The Mitsubishi Outlander Hybrid Is Hackable Over WiFi

Mitsubishi may have needed to cut some corners recently, but one odd decision the nice folks of the diamond-star made has left a huge security hole. The 2016 Mitsubishi Outlander PHEV plug-in hybrid’s mobile app talks to the car over regular WiFi, and security researchers found that to be a big problem.


It’s an odd way of connecting a mobile app to a car. Most carmakers have mobile apps that talk to a server on the internet, and the car receives the data and instructions from the server via a GSM module providing a cellular signal.


Mitsubishi is using WiFi for their mobile app to communicate with the car, which eliminates the need for an intermediary server and cellular service for the car, but would limit the range of control to just standard WiFi range, which isn’t really all that much.

Pen Test Partners spent some time with the Outlander after noting the unusual method used to connect the car and the app, and got some alarming results.

In addition to the low range, the WiFi solution doesn’t offer much in the way of security. The key to the car’s WiFi network is on a bit of paper in the car’s glovebox, and the WiFi signals can be intercepted and recorded without much effort.

The WiFi key itself is fairly easy to crack: the Pen Test team cracked it on a relatively modest computer in just a couple of days. They determined that cracking the key should take anywhere between one and four days on modest hardware.

By eavesdropping on the signals between the app and the car, they found a relatively straightforward messaging protocol. They also found that the IP address was static, and were soon able to turn lights on and off and control the HVAC system.


Eventually, and most unsettling, they were able to defeat the car’s alarm system remotely. Also unsettling was Mitsubishi’s initial response to the story:

Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest. We were a bit stumped at this point: As so often happens, the vendor takes no interest and public disclosure becomes an ethical dilemma.

So, we involved the BBC who helped us get their attention. Mitsubishi have since been very responsive to us! They are taking the issue very seriously at the highest levels.

A medium term fix is being worked on now.

The convenience of a mobile app that can access a car’s features is great, and part of me respects Mitsubishi’s clever but flawed attempt to make a cheaper remote-access car app solution without having to deal with a cellular module. But if they’re going to do this kind of thing, they need to take the security seriously.


I’m sure at some point carmakers will finally start taking electronic car security seriously, but it doesn’t appear we’re quite there yet.

(Thanks, Jesse!)

Senior Editor, Jalopnik



I’m honestly surprised that Chevy keeps touting how all their cars have wifi when “hacking cars” is such a hot button issue right now. I imagine having that wifi makes it 100x easier for some random computer geek to access your car remotely.

PS: I absolutely despise all the "focus group" Chevy commercials right now. Clearly not a single one of those people has ever seen a nice car before or has an IQ over 70.