
Focus key security vulnerability featured in Which magazine - not great!


StephenFord

In my latest edition of Which magazine, the Focus security system is given a right going over by Which magazine. Makes me grateful I own a 15 year old one with an old fashioned key, and a DiskLok for whenever I park somewhere a bit unsavory! LOL

As a child of the 60s, I was raised on the original Star Trek, and could never understand why prisoners put in the ship's brig were always 'locked in' by a force field, which they always overrode by hacking the control panel to escape. I knew if they had simple bars & locks it would solve the problem!


  • Like 1


"We hacked a Ford Focus....", "....serious flaws.....that could put your security, privacy and even safety at risk" - A clickbait headline in printed form.

The cars were purchased in 2019 and were sent to security experts but it doesn't state how long the cars were in their possession; a day, a week, a month, 6 months???

"It was possible to access a CANbus on the Polo.......We were unable to get a similar attack to work on the Ford Focus's Infotainment unit within the time we had for our tests"  "In the view of our security experts it isn't good practice for safety critical systems to be connected to the infotainment unit. If the unit was compromised then in theory the more critical systems could be too"   They failed to compromise the unit.

"All CAN access points are tricky to reach on the Ford"

Regarding access to the Polo's front radar unit "While we were unable to create a proof of concept in the time allocated to our testing, we were concerned that such access could enable someone to tamper with the radar module"  They failed to create a proof of concept

"The tyres on the Ford Focus......are fitted with a tyre-pressure monitoring system........we were able to intercept the messages being sent from the tyres to the car's brain...........Someone could use this information to track your journey around town"  The laptop and cheap gadget (probably an RTL-SDR dongle and the rtl_433 software) would need to be in the vicinity of the car to receive continuous messages if the car was on the move so the laptop, dongle and software would be an unnecessary expense, just tail the car instead!!!

"We were also concerned that it could be used to spoof information being sent from the tyres to the car. Although we couldn't get a working proof of concept, we believe an attacker could use this to pretend that tyres were fully inflated, and vice versa"  They failed to create a proof of concept.

"Something more concerning came up with the Focus. While analysing the infotainment unit's firmware we found a set of wi-fi credentials that appeared to be for the computer systems on Ford's production line........Detroit, Michigan"  Probably the network for setting up and testing the onboard Sync system while on the production line. I very much doubt that anything sinister can be achieved by connecting to this network but hey if you're ever right outside the assembly line in Michigan you could connect and have a look but then you probably already work for Ford and would more than likely know about the wi-fi network used and may already have login credentials anyway.

It seems to be an article with lots of words and nothing of real substance, with the exception of keyless security which is old news and affects most if not all keyfree systems.

  • Like 5

Just a magazine filling space as usual.
All useless twaddle tbh.

Put a monkey in a cage with your cellphone and he'll accidentally call your mum at some point, doesn't mean he understands the technology - just that he got lucky with random button presses.

Some scrot at the side of a road won't be interested in fartin' around with your tpms, all he wants is quick access and away with the car or whatever is sat on the back seat.


  • Like 2
  • Sad 1

Agree this is all twaddle, when my 2019 Focus got broken into they didn't use any sort of device to circumvent the keyless entry system, a brick through the window did the job.

  • Like 3

So, let me get this straight. 'Keyless' entry for cars is totally safe, scumbags still use the old fashioned method of chucking a brick through the window, and car manufacturers are on top of their game protecting your £30k investment? LOL Excellent news, we can all sleep safely now 🤣



I think the article clearly shows that even with a brick through the window and access to the car's systems (while the alarm is going off) they were unable to hack the car. So yeah pretty safe.
 

Definitely safer than when barrels could be forced or the ignition circuit hotwired. 

  • Like 2
  • Haha 1

It's still the case that you can never make anything completely safe, house, car etc.

What you can do is make it as difficult as possible for it to be broken into so it's not worth the risk.

Of course this sometimes moves the risk onwards, thieves won't take the time to hack your car, they'll break into the house for the keys.

  • Like 3

If they want it they will get it.

  • Like 1

there is a serious security flaw...  and it's not news, hoodies knew this 2 years ago....

virtually all keyless cars suffer from it.  in last 18 months most manufacturers partially fixed with a key that goes to sleep meaning the hoodie needs to grab your code within five minutes of the key being still....  rather than any time he wants during the night, but he can get it any time he wants when you're out and about,

you can buy later keys from your dealer for 70 quid that fall asleep for the focus (they've been out for at least 8 months)

most current Range Rovers don't have theft insurance, as you can code a key in 10 seconds and drive off as if you own it so long as you can get to the obdc socket... it's 40 seconds on a VAG car once you get in the boot first to trigger something then connect to the obdc….  on a BMW most sensible owners buy a fake and screw it in place leaving the real wires behind the trim..  pre 2012 it takes 2 minutes to code a blank key, later BMWs need 12 minutes


13 minutes ago, Botus said:

there is a serious security flaw...  and it's not news everyone knew this 2 years ago....

virtually all keyless cars suffer from it.  in last 18 months most manufacturers partially fixed with a key that goes to sleep meaning the hoodie needs to grab your code within five minutes of the key being still....  rather than any time he wants during the night, but he can get it any time he wants when you're out and about,

you can buy later keys from your dealer for 70 quid that fall asleep for the focus (they've been out for at least 8 months)

most current Range Rovers don't have theft insurance, as you can code a key in 10 seconds and drive off as if you own it so long as you can get to the obdc socket... and 40 seconds on a VAG car, if you get in the boot first to trigger something then connect to the obdc….  on a BMW most sensible owners buy a fake and screw it in place leaving the real wires behind the trim..

The Focus mk4 featured in the magazine article already has the sleepy keys. 

  • Like 1

Oh OK much more serious issues, again not new. 

Chrysler knew you could remotely hack their cars in 2009.... no one else had found the bug so they kept it quiet for 5 years, then some white hat hackers found it and turned it off driving down the motorway, the USA's NTSB mandated it gets fixed https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

BMW opened up their cars' software 2 years ago to white hat hackers... within a few weeks they found 40 security flaws (although the article says 14)… BMW set up an industry award to say thanks https://www.autoexpress.co.uk/car-news/103576/bmw-hackers-rewarded-for-flagging-security-flaws

with ADAS and the ability to steer a car remotely and affect the use of its throttle and brakes... this is the next 911 event coming to a motorway near you.  So rather than discrediting Which, we should be thanking them for getting it out there....

Although perhaps you should worry far more that according to an article I read a week ago, Israel does most hardware and software for all self driving cars and the avionics security in the F35 fighter jet.  So if you don't agree with their politics your wife dies in a car crash and your missiles won't work against them, but they might turn round and say hello !!!

You have been living the Matrix movie since you were born.... you just didn't get the right colour pill (or should I say the right pill was kept out of your reach... but the explosion of electronic media is out of control.... or is it ! )

  • Like 1

I have no interest in discrediting Which?, was just pointing out the misleading byline and the article consisting of no news or old news.

While I understand Which? is aimed at a general readership, articles of this quality do nothing to promote informed consumer choice.

  • Like 2
