The Mitsubishi Outlander Is Totally Hackable
And the SUV's app integration means a computer could track them from anywhere
Researchers have found that yet another vehicle—this time, the Mitsubishi Outlander, a plug-in electric hybrid (or PHEV)—is terribly vulnerable to hackers.
It’s thanks to the fact that the car is designed to interact with a user’s iPhone or Android app to accomplish some basic functions, like disabling a wailing alarm. This interaction is based on a ten-digit code that Pen Test Partners, a cybersecurity research firm, was able to figure out after four days of systemized guessing, though they say it would take far less time with more computing power. Once they’d connected with the car, researchers were able to easily disable its alarm.
And it doesn’t stop there. Because each car contains its own Wi-Fi access point, and each follows a specific standard pattern for their assigned SSIDs—a unique identifier for a Wi-Fi network—it’s not hard for a hacker to locate Outlander PHEVs all over the world with sites that visualize SSIDs’ locations. Pen Test Partners were able to successfully guess the locations of other PHEVs, so in theory, enterprising criminals could simply track down an Outlander in order to break in and perhaps steal it.
Ever since researchers disabled a Wired reporter’s Jeep while he was driving on the highway in 2015, reports of car hacking have skyrocketed, prompting warnings from the FBI and congressional calls to study how to improve industry cybersecurity. But that industry seems reluctant to accept it as a real danger. Pen Test Partners said multiple messages to Mitsubishi went unanswered until after the BBC did a story on its findings.
The Outlander PHEV is widely sold in Europe and Asia, but isn’t scheduled to be introduced to the U.S. until 2017, a Mitsubishi representative told Vocativ. When asked whether the company would address the cybersecurity flaws Pen Test Partners found, the representative said “I really have no idea.”