Vehicles are becoming increasingly connected and
complicated. The modules and equipment in the vehicle, along with the connectivity,
make newer vehicles targets with many attack vectors. With these advances,
the consumer would think cybersecurity would be the first thing on the engineer’s
mind. Unfortunately, this is not always the case. It is likewise notable that there
are many laws and statutes directed at vehicles for emissions and other
aspects of the vehicle. While these are indeed needed, there are no laws focused
on the cybersecurity applied to vehicles. There are a handful of these in the works;
however, at this stage, these are more voluntary and may be presented as more of
a standard than legislative action.
Successful breach
While these are noteworthy, generally, if an automobile manufacturer does not have to, or is not strongly encouraged to, it is difficult to
get the issue resolved and the feature in the vehicle. A recent case in point involved
a Ford Focus Titanium Automatic 1.0L and a Volkswagen Polo SEL TSI Manual 1.0L.
These are both gas-powered vehicles and are very popular in Europe.
Researchers at Context Information Security were tasked with
conducting a pentest of sorts on these two vehicles.
The research indicated there were rather serious
cybersecurity flaws with the test vehicles. The researchers have reported these
and are waiting to provide their test details to the public as part of the responsible
vulnerability disclosure process. This gives the manufacturers time to
correct or mitigate the issue before the vulnerability, and how to
attack it, is sent to anyone who has an internet connection.
Researchers’ attacks generalized
While the specifics are not available, the researchers did
release general information regarding their successful attacks. As a recap, the
subject vehicles, and nearly all others at this point, use the Controller Area
Network (CAN) to communicate between the modules in each vehicle. These
communications are relevant for tire pressure, driving controls, braking,
steering, etc. If this is successfully attacked, the driver and passengers
assuredly are going to have a bad day. This was one area where the researchers were
able to successfully access the Polo.
There was also another vulnerability with OTA (over-the-air)
updates. The vehicles have a number of computers and programs located within the
vehicle’s system. These at times need to be updated. Think of it like when you
turn off your computer and the system warns you there are patches that need to
be installed for your system. Having the owners all make appointments to drive
their vehicles in every time there is an update is not a workable solution and
would halt any work that would need to be done in the repair/maintenance
portion of the garages at the dealerships. The researchers were able to tamper
with these updates, which would let them change the official
update to whatever they wanted.
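One way a vehicle-side updater can refuse a tampered update, shown as an added example that is not from the original post or the researchers: it checks manifest authenticity, the image hash and the version before installing. The manifest fields, the `ecu` name, the key and the firmware bytes are constructed, and HMAC-SHA256 stands in for the asymmetric signature a production OTA scheme would use.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for the asymmetric signature a
# production OTA scheme would use, so the example needs only the stdlib.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_manifest(manifest, key=DEMO_KEY):
    """Vendor side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_update(manifest, tag, image, installed_version, key=DEMO_KEY):
    """Vehicle side: return 'install' or the reason the update is refused."""
    # 1. Manifest authenticity, compared in constant time.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return "reject: manifest not authentic"
    # 2. The image must be exactly the one the manifest describes.
    digest = hashlib.sha256(image).hexdigest()
    if (len(image) != manifest["size"]
            or not hmac.compare_digest(digest, manifest["sha256"])):
        return "reject: image does not match manifest"
    # 3. Anti-rollback: refuse anything not newer than what is installed.
    if manifest["version"] <= installed_version:
        return "reject: rollback or replay"
    return "install"


def demo():
    """Run the checks on constructed sample data (not real firmware)."""
    image = b"\x7fFW" + bytes(range(64))
    manifest = {"ecu": "infotainment", "version": 12, "size": len(image),
                "sha256": hashlib.sha256(image).hexdigest()}
    tag = sign_manifest(manifest)
    swapped = image[:-1] + b"\xff"  # same length, last byte changed
    forged = dict(manifest, sha256=hashlib.sha256(swapped).hexdigest())
    return {
        "genuine": verify_update(manifest, tag, image, 11),
        "swapped_image": verify_update(manifest, tag, swapped, 11),
        "forged_manifest": verify_update(forged, tag, swapped, 11),
        "old_version": verify_update(manifest, tag, image, 12),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```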
The researchers also found a vulnerability with the infotainment
unit in the vehicle. This, when successfully attacked, would enable or disable
the vehicle’s traction control and tamper with the headlights. The unit also holds a large
amount of personal data (e.g. phone contacts and location history). This attack
was accomplished with a simple command. For this attack, the researchers or bad
actors would need to have physical access. While this is a hurdle, it is not
impossible, especially since this would only take approximately five minutes.
There were other tests done, with mixed results.
The researchers, curiously, were able to find the Wi-Fi credentials
that apparently were for the computer systems on the Ford production line. Having
these that easily accessible is a rather significant and truly bad thing.