Ford and VW Cars Open to Hackers, Research Claims

Cyber-security researchers are claiming some current connected Ford and Volkswagen vehicles are easy targets for malicious hackers.

The report researched by cyber consultancy Context Information Security and published by consumer magazine Which?, claims to have identified serious security, data privacy and safety concerns in the leading car brands. Investigators looked at the Ford Focus Titanium Automatic 1.0-liter and a Volkswagen Polo SEL TSI Manual 1.0-liter which are both packed with some of the latest consumer car technology.

While admitting the cars proved more difficult to hack into than many other connected products, researchers says they managed to find weaknesses in the cars’ security designs and were even able to identify what is suspected to be a Wi-Fi password from Ford’s manufacturing plant.

They focused on infotainment systems, mobile applications, radio frequency systems – such as keys fobs for entry and ignition, and tire pressure monitoring systems – as well as the Controller Area Network (CAN) used for communications between different vehicle components.

Key findings claimed by researchers include discovering that firmware on each of the two cars’ infotainment systems suffered from common issues such as outdated third-party software libraries and unsafe native code functions. Despite both systems employing the use of electronic signatures to prevent unauthorized adding of custom code, researchers claim it was possible to work around these on the VW system. The firmware for the Ford’s infotainment system, meanwhile, revealed full details of Wi-Fi network credentials that appears to be used at a number of its assembly plants.

Control of powertrain risk

As to the CAN bus networks of the cars, The Ford employs separate CAN buses with good logical data separation between those used for different purposes, however, the infotainment (SYNC) unit was found to be connected to three separate buses, including the powertrain. This means that any successful attack on the infotainment unit could potentially give access to engine controls. The VW has five CAN buses with less well-thought-out separation. One bus is readily accessible from outside of the vehicle via the radar module, located behind the VW logo and can easily be removed with a screwdriver.

When it came to radio frequency systems, researchers looked at both of the cars’ remote-control key fobs. By monitoring typical radio frequencies used to broadcast keys to vehicles, the signal to the VW was able to be identified, without decoding, which suggests that the manufacturer doesn’t view the locking system as a significant target. Further investigation revealed the ability to both prevent reception of the signal by the car, essentially locking the user out, and to capture and replay signals, to gain entry later.

The Ford uses a more advanced ‘passive key’ with two-way communication between fob and car, allowing the user access without having to press a button, as long as they are nearby. This kind of system is increasingly found on modern cars and is the subject of well published Relay Attacks. Again, minimal security was found on the transmissions from the key and prevention of the start up ignition was possible, by blocking active signals from the key fob for authorization. Both attacks were relatively straightforward and could be undertaken using off-the-shelf commercial equipment for under £200.

Following the investigation, Which? contacted both Ford and VW to let them know about the security problems identified. Andrew Laughlin, Which? principle researcher, said: “The UK government is working on new legislation for connected cameras, toys and other products with poor security standards. Yet it appears that the car industry has largely been left to create effective security measures on its own. That’s a risky approach.”

— Paul Myles is a seasoned automotive journalist based in London. Follow him on Twitter @Paulmyles_