Popular Ford and VW cars found to have ‘serious security flaws’ with their connected systems putting personal data and safety at risk
- Ford Focus and VW Polo connected technology breached during investigation. - Which? remotely accessed safety features, such as traction control and tyre pressure warning by infiltrating the systems of both cars. - Hackers were also able to find personal data of owners stored in the systems. - The consumer group called for stricter regulations for connected car security.
The latest cars from best-selling brands Ford and Volkswagen are worryingly susceptible to being hacked, according to a report from a consumer group.
Examples of the current Ford Focus family hatchback and Volkswagen Polo supermini, with connected technology built in were found to have 'serious security flaws' that could be breached.
This could allow criminals to take control while they're being driven and access to owners personal data.
Without meaningful regulations for connected car technology, manufacturers have been allowed to be careless with security, ultimately putting the safety of their customers and their personal information in danger, the investigation found.
The two cars scrutinised were the Ford Focus Titanium Automatic 1.0L petrol and a Volkswagen Polo SEL TSI Manual 1.0L petrol - the latest models of two of the most popular cars in Europe.
Both were fitted with the brands' latest connected technology features, supported by computer systems that control them in the background.
Consumer group Which? teamed up with cyber-security experts to test the security of these systems and how easily they could be hacked if targeted by skilled.
How the Volkswagen performed
Context Information Security, the testing partner brought in for the investigation, was able to hack the Infotainment unit in the Volkswagen Polo, part of the car's 'central nervous system'.
The vulnerability was found in a section of the car that can enable or disable traction control - a feature that's designed to improve grip in slippery conditions that's because a requirement in all new cars on safety grounds.
If a hacker is able to turn this feature off remotely, drivers would be at an increased level of danger, especially when it's wet or there is snow or ice on the road.
The infotainment unit also holds a wealth of personal data, such as people's phone contacts or location history.
The researchers were also concerned that simply lifting the VW badge on the front of the car gave access to the front radar module, which could potentially allow a hacker to tamper with the collision-warning system.
Which? also bought an additional VW infotainment unit from eBay that was identical to the one in the Polo.
It found a large storage of information on the previous owner, including their phone contacts, their home location – and even their home wi-fi details and password.
The Ford Focus also proved easy to infiltrate
Turning attention to Ford's volume-selling Focus, traditionally one of the best-selling family cars in the UK for 20 years, the expert hackers were able to intercept the tyre pressure monitoring system using basic equipment.
This would allow a cyber attacker to trick the system to display that flat tyres were fully-inflated and vice versa - again posing a safety risk for the user.
When Which?'s experts examined the Ford's code, they were stunned to find it also included wi-fi details and a password that appeared to be for the computer systems on Ford's production line.
A scan to locate where the network was based confirmed it was at the Ford assembly plant in Detroit, Michigan.
The latest cars are holding more data than you think
The investigation also raised concerns about how much data cars are generating about their owners and how this information is being stored, shared and used.
The Ford Pass app means the vehicle's location and travel direction are permitted to be shared at any time, as well as data from the car's sensors, including warning lights, fluid levels and fuel consumption.
The VW app, We Connect, requested a wide range of permissions, including access to 'confidential information' in people's calendar and the contents of USB storage.
While the Focus and Polo were chosen as two of the best-sellers on the market, Which? said the findings have raised serious concerns for the entire industry.
Ford declined to receive Which?'s technical report.
Which? said it believed that such actions showed 'a worrying disregard for possible issues relating to its customers' security and safety'.
However, Volkswagen engaged positively with Which? after it share the findings of the investigation with the German car maker.
Lisa Barber, editor of Which? Magazine, said it is concerned that the risk to both human life and financial information and that 'stringent regulations and standards' were needed for the computer systems powering connected technology.
'Most cars now contain powerful computer systems, yet a glaring lack of regulation of these systems means they could be left wide open to attack by hackers - putting drivers' safety and personal data at risk,' she said.
'The government should be working to ensure that appropriate security is built into the design of cars and put an end to a deeply flawed system of manufacturers marking their own homework on tech security.'
Various bodies, including the UN, are working on a regulation which is planned for 2021 but is only voluntary.
The 9 precautions you should take to safeguard your data in cars
1. Add a password for your Wi-Fi - and one that hasn't been hacked before
If your car has its own WiFi connection, create your own password as soon as possible; previous hacks, including the case of the Jeep Cherokee, was made possible by the weak default WiFi password supplied by the manufacturer.
There was also a more recent case of a criminal - named L&M - who was able to monitor the locations and switch off the engines of thousands of vehicles in South Africa, Morocco, India and the Philippines.
These vehicles were all fitted with tracking devices that had a pre-set password of '123456', which many users had failed to change.
Using reused or easy to guess passwords makes a cyber criminal’s job far easier. But there are ways to find out if a password is more or less likely to be guessed by criminals.
For example, pwndpasswords has a database of over 500 million passwords that have been previously exposed in data breaches. It’s safe to say that these passwords are being reused by attackers.
It's good practice to create unique passwords which have a mix of random numbers and letters, include capitals and symbols, and don’t relate to you personally.
There are also random password generators online if you’re struggling for inspiration.
Pwned is one of the website that allows you to check if a password you use has been breached previously.
2. Use a garage and mechanic you trust
Always use a trusted and qualified mechanic for your MOT, service and repairs.
As part of routine checks, mechanics will plug a device into the On-Board Diagnostic (ODB) port to check for any fault or diagnostic codes which need to be resolved.
However, this access could be used for malicious reasons, such as programming your electronic brake sensor to trigger early, lowering the life of your brake pads and meaning more trips (and bills) at the garage.
If you’re unsure, look-up a garage in your area which is part of the Good Garage Scheme – a signal they perform services to a strict Code of Conduct.
3. Utilise the vehicle maker's security software updates as quickly as possible
Watch out for software updates – also known as 'patches' – from your vehicle’s manufacturer, which could include enhanced security features to protect you from newly identified threats.
Make sure you’re subscribed to manufacturer alerts and act quickly if you get notified of an update – all you normally need to do is enter your Vehicle Identification Number (VIN), a 17-digit number stamped into the car’s chassis.
4. Recognise that phone apps could be a threat
Keeping your phone applications - especially those linked to your motor, like Apple CarPlay and Android Auto - up to date is also key.
Any app that control functions in your car should have the most up-to-date security release.
A recent study in June found that 76 per cent of mobile applications have security flaws, so choose the ones you download wisely.
If you're really concerned, consider opting out from these apps completely.
5. Disconnect your car from your home hub
Having your car connected to your smart home hub can have its perks. For instance, driving home on a winter's evening and being able to turn the heating on in your property from the driver's seat so it's nice and toasty when you walk through the front door.
However, experts have warned that some devices linked to home hubs - especially small devices in the house - have basic security systems that hackers can infiltrate and use to access other products, like your car, that are connected to the same hub device.
In an interview with This is Money, cyber-hack guru Tony Dyhouse, director of Trustworthy Software Initiative, warned: 'If there is a path from the car to a smart hub linked to a variety of devices, there is also a path in the opposite direction.
'That means there’s opportunity to hack any device within the entire network by using the signal as a portal.
'The more devices you add results in an exponential increase in risk. Ultimately, someone online could unlock your car doors and start the engine by hacking into your smart kettle.'
6. Wipe your data before you sell the car
If you are selling your connected car and don’t want to leave your data exposed, go to your car’s infotainment unit and look in the Settings menu for controls to erase your account and data.
It’s a bit like restoring a phone to factory settings. Check your manual if you can’t find it easily on the unit itself.
When you drive it to the dealer, don’t reconnect your smartphone to the car, as otherwise you’ll leave trace information that hasn’t been deleted.
7. Revoke access from your phone so data can't be accessed
Deleting the car’s app from your phone won’t be enough to remove your access. You need to break the link between you and the vehicle.
Again, you’ll need physical access to the infotainment system in order to trigger the master reset key.
Follow the instructions on the unit or check the manual to ensure your access is completely revoked before you sell it to the new owner.
8. If you're buying a second-hand car, make sure it can't be tracked by the previous keeper
Just as you think about mileage, service history and state of repair when buying a used car, you should also think about data.
When buying a car second-hand from a dealer or private seller, ask for evidence that all data has been removed and access rights revoked.
Then you won’t have to worry that the previous owner can still track, unlock or even drive away with your new car.
9. Beware: Rental and Car Club vehicles could also be storing your information if you connect your phone
Chances are that you have plugged in your phone in a rental and seen data on people who’ve used it. So be wary of connecting your phone to a rental or a vehicle from a car club.
It’s better to just use the infotainment unit, or solely rely on your smartphone.