The Mitsubishi Outlander Hybrid PHEV Is Extremely Hackable

Hackers claim to have found a severe vulnerability in the SUV’s smartphone app.

By Aaron Brown | Published Jun 7, 2016 6:30 PM

The issue was brought to light by Pen Test Partners, a firm out of Buckingham, England that specializes in penetration testing and other network security services. Due to a lack of precautionary security measures in the Outlander's smartphone app, the white hat hackers say, it's possible for an unwanted party to turn the car's lights and air conditioning on and off, mess with the car's charging habits, track the locations of Outlanders, and even disable the alarm system.

The blame lies with Mitsubishi's Wi-Fi-based app connection system. PTP says most cars with mobile apps connect to phones using an Internet-based service, which the automaker hosts on separate servers. The Outlander, though, uses a direct Wi-Fi connection between the car and the driver's smartphone. PTP says it believes the carmaker chose that system for cost reasons, but it also makes hacking into the car's systems that much easier.

PTP says concerned Outlander Hybrid owners can protect their cars by disconnecting every phone from the car's Wi-Fi, then canceling the car's registration in the app itself. In the medium-to-long term, though, the hackers say they strongly believe Mitsubishi should step in and provide a better fix.

In response to these concerns, Mitsubishi issued the following statement to The Drive, suggesting that any worried owners should follow the instructions outlined by PTP.

Mitsubishi Motors is focused on the safety and security of its vehicles. This is the first reported incident of hacking involving any Mitsubishi vehicle to date. While Mitsubishi Motors is working diligently to investigate the issue, it is important to clarify that this hack only pertains to the smartphone app and has limited actual impact on the vehicle itself. This app can only control the vehicle alarm, the HVAC system, the lights, and the battery charging schedule. While this app also monitors the status of the vehicle's doors and hood (open/closed), it cannot lock or unlock them.


To be clear, the subject hacking has no effect on the ability of the consumer to safely start and drive the vehicle. Further, the vehicle's immobilizer is unaffected. Accordingly, while the vehicle alarm could be turned off, the vehicle would remain locked and the car could not be started without the smart key remote control device.


While Mitsubishi Motors investigates this issue, it is recommending that any customer who is concerned about this issue should deactivate the vehicle’s WiFi using the ‘Cancel VIN Registration’ option found in the app, or by using the remote app cancellation procedure found in the vehicle’s Multi Communication System.

Mitsubishi did not make clear whether this issue will delay the U.S. launch of the 2017 Outlander Hybrid. For now, the SUV is expected to arrive at dealers in the fall.