Researchers Unveil Critical Cyber-Security Flaws in Ford and VW Cars
Cybersecurity experts teamed up with the consumer advocacy group Which? to uncover major security flaws in Ford Focus and VW Polo cars, raising concerns about their safety, privacy, and overall security.
The Which? report highlights significant cybersecurity issues in connected cars, emphasizing the need for stricter regulations. The study, conducted by Context Information Security at Which?’s request, found severe security, data privacy, and safety problems in two popular European car models.
Researchers examined the Ford Focus Titanium automatic 1.0L petrol and the Volkswagen Polo SEL TSI manual 1.0L petrol. Both models are equipped with cutting-edge consumer car technology. Although these cars were harder to hack than many other connected devices, Context researchers still uncovered weaknesses in their security designs. They even found what they believe to be a Wi-Fi password from a Ford manufacturing plant.
The research focused on various car systems including the infotainment systems, mobile apps, radio frequency systems (like key fobs for entry and ignition), and tire pressure monitoring systems. They also examined the Controller Area Network (CAN) used for communication between different vehicle parts.
For both cars, the researchers found common issues in the firmware of their infotainment systems, such as outdated third-party software libraries and unsafe native code functions. While both systems used electronic signatures to prevent unauthorized code additions, the VW system could be bypassed. The firmware for Ford’s infotainment system exposed full Wi-Fi network credentials used in multiple assembly plants.
When looking at the CAN bus networks, the research showed that Ford uses separate CAN buses with good logical data separation. However, the infotainment unit (Sync) was connected to three separate buses, including the powertrain, meaning an attack on the infotainment unit could potentially access engine controls.
VW’s setup was less secure, with five CAN buses and weaker separation. Notably, one bus could be accessed from outside the car via the radar module located behind the VW logo, which could be removed easily with a screwdriver.
For the remote-control key fobs, researchers monitored common radio frequencies to identify the signal for the VW, suggesting the manufacturer doesn’t consider the locking system a significant target. They found that it’s possible to block the signal, essentially locking the user out, or to capture and replay signals to gain entry later.
The Ford uses a more advanced passive key system with two-way communication between the fob and the car, allowing access without pressing a button if the user is nearby. However, the security was still minimal. Attacks that blocked the key fob’s signals, preventing engine start-up, were also relatively simple to execute using commercial equipment costing under £200.
After the investigation, Which? informed both Ford and VW of the issues. VW accepted the findings and has worked with Which? and Context to understand the problems. Ford, however, has not yet accepted the technical report from Context.
Perry Barlow, project lead, noted, “While it’s comforting that connected cars aren’t as insecure as many other connected devices we’ve tested, our findings reveal serious concerns.”
