Ford and Volkswagen smart cars may come with some major security risks


A new report from the independent consumer body Which? has discovered serious security flaws in best-selling connected cars from Ford and Volkswagen which could allow them to be hacked.

The organization worked closely with cybersecurity experts to examine the computer systems that power the connected features of two of the most popular cars in Europe, the Ford Focus Titanium Automatic 1.0L petrol and the Volkswagen Polo SEL TSI Manual 1.0L petrol.

The results of the investigation confirmed fears that a lack of regulation for on-board tech in the automotive industry allows manufacturers to cut corners when it comes to security. While the organization looked at two popular connected car models from Ford and Volkswagen, it is concerned that similar issues could be widespread throughout the industry.

Through its work with testing partner Context Information Security, Which? was able to hack into the Volkswagen Polo's infotainment unit, which serves as part of the car's central nervous system. The vulnerability was discovered in a section of the vehicle that can enable or disable traction control, but the infotainment unit also contains a wealth of personal data, including users' phone contacts and location history.

When it came to the Ford Focus Titanium Automatic, the experts were able to intercept messages sent by the tire pressure monitoring system using basic equipment. An attacker could potentially trick the system into displaying that flat tires were fully inflated, which poses a security risk. By examining Ford's code, Which? found that it also included WiFi details along with a password for the computer systems on Ford's production line.

Connected car apps

Which?'s investigation also raised concerns regarding how much data connected cars are generating about their owners and how this information is stored, shared and used.

The Ford Pass app allows a vehicle's location and travel direction to be shared at any time along with data from the car's sensors including its warning lights, fluid levels and fuel consumption. The automaker even tracks “driving characteristics” such as speed, acceleration, braking and steering and according to Ford's privacy policy, this information can be shared with “authorized dealers and or affiliates”.

Volkswagen's We Connect app was found to request a wide range of permissions including access to “confidential information” in users' calendars and the contents of USB storage. The company's privacy policy says that its app collects data when people use it but that this data is only shared with third parties when it is “necessary for the purpose of performing a contractual obligation”.

While Ford declined to receive Which?'s technical report, Volkswagen has engaged with the consumer body since the findings were shared.

Lisa Barber, editor of Which? Magazine, provided further insight on the investigation's findings in a press release, saying:

“Most cars now contain powerful computer systems, yet a glaring lack of regulation of these systems means they could be left wide open to attack by hackers - putting drivers’ safety and personal data at risk. The government should be working to ensure that appropriate security is built into the design of cars and put an end to a deeply flawed system of manufacturers marking their own homework on tech security.”

Via Which?

Anthony Spadafora
