Ford is warning of a buffer overflow vulnerability in its SYNC3 infotainment system used in many Ford and Lincoln vehicles, which could allow remote code execution, but says that vehicle driving safety isn’t impacted.
SYNC3 is a modern infotainment system that supports in-vehicle WiFi hotspots, phone connectivity, voice commands, third-party applications, and more.
The particular system is used in the following car models:
- Ford EcoSport (2021 – 2022)
- Ford Escape (2021 – 2022)
- Ford Bronco Sport (2021 – 2022)
- Ford Explorer (2021 – 2022)
- Ford Maverick (2022)
- Ford Expedition (2021)
- Ford Ranger (2022)
- Ford Transit Connect (2021 – 2022)
- Ford Super Duty (2021 – 2022)
- Ford Transit (2021 – 2022)
- Ford Mustang (2021 – 2022)
- Ford Transit CC-CA (2022)
The vulnerability is tracked as CVE-2023-29468 and is in the WL18xx MCP driver for the WiFi subsystem incorporated in the car’s infotainment system, which allows an attacker in WiFi range to trigger buffer overflow using a specially crafted frame.
“An attacker within wireless range of a potentially vulnerable device can gain the ability to overwrite memory of the host processor executing the MCP driver,” reads the system vendor’s security bulletin.
Ford was informed by the supplier about the discovery of the WiFi flaw and took immediate action to validate it, estimate the impact, and develop mitigation measures.
In a statement released on Ford’s media portal, the carmaker promises to make a software patch available soon, which customers will be able to load on a USB stick and install on their vehicles.
“Soon, Ford will issue a software patch online for download and installation via USB,” reads Ford’s announcement.
“In the interim, customers who are concerned about the vulnerability can simply turn off the WiFi functionality through the SYNC 3 infotainment system’s Settings menu.”
To further appease any concerns, the American carmaker has also stated that the flaw isn’t easy to exploit, and even in that unlikely scenario, it wouldn’t put the safety of targeted vehicles at risk.
“To date, we’ve seen no evidence that this vulnerability has been exploited, which would likely require significant expertise and would also include being physically near an individual vehicle that has its ignition and WiFi setting on,” explains Ford.
“Our investigation also found that if this vulnerability was exploited, however unlikely, it would not affect the safety of vehicle occupants, since the infotainment system is firewalled from controls like steering, throttling and braking.”
Finally, the company invites any security researchers who have discovered vulnerabilities in its vehicles to submit their reports directly on the company’s HackerOne program, through which it has so far resolved nearly 2,500 bugs.