone could read the VIN number through the windscreen, and manually create a URL that allowed them to do stuff to any leaf on the planet.
    good job that has been fixed now!

    I only use the outlander app for one function, in winter, if I’m going to visit a customer that morning, and there is ice on the car. I push the button to clear the windows before I go in the shower.
    This security issue hasn’t worried me enought that I need to turn the WiFi off yet. But I might change the SSID to something prettier.

    While this security issue does deserve to be looked at, and perhaps Mitsubishi need to do an update to make the key stronger, so it takes weeks or months to crack instead of days, I don’t believe it is anywhere as bad as your item makes it out to be.
    (number of grains of sand on a beach? or a coast line? or stars in the universe?)

    Your item is even more frightening than the dumbed down version that the daily mail did for their readers.

    I think one of my favorite technical web sites explained it quite well
    becuase it does say after being parked next to the card for 4 days, in a camper van, with a decent internet connection, and only a few thousand pounds worth of equipment, and 10 years of hacking experience, they can turn the alarm off.
    you still need a brick to go through the window, or a crow bar to get into the car, and you still can’t drive it away, not until someone else works out something like how they used the ODBC port to program a new key like they did with the BMWs 10 years ago, which they fixed 5 years ago.

Content Copyright (c) 2016 Transport Evolved LLC