The Mitsubishi Outlander PHEV suffers from a significant loophole that allows hackers to control the car, researchers say, and all they need is a Wi-Fi password.
Security experts Pen Test Partners found that the vulnerabilities in the plug-in hybrid SUV can also be exploited to allow thieves to break into the vehicle and steal it, or to remotely drain its battery.
The loophole stems from a mobile app for the car that communicates with it via a short-range Wi-Fi connection, which eliminates the need for an external server or cellular service.
Wi-Fi password in car's glovebox
According to the researchers, the key to the car’s Wi-Fi network is written on a piece of paper in the car’s glovebox, allowing virtually anybody access to the car’s systems.
In addition, Pen Test Partners claim that even without the password the Wi-Fi signal can be intercepted and recorded with little effort and with relatively simple computer hardware.
Once the hackers have successfully connected to the car’s Wi-Fi they can then access commands that allow them to remotely flash the lights, tweak charging settings and drain the battery.
"Obviously disturbing"
Pen Test Partners say that the car’s alarm system can also be remotely turned off, allowing thieves more time to unlock the car, start it via the diagnostics port and then make off with it.
In a statement, Mitsubishi said that it was taking the matter seriously and added: “This hacking is a first for us as no other has been reported anywhere else in the world.”
It added that although the bug was “obviously disturbing”, the hack itself would give attackers limited access to the vehicle’s systems, with more complex hardware required to actually steal it.
Cars vulnerable to hackers
While the loophole is being investigated, Mitsubishi recommended that PHEV owners deactivate the on-board Wi-Fi via the car’s app or by using a remote app cancellation procedure.
The Outlander PHEV is the latest in a series of cars that have been found vulnerable to hackers, with the Jeep Cherokee, Tesla Model S and Nissan LEAF all found to be vulnerable to hackers.
Last year, security researchers staged a startling cyber-attack on the Jeep, which allowed them to take control of the car remotely and which led to 1.4 million recalls for software updates.
