Best-selling Ford and Volkswagen cars have serious security flaws which could allow them to be hacked – putting motorists’ personal data and even safety at risk, a Which? investigation has found. Many of the data breaches are a clear indication that Ford and VW could be prosecuted under existing GDPR laws, and there’s no doubt that security is far too lax when a car’s radar sensor can be tampered with just by removing a badge at the front of the car.
The probe will confirm what many drivers fear – driverless cars could be remotely controlled somehow by malicious individuals or organisations in the future. As irrational as that sounds, the car industry needs to tighten security and make it much harder for drivers to actually ‘login’ behind the wheel.
For insurers, the Which? report highlights how easily a hacker could identify various aspects of a driver’s lifestyle, their in-car password, location and more – and how that poor data security could open the door for those wishing to impersonate that driver for material gain.
The consumer champion worked with cyber-security experts to thoroughly examine the computer systems behind the connected tech features of the Ford Focus Titanium Automatic 1.0L petrol and a Volkswagen Polo SEL TSI Manual 1.0L petrol – the latest models of two of the most popular cars in Europe.
The results confirmed Which?’s fears that a lack of any meaningful regulation for on-board tech in the motor industry allows manufacturers to be careless with security. While the Focus and Polo were chosen as two of the best-sellers on the market, Which? is concerned that these issues could be widespread throughout the industry.
Which?, with testing partner Context Information Security, was able to hack the infotainment unit in the Volkswagen Polo, part of the car’s ‘central nervous system’.
The vulnerability was found in a section of the car that can enable or disable traction control – a feature that helps drivers to control the vehicle. The infotainment unit also holds a wealth of personal data, such as people’s phone contacts or location history.
The researchers were also concerned that simply lifting the VW badge on the front of the car gave access to the front radar module, which could potentially allow a hacker to tamper with the collision-warning system.
Using basic equipment, the experts were able to intercept messages sent by the tyre pressure monitoring system on the Focus, making it possible that an attacker could trick the system to display that flat tyres were fully-inflated and vice versa – posing a safety risk.
When Which?’s experts examined the Ford’s code, they were stunned to find it also included wi-fi details and a password that appeared to be for the computer systems on Ford’s production line. A scan to locate where the network was based confirmed it was at the Ford assembly plant in Detroit, Michigan.
The investigation also raised concerns about how much data cars are generating about their owners and how this information is being stored, shared and used.
The Ford Pass app means the vehicle’s location and travel direction are permitted to be shared at any time, as well as data from the car’s sensors, including warning lights, fluid levels and fuel consumption.
Ford declined to receive Which?’s technical report. Which? believes this shows a worrying disregard for possible issues relating to its customers’ security and safety, but Volkswagen has engaged positively with Which? since the findings were shared.
Which? is concerned that the risk, both financial and to human life, is significant if the serious security vulnerabilities that were found are left unchecked. While there are stringent regulations and standards for car crash safety and exhaust emissions, the same scrutiny isn’t applied to the vital computer systems that run people’s cars. Various bodies, including the UN, are working on a regulation which is planned for 2021 but is only voluntary.
Lisa Barber, Editor of Which? Magazine, said:
“Most cars now contain powerful computer systems, yet a glaring lack of regulation of these systems means they could be left wide open to attack by hackers – putting drivers’ safety and personal data at risk.
“The government should be working to ensure that appropriate security is built into the design of cars and put an end to a deeply flawed system of manufacturers marking their own homework on tech security.”
Top tips for consumers: securing your car’s data – second-hand / rentals
During the investigation, Which? bought an additional VW infotainment unit from eBay that was identical to the one in the Polo. In the process Which? realised there was a large quantity of information on the previous owner, including their phone contacts, their home location – even their home wi-fi details and password.
If you’re buying second-hand, make sure the previous owner deletes their information and also revokes their access rights. The latter is particularly important, as otherwise they could still locate or even unlock the car after selling it. Advice follows below, and Which?’s video explainer is available here: https://youtu.be/e6gmBAn3r00
Wipe your data
If you are selling your connected car and don’t want to leave your data exposed, go to your car’s infotainment unit and look in the Settings menu for controls to erase your account and data. It’s a bit like restoring a phone to factory settings. Check your manual if you can’t find it easily on the unit itself. When you drive it to the dealer, don’t reconnect your smartphone to the car, as otherwise you’ll leave trace information that hasn’t been deleted.
Deleting the car’s app from your phone won’t be enough to remove your access. You need to break the link between you and the vehicle. Again, you’ll need physical access to the infotainment system in order to trigger the master reset key. Follow the instructions on the unit or check the manual to ensure your access is completely revoked before you sell it to the new owner.
Buying a used car
Just as you think about mileage, service history and state of repair when buying a used car, you should also think about data. When buying a car second-hand from a dealer or private seller, ask for evidence that all data has been removed and access rights revoked. Then you won’t have to worry that the previous owner can still track, unlock or even drive away with your new car.
Renting, leasing and car clubs
Chances are that you have plugged in your phone in a rental and seen data on people who’ve used it. So be wary of connecting your phone to a rental or a vehicle from a car club. It’s better to just use the infotainment unit, or solely rely on your smartphone.