Our snapshot investigation has uncovered high-impact security flaws with two of the UK's bestselling cars - the Ford Focus and VW Polo.
Both were chosen as they are among the most popular cars across Europe. We sent them to security experts Context Information Security to see whether they could be hacked.
There are stringent regulations and standards for car crash safety and exhaust emissions, but the same scrutiny isn't applied to the vital computer systems that run our cars. No regulations or mandatory standard exists for even basic cybersecurity in cars.
Various bodies, including the UN, are working on a voluntary regulation, but this won't come into force until 2021 at the very earliest. Instead, manufacturers have been relied on to get security right. As our investigation proves, this isn't happening to the standard you might expect.
We bought two brand-new cars: a Titanium Automatic 1.0L petrol and a SEL TSI Manual 1.0L petrol. Both were chosen as they are among the most popular cars across Europe. We sent them to security experts Context Information Security.
We won't be releasing any technical details about the hacks, as we don't want criminals to have this information.
As part of a process called 'vulnerability disclosure', we offered to share our full reports with both manufacturers so they could address the issues we uncovered.
Modern cars are controlled by internal nerve systems called Controller Area Networks (CAN). Each CAN carries different signals around the vehicle to control aspects such as steering, braking and entertainment. They should be effectively safeguarded against attack, but it was possible to access a CAN on the Polo.
We found a unique vulnerability in how software updates are delivered to the infotainment unit and we were able to use this to hack it. Our working proof of concept enabled us to tamper with the unit, something that shouldn't be possible with effective security safeguards.
While we weren't able to compromise the Polo's powertrain (which handles all electronic driving controls, such as braking and steering), the infotainment unit can enable or disable the car's traction control (which helps you to control the car), so it could adversely affect your driving if this were done without warning.
It controls other settings, including auto headlights. It also holds a wealth of personal data, such as your phone contacts or location history.
Someone would need temporary access to the car to do the hack, but it would only take five minutes. A criminal could even break into your car without needing to smash a window, using a vulnerability in the Polo's key fob. They could then conduct the hack and get away without leaving a trace.
VW told us that the infotainment system is in a 'separate domain of the vehicle and it is not possible to influence other critical control units unnoticed'. However, it has agreed to analyse our findings with its infotainment system supplier.
Your car is packed with sensors that track various aspects, such as fuel level and tyre pressure. These are controlled by in-car systems that could theoretically be compromised.
The tyres on the Ford Focus, like many other modern car tyres, are fitted with a tyre-pressure monitoring system (TPMS). Using basic equipment, we were able to intercept the messages being sent from the tyres to the car's brain.
Although we couldn't get a working proof of concept, we believe an attacker could use this to pretend that flat tyres were fully inflated, and vice versa, potentially posing a risk to your safety.
Ford said the TPMS has a very short transmission range 'unless easily visible auxiliary antennas are constructed'. It also said the technology isn't unique to Ford and there is no 'known industry issue with it'.
We were able to access a CAN on the Polo simply by lifting up the VW badge on the front, just as Beastie Boys fans discovered back in the 1980s. You can then get to the front radar module, which handles the collision-warning system.
Again, we were unable to create a proof of concept in our testing, but we were concerned that such access could enable someone to tamper with the radar module.
Volkswagen told us there were unnamed 'safety mechanisms' that could continuously monitor the correct functioning of the radar to ensure its functional safety.
While analysing the Ford Focus, we found a set of wi-fi credentials that appeared to be for the computer systems on Ford's production line.
A scan to locate where the wi-fi network was based led us to the Ford assembly plant in Detroit, Michigan. Yes, Ford had revealed its wi-fi details, including its password.
Ford said that as we hadn't actually connected to the wi-fi network (and we didn't as we lacked permission to do so) it would not comment on a 'hypothetical outcome'. It refused to discuss the matter further.
On the Polo, a large amount of information about the infotainment unit was available to access, both in the car and online. In our view, this data does not need to be accessed by just anyone, and it helped us develop our attacks.
VW said it didn't feel it was necessary to encrypt infotainment data and firmware on its website, but would consider reducing the more extensive information available via the car in 'future systems'.
VW had also used third-party software libraries in the infotainment unit that were out of date (by up to eight years) and had known security flaws. We told VW these should be replaced by modern or secure alternatives, but it claimed it already checks for vulnerabilities.
A car can capture vast amounts of data, but most people never think about what actually happens with that information.
For example, using the Ford Pass app means you agree to share a wide variety of data, including your vehicle's location and travel direction, at any time. Ford will even track your 'driving characteristics', such as your speed, acceleration, braking and steering.
Ford said: 'Customer data is used for valued connected services, such as live traffic, in accordance with published policy.'
Also concerning is how much personal data can be collected and stored in our cars.
During our investigation, we bought an additional VW infotainment unit from eBay that was identical to the one in the Polo. We did this to get the firmware for analysis, but in the process we realised there was a large quantity of information on the previous owner, including their phone contacts and their home location - even their home wi-fi details and password.
We deleted this information immediately, but the previous owner had clearly not thought about doing the same.
While there are stringent regulations and standards for car crash safety and exhaust emissions, the same scrutiny isn't applied to the vital computer systems that run our cars.
If you buy a car you're given its crash safety rating by Euro NCAP, but you currently have no way of knowing if a car meets even a basic cybersecurity standard.
Various bodies, including the UN, are working on new connected-car regulations, but these won't come into force until 2021 at the earliest. And even then they won't be mandatory.
Instead, manufacturers have been relied on to get security right. While Ford and Volkswagen have clearly made investments in car security, we were able to expose vulnerabilities in both cars. In such an expensive and high-risk product, this isn't good enough.
VW told us none of our findings pose 'any direct risk for the driver or passengers'. It also said that many of our scenarios require access to the vehicle and 'very high effort', adding that it does security-test its cars and that 'findings are managed appropriately on a risk-based approach'.
Ford said it takes 'cybersecurity seriously by consistently working to mitigate the risk'. It declined the offer of our technical report.
It wouldn't reveal the testing its systems go through, but said it meets voluntary standards, such as those set by the security organisation Thatcham and the emerging United Nations framework.
The Department for Transport, which set up the Centre for Connected and Autonomous Vehicles (CCAV) in 2015, told us: 'Connected vehicles present major opportunities for road safety, traffic management and a range of innovative industries across the UK. Safety is paramount and that's why we are investing more than £250m in safe testing and cyber resilience.'
The DVSA, the government organisation responsible for car safety, declined to provide a comment for publication.