On April 9, 2020, an investigation found that the most popular connected cars in Europe from Ford and Volkswagen still have serious flaws that can “put your security, privacy and even your safety at risk”. The cars were sent to security experts Context Information Security to see whether or not they could be hacked.
The article recalls that strict standards are required for crash safety and exhaust emissions, “but the same scrutiny isn’t applied to the vital computer systems that run our cars”. Indeed, there are currently no regulations or mandatory standards for the cybersecurity of connected cars.
“Various bodies, including the UN, are working on a voluntary regulation, but this won’t come into force until 2021 at the very earliest”.
The investigation revealed serious security and safety risks. For example, during the test phases, the investigators were able to access some of the CANs of one of the cars. The investigation recalled that “modern cars are controlled by internal nerve systems called Controller Area Networks (CAN). Each CAN carries different signals around the vehicle to control aspects such as steering, braking and entertainment”.
“We found a unique vulnerability in how software updates are delivered to the infotainment unit and we were able to use this to hack it. Our working proof of concept enabled us to tamper with the unit, something that shouldn’t be possible with effective security safeguards”.
Another issue concerned the sensors, which can have various important roles (such as measuring the fuel level or tire pressure). The investigators were able, “using basic equipment (…) to intercept the messages being sent from the tyres to the car brain”.
Regarding privacy, connected cars collect a large amount of private data and some users do not even know what kind of data is collected or what happens to this data. For example, “using the Ford Pass app means you agree to share a wide variety of data, including your vehicle’s location and travel direction, at any time. Ford will even track your ‘driving characteristics’, such as your speed, acceleration, braking and steering. Its privacy policy states that it can share this information with its ‘authorized dealers and our affiliates’”.
The process called “vulnerability disclosure” was respected, since those who led the investigation offered to share the full reports with the two manufacturers, the objective being that the manufacturers can fix the issues discovered by the testers.
Finally, this investigation claimed that despite investments to improve vehicle security, there are still many flaws in this area, particularly from the cybersecurity perspective, where some regulatory problems still persist.
Source: https://www.which.co.uk/news/2020/04/we-hacked-a-ford-focus-and-a-volkswagen-polo/