Serious IT vulnerability found in MG's electric car

Most new cars are connected to different servers around the world in order to provide services such as navigation and connection to the owner's mobile phone. Each car also has an IP number which can identify a single car on the internet.

”These ports are used to communicate with different devices”, says Afruz Bakhshiyeva, a student at Royal Institute of Technology (KTH) in Stockholm. In cooperation with Vi Bilägare, she and fellow student Gabriel Berefelt have performed an IT security audit of different cars.

Our tests reveal that popular electric car MG Marvel R, owned by Chinese manufacturing giant SAIC which in turn is state-owned, has a serious IT security flaw. Six of the ports, which are used to send and receive data over the internet, are wide-open when they in fact should be closed.

MG is by far the worst-performing car in our review. Two other cars were tested – a Tesla Model 3 and a completely disconnected Volvo V90. In both those cars, are ports were either closed or ”filtered”, which means that they are invisible to hackers.

”We have performed the test multiple times and over a period of time to verify the results. The Volvo was manufactured in 2017 and perhaps that is a positive in this case. Everything is closed down”, says Afruz Bakhshiyeva.

An open port doesn't need to be a security issue in itself. However, a hacker can gain access to the car's systems with an open port in order to retrieve information or manipulate the car. If the system is badly designed, it could in theory mean that the hacker can access the electronic control unit used to drive the car.

That is what happened a few years ago when scientists were able to control acceleration, braking and steering through an open port in a Jeep. They could control the car with a laptop from the back seat.

”An open port does not in itself make the car unsafe. But it is a very worrying sign”, says professor Pontus Johnson, responsible for a new IT security research center at KTH.

According to him, the open ports imply that MG has not prioritised IT security during development of the car.

”Most car manufacturers have reviewed and improved these issues by now. That this issue still exists is not good at all. It can be a matter of life and death in a car”, says Pontus Johnson.

Open ports also raise the question if there are more serious vulnerabilities to be found within the car.

”These issues are often a sign of a price squeeze or of rushed development. The company doesn't have the resources or competence to address these issues and are ready to take the risk. It also implies a bad corporate culture which prioritise other matters before security”, says Pontus Johnson.

MG has confirmed that the ports are indeed open, but insist that they only are connected to the internal entertainment system and WiFi network. They should not make it possible for hackers to gain access to acceleration, steering or braking. However, that could not be verified during our testing.

Asmus Eggert, data security officer at MG in Europe, confirms for Vi Bilägare that MG will review the checklist used for software development to make sure that no ports are open if they don't need to be.

”An airplane may have over 100,000 bugs, but should you consider not flying because of these bugs? My point is that there will be bugs, but many of them have very little risk associated with them. You can't make software which is completely safe”, he says.