Serious cyber-security flaws uncovered in Ford and Volkswagen cars
Connected vehicles produced by both Ford and Volkswagen have serious security flaws which could allow them to be hacked, according to a Which? investigation.
The consumer group said that connected tech features of the Ford Focus Titanium Automatic 1.0L petrol and a Volkswagen Polo SEL TSI Manual 1.0L petrol – the latest models of two of the most popular cars in Europe – were vulnerable.
Which? warned that the cars could put motorists’ personal data and even safety at risk. It said the lack of “any meaningful regulation” for on-board tech in the motor industry allows manufacturers to be “careless with security”.
It added that while its investigation focused on the Focus and Polo, it is concerned that these issues could be widespread throughout the industry.
The investigation showed that the 'infotainment' unit in the Volkswagen Polo, part of the car’s ‘central nervous system’, was vulnerable to cyber-attack.
The vulnerability was found in a section of the car that can enable or disable traction control – a feature that helps drivers to keep control of the vehicle in treacherous conditions.
The infotainment unit could potentially also hold a wealth of personal data, such as phone contacts or location history, if the user has synced their smartphone with the unit.
The researchers were also concerned that simply lifting the VW badge on the front of the car gave access to the front radar module, which could potentially allow a hacker to tamper with the collision-warning system.
Using basic equipment, the experts were able to intercept messages sent by the tyre pressure monitoring system on the Ford Focus, making it possible for an attacker to trick the system into displaying flat tyres as fully inflated and vice versa, thus posing a safety risk.
The experts at Which? said that on examining Ford’s code, they found that it included Wi-Fi details and a password that appeared to be for the computer systems on Ford’s production line.
A scan to locate where the network was based confirmed it was at the Ford assembly plant in Detroit, Michigan, US.
The investigation also raised concerns about how much data cars are generating about their owners and how this information is being stored, shared and used.
Lisa Barber, editor of Which? magazine, said: “Most cars now contain powerful computer systems, yet a glaring lack of regulation of these systems means they could be left wide open to attack by hackers, putting drivers’ safety and personal data at risk.
“The Government should be working to ensure that appropriate security is built into the design of cars and put an end to a deeply flawed system of manufacturers marking their own homework on tech security.”
Ford – who refused to see the full reports – responded to the Which? investigation by saying that it takes “cyber security seriously by consistently working to mitigate the risk”.
It added: “Customer data is used for valued connected services, such as live traffic, in accordance with published policy.
“In Europe, connected vehicle data, for example location and driver behaviour data, may only be shared with authorised dealers where we have communicated this clearly to our customers and have an appropriate legal basis in place, such as customer consent.
“Where we rely on customer consent, the customer has the right to withdraw that consent at any time.”
Volkswagen said its infotainment system is in a “separate domain of the vehicle and it is not possible to influence other critical control units unnoticed”, but it agreed to analyse the findings with its supplier.
The company added that it does not believe any of the findings pose “any direct risk for the driver or passengers”, with many of the examples requiring access to the car and “very high effort”.
A spokeswoman for the Department for Transport said: “Connected vehicles present major opportunities for road safety, traffic management and a range of innovative industries across the UK.
“Safety is paramount and that’s why we are investing more than £250m in safe testing and cyber resilience.”
Last month, computer scientists found that cars from manufacturers including Toyota, Kia, and Hyundai have security vulnerabilities in their anti-theft systems.