Serious IT vulnerability found in MG's electric car

Published 2022-11-22 15:25
A serious IT security vulnerability has been revealed in an electric car manufactured by Chinese-owned carmaker MG.

Most new cars are connected to different servers around the world in order to provide services such as navigation and connection to the owner's mobile phone. Each car also has an IP address, which can identify a single car on the internet.

”These ports are used to communicate with different devices”, says Afruz Bakhshiyeva, a student at Royal Institute of Technology (KTH) in Stockholm. In cooperation with Vi Bilägare, she and fellow student Gabriel Berefelt have performed an IT security audit of different cars.

Our tests reveal that the popular electric car MG Marvel R, whose maker is owned by Chinese manufacturing giant SAIC, which in turn is state-owned, has a serious IT security flaw. Six of the ports, which are used to send and receive data over the internet, are wide open when they in fact should be closed.

MG is by far the worst-performing car in our review. Two other cars were tested – a Tesla Model 3 and a completely disconnected Volvo V90. In both those cars, the ports were either closed or ”filtered”, which means that they are invisible to hackers.

”We have performed the test multiple times and over a period of time to verify the results. The Volvo was manufactured in 2017 and perhaps that is a positive in this case. Everything is closed down”, says Afruz Bakhshiyeva.

”An open port is a very worrying sign”, says professor Pontus Johnson, responsible for a new IT security research center at KTH.

An open port doesn't need to be a security issue in itself. However, a hacker can gain access to the car's systems through an open port in order to retrieve information or manipulate the car. If the system is badly designed, it could in theory mean that the hacker can access the electronic control unit used to drive the car.

That is what happened a few years ago when scientists were able to control acceleration, braking and steering through an open port in a Jeep. They could control the car with a laptop from the back seat.

”An open port does not in itself make the car unsafe. But it is a very worrying sign”, says professor Pontus Johnson, responsible for a new IT security research center at KTH.

According to him, the open ports imply that MG has not prioritised IT security during development of the car.

”Most car manufacturers have reviewed and improved these issues by now. That this issue still exists is not good at all. It can be a matter of life and death in a car”, says Pontus Johnson.

”These ports are used to communicate with different devices”, says Afruz Bakhshiyeva, one of the IT security students at Royal Institute of Technology (KTH) who performed the tests in cooperation with Vi Bilägare.

Open ports also raise the question of whether there are more serious vulnerabilities to be found within the car.

”These issues are often a sign of a price squeeze or of rushed development. The company doesn't have the resources or competence to address these issues and is ready to take the risk. It also implies a bad corporate culture which prioritises other matters before security”, says Pontus Johnson.

MG has confirmed that the ports are indeed open, but insists that they are only connected to the internal entertainment system and WiFi network. They should not make it possible for hackers to gain access to acceleration, steering or braking. However, that could not be verified during our testing.

Asmus Eggert, data security officer at MG in Europe, confirms to Vi Bilägare that MG will review the checklist used for software development to make sure that no ports are open if they don't need to be.

”An airplane may have over 100,000 bugs, but should you consider not flying because of these bugs? My point is that there will be bugs, but many of them have very little risk associated with them. You can't make software which is completely safe”, he says.

The ports will be closed

The ports are to be closed in a future software update. However, this update will not be performed ”over-the-air”, but in a physical workshop, and it will not be mandatory.

”I want to point out that not only the physical safety is important for our customers but also digital safety. If there is anything we could improve in order for our customers to feel safer, we will react and make an effort to solve that. We take safety seriously and that is important for us. We want to be transparent”, says Marc Hecht, spokesperson for MG Europe.
