Your Mitsubishi May be Vulnerable to Hackers
(CBS NEWS) Mitsubishi owners, beware: One popular model has a "shocking" flaw that can allow hackers to disable its alarms and allow thieves to steal the vehicles.
The problem affects Mitsubishi's Outlander hybrid SUV, a popular model. The flaw was discovered by security firm Pen Test Partners, which bought one of the vehicles to test its wifi system. A security consultant for Pen Test, Ken Munro, had noticed a friend's Mitsubishi popped up on his smartphone as a local wifi access point. Munro told the BBC his friend showed him how he used an app for some of the car's controls, which piqued his interest in the car and the security of its wifi service.
The hole in the Mitsubishi SUV's security is in how it connects to an owner's mobile phone. Most apps, which can be used for tasks such as unlocking a car remotely or locating it, link to a vehicle using a separate web service. In Mitsubishi's case, the car's onboard wifi connects directly to the app, which makes it more vulnerable to hackers.
The system also has other security shortcomings, such as an easy-to-crack wifi key, according to Pen Test, which was able to gain control of the car's lights, alarm system, and air conditioning and heating.
The security flaw is the latest to be discovered affecting the so-called internet of things, in which products like home appliances and toys, as well as cars, are hooked up to the global network. Many of these devices have been found to include vulnerabilities that could allow hackers to disable home security systems, for instance, or in the case of Mitsubishi's hybrid Outlander, the car alarm.
"If professional researchers are finding this, then equally hackers will also find these weaknesses," Mark Skilton, a professor at Warwick Business School and cyber security researcher, said in an emailed statement. "Cars are increasingly having on-board connectivity to the Internet beyond just entertainment and to the operation of the car itself. But, while access to email and websites is one thing, access to mission-critical systems in any situation -- be it a building, operating theater or transport vehicle -- is a whole different set of risk and security issues."
Outlander Hybrid owners should unpair any mobile device that has been connected to their car, the Pen Test researchers advised. That requires connecting your mobile phone to the car's access point. Then go to "settings" and select "cancel VIN registration." The wifi module will go to sleep once all the paired devices are unlinked.
In a statement emailed to CBS MoneyWatch, Mitsubishi echoed Pen Test's recommendation to disable the car's wifi. It said that it is investigating the issue.
"This is the first reported incident of hacking involving any Mitsubishi vehicle to date," the statement said. "To be clear, the subject hacking has no effect on the ability of the consumer to safely start and drive the vehicle."
The automaker added, "This hack only pertains to the smartphone app and has limited actual impact on the vehicle itself. This app can only control the vehicle alarm, the HVAC system, the lights, and the battery charging schedule. While this app also monitors the status of the vehicle's doors and hood (open/closed), it cannot lock or unlock them."
Pen Test said it went public after receiving lackluster interest from the automaker.
"Initial attempts by us to disclose privately to Mitsubishi were greeted with disinterest," Pen Test said in a blog post explaining its findings. "We were a bit stumped at this point: As so often happens, the vendor takes no interest and public disclosure becomes an ethical dilemma."
Pen Test said it's not disclosing information that can disable the car alarm, but it plans to do so in about a week to give owners a chance to disable the car's wifi access point.