Ford and VW’s top selling cars can be hacked

A British consumer magazine is accusing the manufacturers of two of the most popular vehicles in Europe of being careless with the digital security of their cars’ connected features.

According to a study by Which?, the Ford Focus Titanium Automatic 1.0L petrol and the Volkswagen Polo SEL TSI Manual 1.0L petrol have numerous security vulnerabilities that can expose sensitive personal data of the vehicles’ owners.

[Read: Remembering the Nucleon, Ford’s 1958 nuclear-powered concept car that never was]

Working with cyber security firm Context Information Security, researchers were able to hack the infotainment system of the VW to reveal personal data including phone numbers, saved addresses, and navigation history.

What’s more, the vulnerability was found in a part of the vehicle’s computer system that can enable and disable traction control — a crucial safety feature when driving on slippy roads.

VW told Which? that the infotainment system is separated from other crucial vehicle systems and is not able to influence them without going unnoticed. The German automaker is now reviewing Which?’s technical findings.

Potentially dangerous hacks

When it came to the Ford, researchers were able to hack the car’s tire pressure monitoring system (TPMS) to intercept and spoof messages from the sensors. In malicious cases, this could allow hackers to tell the car’s main computer that tires are correctly inflated when they’re not — potentially putting passengers in danger.

The most worrying part is that the researchers managed to do this using a “cheap laptop and a £25 gadget” from Amazon. It’s also possible that researchers could use this hack to track a vehicle’s journey.

In response to Which?’s findings, Ford said the TPMS has a very short transmission range. In other words, anyone hacking it would have to be close to the vehicle, and remain close to conduct any kind of security breach.

The American marque added that the technology isn’t unique to Ford and there is no ‘known industry issue with it’.

Be aware of connected apps

The study also raised a number of concerns over the vehicles’ “connected” apps. These apps are typically used to control features of the car, but they also gather data at a worrying rate.

According to Which?, Ford’s Pass app can share the vehicle’s location and travel direction at any time. Ford also gathers data about a vehicle’s “driving characteristics,” such as speed, acceleration, braking, and steering. Ford’s privacy policy states that it could share this information with its “authorized dealers and affiliates.”

VW’s We Connect app is just as concerning. When installing the app, users must grant permissions for access to potentially sensitive information, including calendars and USB storage. The German marque says it only shares data with third parties when it has to for contractual obligations, whatever that means.

Should we worry?

It should be noted that only two vehicles were tested. However, given that components are shared across entire ranges of vehicles, it’s realistic that these vulnerabilities exist in multiple vehicles in the manufacturer’s lineup.

There are a couple of caveats, though. Many of Which?’s hacks required direct access to the vehicle and a sizeable amount of effort. So it’s unrealistic that anyone would fall foul of these vulnerabilities in the real world, but they have highlighted some important considerations when owning a highly “connected” vehicle.

The most important takeaway is to make sure you delete personal data from your vehicle’s infotainment systems when you sell it. Make sure to revoke access between your car and its app if you want it to stop sharing collected data. Also, be extremely cautious when connecting your phone to a rented or car share vehicle.

Given how shared vehicles are on the increase, it’s worth knowing that cars and connected apps are gathering data about drivers. As cars become even more advanced, with all kinds of sensors and computers, security vulnerabilities aren’t likely to go away anytime soon.