Our snapshot investigation has uncovered high-impact security flaws with two of the UK’s bestselling cars – the Ford Focus and VW Polo.
Both were chosen as they are among the most popular cars across Europe. We sent them to security experts Context Information Security to see whether they could be hacked.
We found a security flaw in the new VW Polo’s infotainment unit system. This system controls the traction control and contains the driver’s personal data
Our tests uncovered Ford’s own wi-fi password in the code of the latest Focus
Ford refused our technical report, which detailed the flaws we found
We also bought a second-hand infotainment unit and discovered the previous owner’s personal details
There are stringent regulations and standards for car crash safety and exhaust emissions, but the same scrutiny isn’t applied to the vital computer systems that run our cars. No regulations or mandatory standard exists for even basic cybersecurity in cars.
Various bodies, including the UN, are working on a voluntary regulation, but this won’t come into force until 2021 at the very earliest. Instead, manufacturers have been relied on to get security right. As our investigation proves, this isn’t happening to the standard you might expect.
Keep reading to find out more about what our investigation uncovered.
Use our free tool to find the genuinely low emission cars available in the UK, as uncovered by our tough emission tests.
Mirror, signal… hacked
We bought two brand-new cars: a Ford Focus Titanium Automatic 1.0L petrol and a Volkswagen Polo SEL TSI Manual 1.0L petrol. Both were chosen as they are among the most popular cars across Europe. We sent them to security experts Context Information Security.
Although more secure than other connected products we’ve examined, such as dodgy wireless cameras, our snapshot test found high impact security flaws with the two cars.
We won’t be releasing any technical details about the hacks, as we don’t want criminals to have this information.
As part of a process called ‘vulnerability disclosure’, we offered to share our full reports with both manufacturers so they could address the issues we uncovered.
- Volkswagen engaged positively with us throughout the process, and continues to do so
- Ford refused our offer.
Every car we review goes through hundreds of our lab and road tests. Only the very best make our shortlist of the top cars for 2020.
Hacking the car’s ‘nervous system’
Modern cars are controlled by internal nerve systems called Controller Area Networks (CAN). Each CAN carries different signals around the vehicle to control aspects such as steering, braking and entertainment. They should be effectively safeguarded against attack, but it was possible to access a CAN on the Polo.
We found a unique vulnerability in how software updates are delivered to the infotainment unit and we were able to use this to hack it. Our working proof of concept enabled us to tamper with the unit, something that shouldn’t be possible with effective security safeguards.
While we weren’t able to compromise the Polo’s powertrain (which handles all electronic driving controls, such as braking and steering), the infotainment unit can enable or disable the car’s traction control (which helps you to control the car), so could adversely affect your driving if it was done without warning.
It controls other settings, including auto headlights. It also holds a wealth of personal data, such as your phone contacts or location history.
Someone would need temporary access to the car to do the hack, but it would only take five minutes. A criminal could even break into your car without needing to smash a window using a vulnerability with the Polo’s car key fob. They could then conduct the hack and get away without leaving a trace.
VW told us that the infotainment system is in a ‘separate domain of the vehicle and it is not possible to influence other critical control units unnoticed’. However, it has agreed to analyse our findings with its infotainment system supplier.
Accessing critical car sensors
Your car is packed with sensors that track various aspects, such as fuel level and tyre pressure. These are controlled by in-car systems that could theoretically be compromised.
The tyres on the Ford Focus, like many other modern car tyres, are fitted with a tyre-pressure monitoring system (TPMS). Using basic equipment, we were able to intercept the messages being sent from the tyres to the car’s brain.
Although we couldn’t get a working proof of concept, we believe an attacker could use this to pretend that flat tyres were fully inflated, and vice versa, potentially posing a risk to your safety.
Ford said the TPMS has a very short transmission range ‘unless easily visible auxiliary antennas are constructed’. It also said the technology isn’t unique to Ford and there is no ‘known industry issue with it’.
We were able to access a CAN on the Polo simply by lifting up the VW badge on the front, just as Beastie Boys fans discovered back in the 1980s. You can then get to the front radar module, which handles the collision-warning system.
Again, we were unable to create a proof of concept in our testing, but we were concerned that such access could enable someone to tamper with the radar module.
Volkswagen told us there were unnamed ‘safety mechanisms’ that could continuously monitor the correct functioning of the radar to ensure its functional safety.
We know Ford’s wi-fi details
While analysing the Ford Focus, we found a set of wi-fi credentials that appeared to be for the computer systems on Ford’s production line.
A scan to locate where the wi-fi network was based led us to the Ford assembly plant in Detroit, Michigan. Yes, Ford had revealed its wi-fi details, including its password.
Ford said that as we hadn’t actually connected to the wi-fi network (and we didn’t as we lacked permission to do so) it would not comment on a ‘hypothetical outcome’. It refused to discuss the matter further.
We survey thousands of car owners so we can reveal the most reliable cars.
On the Polo, a large amount of information about the infotainment unit was available to access, both in the car and online. In our view, this data does not need to be accessed by just anyone, and it helped us develop our attacks.
VW said it didn’t feel it was necessary to encrypt infotainment data and firmware on its website, but would consider reducing the more extensive information available via the car in ‘future systems’.
VW had also used third-party software libraries in the infotainment unit that were out of date (by up to eight years) and had known security flaws. We told VW these should be replaced by modern or secure alternatives, but it claimed it already checks for vulnerabilities.
Driving away with your privacy: cars and data
A car can capture vast amounts of data, but most people never think about what actually happens with that information.
For example, using the Ford Pass app means you agree to share a wide variety of data, including your vehicle’s location and travel direction, at any time. Ford will even track your ‘driving characteristics’, such as your speed, acceleration, braking and steering.
Ford said: ‘Customer data is used for valued connected services, such as live traffic, in accordance with published policy.’
Also concerning is how much personal data can be collected and stored in our cars.
During our investigation, we bought an additional VW infotainment unit from eBay that was identical to the one in the Polo. We did this to get the firmware for analysis, but in the process we realised there was a large quantity of information on the previous owner, including their phone contacts and their home location – even their home wi-fi details and password.
We deleted this information immediately, but the previous owner had clearly not thought about doing the same.
Video: how to delete your car data
Shouldn’t connected cars be secure by law?
While there are stringent regulations and standards for car crash safety and exhaust emissions, the same scrutiny isn’t applied to the vital computer systems that run our cars.
If you buy a car you’re given its crash safety rating by Euro NCAP, but you currently have no way of knowing if a car meets even a basic cybersecurity standard.
Various bodies, including the UN, are working on new connected car regulations, but this won’t come into force until 2021 at the earliest. And even then it won’t be mandatory.
Instead, manufacturers have been relied on to get security right. While Ford and Volkswagen have clearly made investments in car security, we were able to expose vulnerabilities in both cars. In such an expensive and high-risk product, this isn’t good enough.
VW told us none of our findings pose ‘any direct risk for the driver or passengers’. It also said that many of our scenarios require access to the vehicle and ‘very high effort’. Adding that it does security-test its cars and ‘findings are managed appropriately on a risk-based approach’.
Ford said it takes ‘cybersecurity seriously by consistently working to mitigate the risk’. It declined the offer of our technical report.
It wouldn’t reveal the testing its systems go through, but said it meets voluntary standards, such as those set by security organisation Thatchams and the emerging United Nations framework.
The Department for Transport, which set up the Centre for Connected and Autonomous Vehicles (CCAV) in 2015, told us: ‘Connected vehicles present major opportunities for road safety, traffic management and a range of innovative industries across the UK. Safety is paramount and that’s why we are investing more than £250m in safe testing and cyber resilience.’
The DVSA, the government organisation responsible for car safety, declined to provide a comment for publication.
How a connected car works
- CAN: Every connected car has a Controller Area Network (CAN) – a series of cables that are threaded throughout the vehicle. Each CAN acts like the body’s nervous system, ferrying messages to different systems.
- POWERTRAIN: Modern vehicles have multiple CAN – the Ford Focus has seven. But the most critical CAN is always the powertrain. The powertrain handles electronic driving controls, such as braking, steering, clutch and acceleration.
- CENTRAL GATEWAY: The CAN systems are all linked together by the central gateway, which is basically the car’s brain. The gateway module is responsible for forwarding specific messages from one network to another.
- INFOTAINMENT SYSTEM: The infotainment system is the central screen next to the driver, and it’s often the car’s soft underbelly. If compromised, it could enable hackers to target the more critical systems found within the car.
- MOBILE APPS: We increasingly use mobile apps on smartphones to control our cars. From unlocking doors to monitoring sensors and even turning on the heater from the comfort of your own home, an app lets you control your car from afar.
Don’t even think about buying a car until you’ve checked what our tests reveal in our new and used car reviews.