‘Serious’ security flaws expose popular Ford and VW cars to hackers
It warns that the flaws leave cars exposed to attacks from malicious hackers who could steal data or send misleading information to a vehicle’s management system. And it has accused car makers of being “careless” with security, with no meaningful regulation for on-board technology.
Working with a team of cyber security experts from Context Information Security, Which? examined the computer systems behind the connected technology systems of the cars. They found that they could hack into the Polo’s infotainment unit via a command that disables the traction control system. From there they could access personal data including phone contacts and location history.
They also found that by simply lifting the VW badge on the front of the car, they could access the radar module, which would potentially allow a hacker to tamper with the car’s collision detection safety system.
On the Ford, Which?’s friendly hackers found that using a laptop and a £25 gadget from Amazon they could intercept the tyre pressure monitoring system, potentially allowing them to trick the car’s display to show that tyres were flat when they weren’t or vice versa, a move that could put a driver’s safety at risk.
By hacking into the Focus’s controller area network - the car’s central “brain” - they were also able to find wifi details and a password that appeared to be for the computer system at Ford’s Detroit factory, despite the Focus being built in Europe. They could also access detailed information about the user’s driving habits and location history.
Lisa Barber, Editor of Which? Magazine, said: “Most cars now contain powerful computer systems, yet a glaring lack of regulation of these systems means they could be left wide open to attack by hackers – putting drivers’ safety and personal data at risk.
“The government should be working to ensure that appropriate security is built into the design of cars and put an end to a deeply flawed system of manufacturers marking their own homework on tech security.”
Ford said that the tyre monitoring technology was not unique to Ford and the hack only worked using “easily visible auxiliary antennas”. It added that the personal data was stored with owners’ consent and refused to comment further.
Volkswagen told Which? that the hacked infotainment system was in a “separate domain of the vehicle and it is not possible to influence other critical control units unnoticed”.
It added that none of the findings posed “any direct risk for the driver or passengers”. And said that many of Which?’s scenarios required access to the vehicle and “very high effort”.