Security flaws in Ford and VW in-car computers ‘could pose risk to drivers’
A PAIR of connected cars made by Ford and Volkswagen contain serious security flaws that could allow them to be hacked, according to Which? research.
The consumer group says it uncovered vulnerabilities in the computer system of the Ford Focus Titanium Automatic 1.0L petrol and the Volkswagen Polo SEL TSI Manual 1.0L petrol models.
It warns the issues could put the driver’s security, privacy and safety at risk, and claims a lack of meaningful regulation for on-board technology in the motor industry has allowed manufacturers to be careless with security.
Having only tested two cars, Which? fears similar flaws may be widespread throughout the industry.
Working with Context Information Security, experts were able to hack the infotainment unit, part of the car’s “central nervous system”, inside a Volkswagen Polo.
They claim there is a vulnerability in a section of the car that can enable or disable traction control, which is used to help drivers control their vehicle.
Tests also found the collision warning system was open to tampering because the VW badge on the front of the car could be lifted to access the front radar module.
On the Focus, researchers could use basic equipment to intercept messages sent by the tyre pressure monitoring system, opening it up to a safety hazard if a hacker decided to trick the system to display that flat tyres were fully-inflated.
Within the code used on the Ford vehicle, Which? was able to find wi-fi details and a password that appeared to be for the computer systems on Ford’s production line.
The investigation also raised concerns about the amount of data obtained from vehicle apps that drivers can use to monitor things such as their car’s location or driving characteristics.
Lisa Barber, editor of Which? magazine, said: “Most cars now contain powerful computer systems, yet a glaring lack of regulation of these systems means they could be left wide open to attack by hackers – putting drivers’ safety and personal data at risk.
“The Government should be working to ensure appropriate security is built into the design of cars and put an end to a deeply flawed system of manufacturers marking their own homework on tech security.”
Ford, which refused to see the full reports, responded saying it takes “cybersecurity seriously by consistently working to mitigate the risk”.
It added: “Customer data is used for valued connected services, such as live traffic, in accordance with published policy.
“In Europe, connected vehicle data, for example location and driver behaviour data, may only be shared with authorised dealers.”
Volkswagen said its infotainment system is in a “separate domain of the vehicle and it is not possible to influence other critical control units unnoticed”, but it agreed to analyse the findings with its supplier.