The Mitsubishi Outlander, a plug-in hybrid vehicle with an electric motor and petrol engine, can easily be hacked through a smartphone app intended to help owners pre-heat the cabin and manage its charging schedule.
The app connects to the car over its Wi-Fi network, and not via a mobile connection to the manufacturer's server, as is the case with other connected vehicles. This, and its relatively simple default password, makes it easy to hack, according to security researchers from Pen Test Partners.
Security expert Ken Munro discovered the poor security after spotting the Wi-Fi network of a nearby Mitsubishi Outlander appear on his smartphone.
He bought an Outlander to investigate further and found that the car's charging schedule can be tampered with, leaving it with an empty battery. Much worse, however, is that the car's alarm system can be remotely disabled.
Without any physical access to the car, Munro and his team were able to hack the Wi-Fi password in four days using a "relatively slow" computer. Munro said a more powerful computer could have taken one day, while £1,000 worth of cloud computing would have cracked the code "almost instantaneously." Once he had the code, he could use a laptop to interact with the nearby car and send it instructions.
In a video posted to YouTube, Munro demonstrated how he could remotely disable the alarm, then reach in through an open window, unlock the car and get inside. Even if the window were smashed to gain entry, the alarm would not sound. Munro then suggests a thief could start the car by hacking its universal diagnostics port on the dashboard, a common way for modern cars to be stolen.
"This is shocking and should not be possible," Munro said in a blog post on the Pen Test Partners website, adding that he had spoken to Mitsubishi and its UK press office twice about the security vulnerability. "Their response was they didn't think it was an issue, which really perplexes us and that's why we're recording and sharing our findings... we feel Mitsubishi should be taking this a lot more seriously than they have... I really don't think this approach to security is acceptable," Munro added.
However, in an interview with the BBC published three days after presenting his findings to Mitsubishi, Munro said he had been "impressed" with how the car maker was exploring the bug and seeking ways to fix it. The information is also being passed to Mitsubishi engineers in its native Japan. It is understood a fix is now being developed, but in the meantime Munro urges all Outlander owners to unpair the app from their car by switching off 'VIN registration', which sends the car's Wi-Fi network into a sleep mode.