A lack of “meaningful regulation” for on-board tech in the motor industry allows manufacturers to be careless of security, a campaign group has claimed.

Which? along with cyber-security experts Context Information Security examined the computer systems behind the Ford Focus Titanium Automatic 1.0L petrol and a Volkswagen Polo SEL TSI Manual 1.0L petrol.

They were able to hack the Infotainment unit in the Polo which records personal data such as phone contacts and location history. Also, simply lifting the VW badge on the bonnet gave access to the front radar module allowing someone to tamper with the collision-warning system.

The experts were also able to intercept messages sent by the tyre pressure monitoring system on the Ford Focus, making it possible that someone could trick the system to display that flat tyres were fully-inflated and vice versa.

Coding also included wifi details and a password that appeared to be for the computer systems on Ford’s production line.

While the investigation looked at two of the best-sellers on the market, there are concerns that these issues could be widespread throughout the motoring industry.

Further, it reveals just how much data cars are generating about their owners and how the information is being stored, shared and used.

For instance, the Ford Pass app means the vehicle’s location and travel direction can be shared at any time, as well as data from the car’s sensors, including warning lights, fluid levels and fuel consumption.

Ford even tracks ‘driving characteristics’, such as speed, acceleration, braking and steering. Its privacy policy states that it can share this information with its ‘authorised dealers and affiliates’.

The VW app, We Connect, requested a wide range of permissions, including access to ‘confidential information’ in people’s calendar and the contents of USB storage. Its privacy policy states that VW collects data when you use the app – but that it only shares it with third parties when it’s ‘necessary for the purpose of performing a contractual obligation’.

‘Drivers’ safety and personal data at risk’

Lisa Barber, editor of Which? magazine, said: “Most cars now contain powerful computer systems, yet a glaring lack of regulation of these systems means they could be left wide open to attack by hackers – putting drivers’ safety and personal data at risk.

“The government should be working to ensure that appropriate security is built into the design of cars and put an end to a deeply flawed system of manufacturers marking their own homework on tech security.”

Ford declined to receive Which?’s technical report and declined to comment on its findings. However, it added that customer data is used for ‘valued connected services’, such as live traffic, in accordance with published policy and takes cybersecurity seriously by “consistently working to mitigate the risk”.

Volkswagen engaged positively with the campaign group since the findings were shared. It said it is not possible to influence other critical control units unnoticed and that it only processes customer data based on consent. It would also consider reducing the more extensive information available via its Infotainment data.

Top tips to secure your car’s data

Whether you’re buying a second hand car or renting one out, here are top tips from Which? to secure your data:

Wipe your data

If you’re selling your connected car and don’t want to leave your data exposed, go to your car’s infotainment unit and look in the settings menu for controls to erase your account and data. It’s a bit like restoring a phone to factory settings. Check your manual if you can’t find it easily on the unit itself. When you drive it to the dealer, don’t reconnect your smartphone to the car, as otherwise you’ll leave trace information that hasn’t been deleted.

Revoke access

Deleting the car’s app from your phone won’t be enough to remove your access. You need to break the link between you and the vehicle. Again, you’ll need physical access to the infotainment system in order to trigger the master reset key. Follow the instructions on the unit or check the manual to ensure your access is completely revoked before you sell it to the new owner.

Buying a used car

Just as you think about mileage, service history and state of repair when buying a used car, you should also think about data. When buying a car second-hand from a dealer or private seller, ask for evidence that all data has been removed and access rights revoked. Then you won’t have to worry that the previous owner can still track, unlock or even drive away with your new car.

Renting, leasing and car clubs

Chances are that you have plugged in your phone in a rental and seen data on people who’ve used it. So be wary of connecting your phone to a rental or a vehicle from a car club. It’s better to just use the infotainment unit, or solely rely on your smartphone.