Popular connected cars from Ford and Volkswagen could put your security, privacy and safety at risk, Which? finds

Best-selling Ford and Volkswagen cars have serious security flaws which could allow them to be hacked – putting motorists’ personal data and even safety at risk, a Which? investigation has found.

The consumer champion worked with cyber-security experts to thoroughly examine the computer systems behind the connected tech features of the Ford Focus Titanium Automatic 1.0L petrol and a Volkswagen Polo SEL TSI Manual 1.0L petrol – the latest models of two of the most popular cars in Europe.

The results confirmed Which?’s fears that a lack of any meaningful regulation for on-board tech in the motor industry allows manufacturers to be careless with security. While the Focus and Polo were chosen as two of the best-sellers on the market, Which? is concerned that these issues could be widespread throughout the industry.

Which?, with testing partner Context Information Security, was able to hack the Infotainment unit in the Volkswagen Polo, part of the car’s ‘central nervous system’.

The vulnerability was found in a section of the car that can enable or disable traction control – a feature that helps drivers to control the vehicle. The infotainment unit also holds a wealth of personal data, such as people’s phone contacts or location history.

The researchers were also concerned that simply lifting the VW badge on the front of the car gave access to the front radar module, which could potentially allow a hacker to tamper with the collision-warning system.

Using basic equipment, the experts were able to intercept messages sent by the tyre pressure monitoring system on the Focus, making it possible that an attacker could trick the system to display that flat tyres were fully-inflated and vice versa – posing a safety risk.

When Which?’s experts examined the Ford’s code, they were stunned to find it also included wifi details and a password that appeared to be for the computer systems on Ford’s production line. A scan to locate where the network was based confirmed it was at the Ford assembly plant in Detroit, Michigan.

The investigation also raised concerns about how much data cars are generating about their owners and how this information is being stored, shared and used.

The Ford Pass app means the vehicle’s location and travel direction are permitted to be shared at any time, as well as data from the car’s sensors, including warning lights, fluid levels and fuel consumption.

Ford even tracks ‘driving characteristics’, such as speed, acceleration, braking and steering. Its privacy policy states that it can share this information with its ‘authorised dealers and our affiliates’.

The VW app, We Connect, requested a wide range of permissions, including access to ‘confidential information’ in people’s calendar and the contents of USB storage. Its privacy policy states that VW collects data when you use the app – but that it only shares it with third parties when it’s ‘necessary for the purpose of performing a contractual obligation’.

Ford declined to receive Which?’s technical report. Which? believes this shows a worrying disregard for possible issues relating to its customers’ security and safety, but Volkswagen has engaged positively with Which? since the findings were shared.

Which? is concerned that the risk, both financial and to human life, is significant if the serious security vulnerabilities that were found are left unchecked. While there are stringent regulations and standards for car crash safety and exhaust emissions, the same scrutiny isn’t applied to the vital computer systems that run people’s cars. Various bodies, including the UN, are working on a regulation which is planned for 2021 but is only voluntary.

Lisa Barber, Editor of Which? Magazine, said:

“Most cars now contain powerful computer systems, yet a glaring lack of regulation of these systems means they could be left wide open to attack by hackers – putting drivers’ safety and personal data at risk.

“The government should be working to ensure that appropriate security is built into the design of cars and put an end to a deeply flawed system of manufacturers marking their own homework on tech security.”

Top tips for consumers securing your car’s data – second-hand / rentals  

During the investigation, Which? bought an additional VW infotainment unit from eBay that was identical to the one in the Polo. In the process Which? realised there was a large quantity of information on the previous owner, including their phone contacts, their home location – even their home wi-fi details and password.

If you’re buying second-hand, make sure the previous owner deletes their information and also revokes their access rights. The latter is particularly important, as otherwise they could still locate or even unlock the car after selling it. Advice follows below and here is Which?’s video explainer that is available for use: https://youtu.be/e6gmBAn3r00

  1. Wipe your data

If you are selling your connected car and don’t want to leave your data exposed, go to your car’s infotainment unit and look in the Settings menu for controls to erase your account and data. It’s a bit like restoring a phone to factory settings. Check your manual if you can’t find it easily on the unit itself. When you drive it to the dealer, don’t reconnect your smartphone to the car, as otherwise you’ll leave trace information that hasn’t been deleted.

  1. Revoke access

Deleting the car’s app from your phone won’t be enough to remove your access. You need to break the link between you and the vehicle. Again, you’ll need physical access to the infotainment system in order to trigger the master reset key. Follow the instructions on the unit or check the manual to ensure your access is completely revoked before you sell it to the new owner.

  1. Buying a used car

Just as you think about mileage, service history and state of repair when buying a used car, you should also think about data. When buying a car second-hand from a dealer or private seller, ask for evidence that all data has been removed and access rights revoked. Then you won’t have to worry that the previous owner can still track, unlock or even drive away with your new car.

  1. Renting, leasing and car clubs

Chances are that you have plugged in your phone in a rental and seen data on people who’ve used it. So be wary of connecting your phone to a rental or a vehicle from a car club. It’s better to just use the infotainment unit, or solely rely on your smartphone.

Notes to editors

  • A Ford Focus Titanium Automatic 1.0L petrol and a Volkswagen Polo SEL TSI Manual 1.0L petrol were tested. Both were chosen as they are among the most popular cars across Europe.

  • Security experts Context Information Security carried out the tests to see whether the cars could be hacked.

Further background on the research and how connected cars work

  • The car’s ‘nervous system’ refers to the Controller Area Network (CAN). Every connected car has a CAN – a series of cables that are threaded throughout the vehicle. Each CAN acts like the body’s nervous system, ferrying messages to different systems.

  • The car’s ‘brain’ refers to the central gateway which links all of the CAN systems together. The gateway module is responsible for forwarding specific messages from one network to another.

  • The tyres on the Ford Focus, like many other cars’ tyres, are fitted with a tyre-pressure monitoring system (TPMS). Which? found that the Ford Focus’s TPMS works by assigning an ID to each tyre. Using a cheap laptop and a £25 gadget bought from Amazon, Which? was able to intercept the messages being sent from the tyres to the car’s brain.

  • Someone could also intercept messages sent from the tyres to the car’s ‘brain’ to track the driver’s journey around town.

  • Using the Ford Pass app means you agree to share the vehicle’s location and travel direction at any time, as well as data from the car’s sensors, including warning lights, fluid levels, fuel consumption, tyre pressure, vehicle diagnostics and odometer.

  • The VW’s app, We Connect, requested a wide range of permissions, including access to ‘confidential information’ in people’s calendar, the contents of USB storage and the smartphone’s torch.

Rights of reply

Ford 

  • Which? offered to share its full reports with both manufacturers so they could address the issues uncovered. Ford refused the offer.

  • Ford declined to comment on the infotainment system findings.

  • Ford said the TPMS has a very short transmission range ‘unless easily visible auxiliary antennas are constructed’. It also said the technology isn’t unique to Ford and there is no ‘known industry issue with it’.

  • Ford said: ‘Customer data is used for valued connected services, such as live traffic, in accordance with published policy.’ Ford said in its response that ‘In Europe, connected vehicle data, for example location and driver behaviour data, may only be shared with authorised dealers where we have communicated this clearly to our customers and have an appropriate legal basis in place, such as customer consent. Where we rely on customer consent, the customer has the right to withdraw that consent at any time.’

  • Ford said that as Which? hadn’t actually connected to the wi-fi network – and the research team did not connect as it didn’t have permission to do so – it would not comment on a ‘hypothetical outcome’. It refused to discuss the matter further.

  • Ford said it takes ‘cybersecurity seriously by consistently working to mitigate the risk’ – despite declining the offer of Which?’s technical report. It wouldn’t reveal the testing its systems go through, but said it meets voluntary standards, such as those set by security organisation Thatchams and the emerging United Nations framework.

Volkswagen

  • Which? offered to share its full reports with both manufacturers so they could address the issues we uncovered. Volkswagen engaged positively throughout the process.

  • VW told Which? that the infotainment system is in a ‘separate domain of the vehicle and it is not possible to influence other critical control units unnoticed’. However, VW has agreed to analyse Which?’s findings with its infotainment system supplier.

  • VW said that it only processes customer data, including for marketing purposes, based on ‘customer consent’. It said that all the app permissions Which? flagged are justified by functions of the app.

  • VW said it didn’t feel it was necessary to encrypt infotainment data and firmware on its website, but would consider reducing the more extensive information available via the car in ‘future systems’. Which? told VW these should be replaced by modern or secure alternatives, but it claimed it already checks for vulnerabilities.

  • VW told Which? none of the findings pose ‘any direct risk for the driver or passengers’. It also said that many of Which?’s scenarios require access to the vehicle and ‘very high effort’. Adding that it does security-test its cars and ‘findings are managed appropriately on a risk-based approach’.

Press Release