Mitsubishi Motors Corp. said Monday that its Outlander PHEV model has a security loophole that allows hackers to remotely control some of the vehicle’s functions via smartphones.
The Outlander PHEV, a popular plug-in-hybrid SUV model, offers an optional service that lets drivers connect to the vehicle’s Wi-Fi signal using an app on their smartphones to control air conditioning, headlights and the car’s alarm, as well as set a timer to charge the vehicle’s electricity.
Yet British security firm Pen Test Partners discovered the loophole last week, reporting and uploading a video of how it cracked the vehicle’s Wi-Fi key and disabled the car’s theft alarm.
The Tokyo-based automaker admitted that hackers can crack the system and issued a statement Monday, recommending that users stop using the remote control system if they are concerned.
Mitsubishi spokesman Manabu Yamanishi said that because the remote control cannot be used when driving, safety concerns on the road would not be an issue.
Also, he said when the doors are locked, the alarm cannot be disabled.
The company said no actual cases of such hacks have been reported, but it is alerting vehicle owners about the loophole as it is possible that hackers can disable the theft alarm — if the doors are unlocked — potentially aiding in car thefts.
Mitsubishi sold about 100,000 units of the Outlander PHEV worldwide as of March.
Yamanishi said Mitsubishi does not know how many owners of the 100,000 cars purchased the optional remote control service.
Yamanishi said the automaker was working to improve security but offered no details.
Pen Test Partners suggests that users disconnect the Wi-Fi with their cars as a short-term solution while Mitsubishi works on a security upgrade.