autoevolution
 

Ford Confirms Security Vulnerability in SYNC 3, Cars Exposed When Engine Is Running

Ford says attacks can be blocked by disabling Wi-Fi
Photo: Bogdan Popa/autoevolution/Ford
A security vulnerability in the Wi-Fi driver used by Ford in the SYNC 3 infotainment system can allow an attacker to trigger a buffer overflow if they are close to the vehicle.
The vulnerability is documented in security bulletin CVE-2023-29468, with Ford saying that it was detected by a security researcher who reported it to the supplier in charge of shipping Wi-Fi modules.

Texas Instruments explains in a security advisory that the flaw resides in the TI WiLink WL18xx MCP driver. A malicious actor could use a specially crafted frame to trigger a buffer overflow and launch a remote code execution attack.

The vulnerability seems frightening for Ford customers whose cars come with SYNC 3, but the American carmaker says it's not aware of any exploits so far. Furthermore, the company explains that attackers can't run an exploit unless they are physically near an exposed vehicle. A successful attack requires the engine to be turned on and the Wi-Fi support enabled.

Ford says the likelihood of an attacker exploiting the vulnerability is extremely low, mainly because it requires "significant expertise" to do it. In other words, only experienced hackers can break into SYNC 3 systems using this security flaw. Ford doesn't see this happening, mainly because the attackers must be near the vehicle when the engine is running.

The carmaker conducted an investigation and determined that even if someone breaks into the SYNC 3 system with this vulnerability, they still won't produce much damage, as the vehicle infotainment system is isolated from critical controls like steering, throttling, and braking. The safety of the vehicle occupants wouldn't be affected, Ford explains.

The carmaker is already working on a patch, but it didn't share an ETA for when it could become available for download. However, Ford says customers can install it manually by copying the patch onto a USB flash drive.

Fortunately, the carmaker has also found an easy way to remain protected until the patch goes live. Ford explains that simply disabling the Wi-Fi support in the SYNC 3 infotainment system blocks any potential exploit, as this is one of the prerequisites for a malicious actor to launch an attack. If Wi-Fi is disabled, the malicious actor can't infiltrate the SYNC system.

The carmaker says the vulnerability exists in all Ford and Lincoln models that rolled off the assembly lines with the SYNC 3 installed, including the 2021 and 2022 Mustang, the 2021 and 2022 Bronco Sport, and the 2021 Expedition. Ford recommends customers check the version of their SYNC system to determine if their vehicles are vulnerable to this attack.

The company will release additional guidance once the patch becomes available (likely in the coming weeks), including complete instructions on deploying it in a vulnerable vehicle.

 Download: Buffer Overflow in WL18xx MCP Driver (PDF)

About the author: Bogdan Popa

Bogdan keeps an eye on how technology is taking over the car world. His long-term goals are buying an 18-wheeler because he needs more space for his kid’s toys, and convincing Google and Apple that Android Auto and CarPlay deserve at least as much attention as their phones.