Ford is warning of a buffer overflow vulnerability in its SYNC3 infotainment system used in many Ford and Lincoln vehicles, which could allow remote code execution, but says that vehicle driving safety isn't impacted.
SYNC3 is a modern infotainment system that supports in-vehicle WiFi hotspots, phone connectivity, voice commands, third-party applications, and more.
The particular system is used in the following car models:
- Ford EcoSport (2021 – 2022)
- Ford Escape (2021 – 2022)
- Ford Bronco Sport (2021 – 2022)
- Ford Explorer (2021 – 2022)
- Ford Maverick (2022)
- Ford Expedition (2021)
- Ford Ranger (2022)
- Ford Transit Connect (2021 – 2022)
- Ford Super Duty (2021 – 2022)
- Ford Transit (2021 – 2022)
- Ford Mustang (2021 – 2022)
- Ford Transit CC-CA (2022)
Nearby attackers
The vulnerability is tracked as CVE-2023-29468 and resides in the WL18xx MCP driver for the WiFi subsystem incorporated in the car's infotainment system. It allows an attacker in WiFi range to trigger a buffer overflow using a specially crafted frame.
"An attacker within wireless range of a potentially vulnerable device can gain the ability to overwrite memory of the host processor executing the MCP driver," reads the system vendor's security bulletin.
Ford was informed by the supplier about the discovery of the WiFi flaw and took immediate action to validate it, estimate the impact, and develop mitigation measures.
In a statement released on Ford's media portal, the carmaker promises to make a software patch available soon, which customers will be able to load on a USB stick and install on their vehicles.
"Soon, Ford will issue a software patch online for download and installation via USB," reads Ford's announcement.
"In the interim, customers who are concerned about the vulnerability can simply turn off the WiFi functionality through the SYNC 3 infotainment system's Settings menu."
To further allay any concerns, the American carmaker has also stated that the flaw isn't easy to exploit, and even in that unlikely scenario, it wouldn't put the safety of targeted vehicles at risk.
"To date, we've seen no evidence that this vulnerability has been exploited, which would likely require significant expertise and would also include being physically near an individual vehicle that has its ignition and WiFi setting on," explains Ford.
"Our investigation also found that if this vulnerability was exploited, however unlikely, it would not affect the safety of vehicle occupants, since the infotainment system is firewalled from controls like steering, throttling and braking."
Finally, the company invites any security researchers who have discovered vulnerabilities in its vehicles to submit their reports directly to the company's HackerOne program, through which it has so far resolved nearly 2,500 bugs.
Comments
ZeroYourHero - 1 year ago
Safe, until the hacker turns the volume all the way up, maxes out the bass boost and blasts the driver with a sudden extremely loud noise?
h_b_s - 1 year ago
Sometimes "what could happen" is less important than "what's likely to happen". Sure, someone could probably come up with an exploit chain to do so before Ford issues a fix. The added benefit is that such an attack would be difficult to trace to an origin, especially in a big city. However, the likelihood of it happening isn't high nor is your suggested attack necessarily always going to cause an accident. Ford is correct that it won't likely affect the vehicle's controls so safety isn't a high issue. You're also correct in that it's a narrow definition, but you're wrong as far as what Ford has to legally consider a safety issue under highway safety regulations which primarily has to do with control and visibility surfaces, not how loud the vehicle stereo is.
Somerly - 1 year ago
Bill, where did you find your information on vehicles affected? Sync 3 is in both Ford and Lincoln vehicles from 2015 up through today. Just with Ford Rangers alone, the 2019s through 2023s all share the exact same version of Sync 3, Sync 3.4. My 2016 F 150 and 2019 Explorer use the older Sync 3 3.0 software, but they still share the exact same WiFi subsystems as my 2023 Ranger with Sync 3.4. There are a whole lot more vulnerable Ford AND Lincoln vehicles than your article is suggesting, and as of yet I've seen nothing limiting it to just that specific subset of Ford's. Their warning applies to ALL Ford Lincoln vehicles with the Sync 3 system. Regards
h_b_s - 1 year ago
Technically it's not SYNC that has the problem. It's the result of SYNC 3 using a proprietary driver and development package for WIFI that has the problem. There's likely more than just Ford SYNC 3.x vehicles that have this vulnerable driver in them. TI's development package's stated use cases are several different OSes including QNX, WinCE, Linux incl. Android, uITRON, and FreeRTOS all of which are popular embedded OSes in everything from cameras to motor vehicles.
https://www.ti.com/tool/WILINK8-WIFI-MCP8
Which pretty much goes to show why it's a bad idea to shove wireless communications into devices where safety or physical security is a factor.
scpcguy - 1 year ago
Many police vehicles in the USA are produced by Ford, running SYNC and routinely marked/nearby with the ignition and WiFi setting on. Seems like law enforcement agencies will want to be aware of the vulnerability.