By eavesdropping on the traffic between the app and the car, they found a relatively straightforward messaging protocol. They also found that the IP address and port were static (192.168.8.46:8080), and were soon able to turn the lights on and off and control the HVAC system.

Eventually, and most unsettling, they were able to defeat the car’s alarm system remotely. Also unsettling was Mitsubishi’s initial response to the story:

Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest. We were a bit stumped at this point: As so often happens, the vendor takes no interest and public disclosure becomes an ethical dilemma.

So, we involved the BBC who helped us get their attention. Mitsubishi have since been very responsive to us! They are taking the issue very seriously at the highest levels.

A medium term fix is being worked on now.

The convenience of a mobile app that can access a car’s features is great, and part of me respects Mitsubishi’s clever but flawed attempt to make a cheaper remote-access car app solution without having to deal with a cellular module. But if they’re going to do this kind of thing, they need to take the security seriously.

I’m sure at some point carmakers will finally start taking electronic car security seriously, but it doesn’t appear we’re quite there yet.

(Thanks, Jesse!)