Consumer reviewer Which? finds CAN bus ports on Ford and VW, starts yelling 'Security! We have a problem...'

Spoiler: It found a tyre pressure sensor and a Wi-Fi password


Modern connected cars contain security threats, consumer org Which? has said after commissioning analyses of two models, a Ford and a Volkswagen.

While Which?'s insistence that the flaws are "serious" is perhaps wide of the mark, the research does highlight the lack of robust security features protecting CAN buses and in-vehicle infotainment (IVI) from malicious people.

Researchers from Context Information Security were able to find their way into two cars' infotainment units, the dash-mounted screen that displays everything from car information to GPS-based moving maps to your favourite radio station or motorway playlist.

"While the cars proved more difficult to hack into than many connected products, Context researchers managed to find weaknesses in the cars' security designs and were even able to identify what is suspected to be a Wi-Fi password from Ford's manufacturing plant," said Context in a separate statement from Which's one.

The Ford model it looked at was a Focus Titanium Automatic 1.0L petrol model, while the VW was a Polo SEL TSI Manual 1.0L, also the petrol-powered variant.

Context found that "simply lifting the VW badge on the front of the car gave access to the front radar module, which could potentially allow a hacker to tamper with the collision-warning system." That is, someone malicious could pull the radar sensor out.

Ian Tabor, a security-focused network architect who runs Car Hacking Village UK, told The Register: "The access to the ADAS radar system wiring could potentially give access to the CAN network that controls the security of the vehicle depending on how the CAN networks are segregated, not just affect the collision warning system."

Seeing as the VW is not a Tesla and is not marketed as having an "autopilot" that helps you drive, disabling the radar transceiver reduces safety back to the level of older cars, driven (mostly) successfully by qualified humans who watch the road ahead. Nonetheless, a criminal with time, knowledge and physical access to the target network (the car) is a very real infosec threat.

aircraft

Hack a small airplane? Yes, we CAN (bus) – once we physically break into one, get at its wiring, plug in evil kit...

READ MORE

Meanwhile, Context's bods were also probing the Ford's CAN bus and items connected to it. Its IVI was "connected to three separate buses, including the powertrain," which the researchers said "could potentially give access to engine controls."

Both cars' wireless key locking systems were vulnerable to relay and replay attacks, a well-known problem gleefully exploited by car thieves and largely ignored by industry despite having been a known issue for years.

Remarking on what the study did not appear to have looked at, Tabor commented: "There is no mention of the EU mandated E-Call system that could potentially be tracking the vehicle at all times?"

Nonetheless, Context did say it had found what looked very much like a Ford factory Wi-Fi password saved in that car's IVI, presumably from factory testing.

Inevitably, Which", which describes itself as a "consumer champion" demanded more "regulations" on CAN bus security to reduce what it claimed was "the risk, both to financial and to human life." It is unclear exactly how Which? reached that conclusion, with its study not detailing any direct interference with safety-critical systems it was able to achieve. At most it was able to suggest that tyre pressure sensors could indicate a flat tyre was fully pumped up.

Most drivers are probably capable of noticing if one or more tyres is flat or running on the wheel rim, El Reg suggests, knowing full well commenters will now flood the comments section with Police! Camera! Action! clips to prove us wrong.

Previous infosec research directed at cars has made similar findings over the years.

Nonetheless, Which won't have endeared itself to either the security or automotive industries. VW denied to ITV that compromising the IVI could lead to control over safety-critical systems, while Ford reportedly refused to accept delivery of the Which? report at all. ®

Carnote

In a thoughtful gesture, car hacker chap Tabor gave us his top tips for connected car security:

  1. Wiping data from the vehicle IVI may only delete the data from the frontend; the data still may be in the car's internal database.
  2. Revoke access when selling your car. This may require going through the manufacturer's website. You may again also want to delete any data from the website so that data isn't available to the next user or the manufacturer.
  3. Resellers of used cars should also check the previous owner has removed their data, whether the reseller is a main dealer, auction, small reseller or private seller.
  4. When renting or leasing just don't connect your car to Bluetooth devices without checking what data is being transmitted and how you can access it to wipe it from the car later on.
  5. Never set home/work in the car's GPS. If you lose your keys or criminals steal them and pinch the car too, they could then find your house or workplace for a followup burglary.
  6. Check the Onboard Diagnostics 2 (OBD2) port for tracking devices if you're worried about your physical security.

Biting the hand that feeds IT © 1998–2020