
Ford's 400,000-car recall could be the tip of an auto security iceberg

‘Needed’ OTA updates bring their own ‘security challenges’

Ford’s recall of more than 400,000 cars in North America to fix a software bug may be just the first of many for the motor industry as automobiles become increasingly complex, security researchers warn.

As previously reported, a total of 433,000 2015 Focus, C-MAX and Escape cars are being recalled to dealerships for a software update as a result of the snafu. As a notice by the car maker explains, the bug means drivers may not be able to turn off engines on some of the latest vehicles, even if they remove the ignition key.

Dealers will update the body control module software at no cost to the customer, Ford promises.

Ken Munro, a director at security consultancy Pen Test Partners, and a security researcher who has investigated aspects of electronic car insecurity, told El Reg that updates of this type will become more commonplace as car makers pack more and more complicated electronics into vehicles.

“The recent recall by Ford involving the engine failing to stop underlines the increasing need for over-the-air (OTA) software updates,” Munro explained.

“As manufacturers cram more software into cars, the potential for more security and functionality bugs increases. More bugs = more recalls, which will be a pain for customers and expensive for manufacturers as cars have to go to service centres for patching,” he added.

Higher-end vehicles are increasingly featuring Wi-Fi and GSM connectivity. Tesla allows updates to be rolled out when the car is parked at home in Wi-Fi range, although such updates potentially create an even bigger security problem, Munro warned.

“OTA [over the air] updating brings its own security challenges,” Munro said. “Pushing a rogue update to a vehicle should be technically challenging, but we all know that breaches never happen, right... Who has the digital signing keys for updates? Pinch those and you have one of many potential attack vectors.”

“Quality assurance needs to be excellent too; imagine a duff update going out that bricks your vehicle or, worse, causes safety issues. It’s one matter updating the sat-nav database, but another altogether updating the ABS [Anti-lock braking system] software. Can you see the insurance claim? ‘It wasn’t me that crashed the car, it was rogue software that caused it’,” Munro concluded.

Further security-related commentary on the Ford software update recall can be found in a post by Graham Cluley on the ESET WeLiveSecurity blog. Cluley notes that Ford’s update is far from unprecedented and is, if anything, the shape of things to come.

For example, BMW was obliged to roll out a patch for a security flaw back in January in order to guard against the possibility that hackers might be able to open the doors of some 2.2 million potentially vulnerable vehicles.

“Cars which are capable of receiving instructions via the internet (such as software updates) are potentially more at risk of being hacked or meddled with than those which don’t,” warned Cluley.®

 
