Security flaws in Ford and VW connected cars could pose risk to drivers – Which?
9 April 2020, 00:04
The consumer group said there is a lack of meaningful regulation for on-board technology in the motor industry.
A pair of connected cars made by Ford and Volkswagen contain serious security flaws which could allow them to be hacked, according to Which? research.
The consumer group says it uncovered vulnerabilities in the computer system of the Ford Focus Titanium Automatic 1.0L petrol and the Volkswagen Polo SEL TSI Manual 1.0L petrol models.
It warns the issues could put the driver’s security, privacy and safety at risk, and claims a lack of meaningful regulation for on-board technology in the motor industry has allowed manufacturers to be careless with security.
Having only tested two cars, Which? fears similar flaws may be widespread throughout the industry.
Working with Context Information Security, experts were able to hack the infotainment unit, part of the car’s “central nervous system”, inside a Volkswagen Polo.
They claim there is a vulnerability in a section of the car that can enable or disable traction control, which is used to help drivers control their vehicle.
Tests also found the collision warning system was open to tampering, as the VW badge on the front of the car could be lifted to access the front radar module.
On the Focus, researchers could use basic equipment to intercept messages sent by the tyre pressure monitoring system, creating a safety hazard if a hacker tricked the system into displaying flat tyres as fully inflated, or vice versa.
Within the code used on the Ford vehicle, Which? was able to find WiFi details and a password that appeared to be for the computer systems on Ford’s production line.
The investigation also raised concerns about the amount of data obtained from vehicle apps that drivers can use to monitor things like their car’s location or driving characteristics.
Lisa Barber, editor of Which? magazine, said: “Most cars now contain powerful computer systems, yet a glaring lack of regulation of these systems means they could be left wide open to attack by hackers – putting drivers’ safety and personal data at risk.
“The Government should be working to ensure that appropriate security is built into the design of cars and put an end to a deeply flawed system of manufacturers marking their own homework on tech security.”
Ford – who refused to see the full reports – responded saying it takes “cybersecurity seriously by consistently working to mitigate the risk”.
It added: “Customer data is used for valued connected services, such as live traffic, in accordance with published policy.
“In Europe, connected vehicle data, for example location and driver behaviour data, may only be shared with authorised dealers where we have communicated this clearly to our customers and have an appropriate legal basis in place, such as customer consent.
“Where we rely on customer consent, the customer has the right to withdraw that consent at any time.”
Volkswagen said its infotainment system is in a “separate domain of the vehicle and it is not possible to influence other critical control units unnoticed”, but it agreed to analyse the findings with its supplier.
The company added that it does not believe any of the findings pose “any direct risk for the driver or passengers”, with many of the examples requiring access to the car and “very high effort”.
A spokeswoman for the Department for Transport said: “Connected vehicles present major opportunities for road safety, traffic management and a range of innovative industries across the UK.
“Safety is paramount and that’s why we are investing more than £250 million in safe testing and cyber resilience.”