Security expert buys a Mitsubishi Outlander Hybrid to confirm Wi-Fi vulnerability

2016 Mitsubishi Outlander Sport
Connected car security concerns have become and will continue to be “a thing.” The latest issue, and one that deserves immediate notice, is about the Mitsubishi Outlander Hybrid SUV. A British security expert discovered a vulnerability in the Outlander’s onboard Wi-Fi almost by accident while waiting to pick up his kids after school, according to BBC News. As a result of his report and a demo to Mitsubishi, the company has advised owners to disable Wi-Fi in their vehicles until it figures out a fix.

Ken Munro was in his car when he noticed a Wi-Fi access point from a friend’s nearby Outlander. When Munro asked about it his friend explained how the system worked and what he could do with it from his cell phone. Munro tried the app and quickly found a troublesome vulnerability. So he got out of the app immediately.

What Munro did next isn’t what you would likely do, but he promptly bought an Outlander and took it to his company to check out the problem. What may seem like an overly cautious (not to mention expensive) reaction to a Wi-Fi weakness resulted in the manufacturer acknowledging the potential problem and recommending owners stop using Wi-Fi by de-registering their access points.

The issue Munro found was that remote commands sent to the Outlander go directly to the car’s access point, not through a third-party web server, which is the practice with most carmakers. Second, the access point name was distinct and could easily end up on websites that collect and display nearby access points. Munro and his colleagues used unnamed but “well-known techniques that let the researchers interpose themselves between car and owner and watch data as it flowed between the two.”

With access to the car’s system, anyone could flash the lights, drain the battery, and change other settings. The most disturbing finding, however, was the ability to disable the car’s alarm system. This could give thieves a chance to break in to steal the car’s contents, components, and possibly even the car itself.

Related: Driverless cars could be used for assassination, says Attorney General

“This hacking,” Mitsubishi acknowledged in a statement released to BBC News, “is a first for us as no other has been reported anywhere else in the world.” Mitsubishi recommended owners cancel the access point VIN registration via the smartphone app or with the car’s remote.

If you own a Mitsubishi Outlander Hybrid, there are three steps to be followed in order to delete the VIN registration. First, turn on the hazard lights. Second, within 30 seconds, and with the doors closed, press the Lock/Unlock button on the remote 10 times. That will put you in registration delete mode. Wait for the beeping to stop — if the system is registered there will be one beep with an additional beep for each device registered with the access point, so just wait. Then, within 5 minutes, and again with the doors closed and using the car remote, press the Lock/Unlock button 20 times. Those steps will de-register your car’s Wi-Fi system. Then wait until you get word that it’s OK to register it again after Mitsubishi figures out a solution.

This hasn’t been a great year for Mitsubishi with its admission of fuel economy test cheating and resulting slower sales. Hopefully, the company can resolve the Wi-Fi security issue quickly.


Road Rave: Taking the guesswork out of public EV charging stations

Public EV charging stations are in their wild west phase: there are many different companies, variable charging speeds, and different formats. Chargeway wants to make it all easy, and put every charging station on a free app. It just might…
Emerging Tech

Body surrogate robot helps people with motor impairments care for themselves

A team from Georgia Tech has come up with an assistant robot to help people who have severe motor impairments to perform tasks like shaving, brushing their hair, or drinking water.
Movies & TV

The best movies on Netflix in March, from Buster Scruggs to Roma

Save yourself from hours wasted scrolling through Netflix's massive library by checking out our picks for the streamer's best movies available right now, whether you're into explosive action, witty humor, or anything else.

How to find a lost phone, whether it's Android, iPhone, or any other kind

Need to know how to find a lost phone? We have a simple guide right here that will help you to locate your lost or stolen phone using both native and third-party apps and services, whether it’s a smartphone or an older model.

Can electric cars be S3XY? Tesla says yes with the new Model Y crossover

Tesla introduced a crossover named Model Y at its design studio in Los Angeles. It's a more spacious alternative to the Model 3 it shares 75 percent of its parts with, and is a smaller sibling to the Model X.

Adventurous and electric, Porsche’s second station wagon will arrive in 2020

The Mission E Cross Turismo concept Porsche unveiled during the 2018 Geneva Auto Show will morph into a production model tentatively named Taycan Cross Turismo. This 600-horsepower electric station wagon will arrive in showrooms by 2021.

Automakers are spending billions on self-driving technology people are afraid of

Automakers are spending billions of dollars on developing the technology that will power self-driving cars, but research shows consumers have no interest in giving up control. Will they ever recoup their investment?

Mustang-like and electrified. What did Ford just show a preview of?

Ford posted an enigmatic picture of a blue Mustang emblem on a black background right as Tesla prepared to introduce the Model Y. Is the Blue Oval teasing a hybrid Mustang, or is it previewing a Mustang-inspired, battery-powered crossover?

Amazon and Kia team up to simplify EV home-charging station installs

Kia Motors announced a new program with Amazon for electric vehicles. Customers planning to purchase a new Kia EV or PHEV can check out recommended Level 2 240-volt home charging stations and arrange installation in their homes.

Unrestrained by heritage, Polestar sets its sights on becoming a digital brand

With no heritage to worry about, Polestar is free to move full-speed ahead towards its goal of becoming a digital brand. All of the company's upcoming models will be electric, and they will inaugurate an Android-powered infotainment system.

Audi’s traffic light information system shows the challenges facing V2X tech

Audi’s traffic light information system is among the first commercial applications of potentially game-changing V2X tech. So how does it work in the real world? We spent a few days getting stuck at red lights to find out.
Emerging Tech

Awesome Tech You Can’t Buy Yet: Write music with your voice, make homemade cheese

Check out our roundup of the best new crowdfunding projects and product announcements that hit the web this week. You may not be able to buy this stuff yet, but it sure is fun to gawk!

Fisker plans sub-$40,000 electric SUV with 300 miles of range for 2021

Fisker Inc. plans to launch an electric SUV with a base price of under $40,000, and a range of around 300 miles in 2021. The unnamed vehicle could compete with the Tesla Model Y, if it ever gets into production.

Tesla gives us a cryptic look at its cyberpunk, Blade Runner-inspired pickup

Tesla has started designing its long-promised pickup truck. The yet-unnamed model will come with dual-motor all-wheel drive and lots of torque, plus it will be able to park itself. It could make its debut in 2019.