Ford Addresses Buffer Overflow Vulnerability in SYNC3 Infotainment System
Ford Reassures Customers the Vulnerable Models Are Drive Safe
Ford Motor Company has issued a warning about a potential buffer overflow vulnerability in its SYNC3 infotainment system.
The SYNC3 vulnerability, found in many Ford and Lincoln vehicle models, could theoretically allow remote code execution, although the automaker has stressed that vehicle driving safety is not affected.
SYNC3 is a state-of-the-art infotainment system that facilitates in-vehicle WiFi hotspots, phone connectivity, voice commands, third-party applications, and more. The vulnerability impacts several popular Ford models, including the EcoSport, Escape, Bronco Sport, Explorer, and Mustang, among others.
The vulnerability, identified as CVE-2023-29468, is located in the WL18xx MCPdriver for the WiFi subsystem integrated into the car's infotainment system. An attacker within the WiFi range could potentially trigger a buffer overflow by using a specially crafted frame. This flaw allows an attacker to overwrite the memory of the host processor executing the MCP driver, according to the system vendor's security bulletin.
Upon being informed by the supplier about the discovery of this WiFi flaw, Ford took immediate action to authenticate the vulnerability, assess its impact, and devise mitigation strategies.
In response to the situation, Ford plans to release a software patch that customers can download and install via a USB stick. According to the announcement on Ford's media portal, this patch will be available soon. In the meantime, customers concerned about the vulnerability have the option to turn off the WiFi functionality through the SYNC3 infotainment system's settings menu.
To alleviate any additional worries, the American automotive giant has emphasized that exploiting the flaw is far from straightforward.
Even if an individual actor were to successfully leverage this vulnerability, Ford assures that it would not threaten the safety of vehicle occupants. The company clarified that the infotainment system is segregated from critical controls such as steering, throttling, and braking, thereby preventing any direct risk to driving safety.
Ford Media highlighted that there is "no evidence" of the vulnerability being exploited to date. Exploitation would likely necessitate substantial expertise and proximity to an individual vehicle with its ignition and WiFi settings on.