Wi-Fi vulnerability on Ford cars, but driving is not at risk

Ford has warned its customers of a buffer overflow vulnerability in Sync 3, the infotainment system used in many of the automotive giant's vehicles. The flaw could potentially allow remote code execution: a serious problem on the privacy side, but one that, on a practical level, would not affect driving in any way.

Sync 3 is a modern infotainment system that supports an in-vehicle Wi-Fi hotspot, phone connectivity, voice commands, third-party applications and more.

The system in question is used in the following car models:

  • Ford EcoSport (2021 – 2022)
  • Ford Escape (2021 – 2022)
  • Ford Bronco Sport (2021 – 2022)
  • Ford Explorer (2021 – 2022)
  • Ford Maverick (2022)
  • Ford Expedition (2021)
  • Ford Ranger (2022)
  • Ford Transit Connect (2021 – 2022)
  • Ford Super Duty (2021 – 2022)
  • Ford Transit (2021 – 2022)
  • Ford Mustang (2021 – 2022)
  • Ford Transit CC-CA (2022)

The vulnerability is tracked as CVE-2023-29468 and, specifically, it involves the WL18xx MCP driver for the Wi-Fi subsystem built into the car’s infotainment system. It allows an attacker within Wi-Fi range to trigger the buffer overflow.

According to the safety bulletin published by Ford: “An attacker within wireless range of a potentially vulnerable device can gain the ability to overwrite the memory of the host processor running the MCP driver”.

Ford cars and Wi-Fi vulnerabilities: the manufacturer’s reassurances

Once the flaw was discovered, Ford acted promptly to estimate the impact, the possible risks and, above all, the measures to mitigate them.

In a statement released through Ford's official website, the automaker promises to make a software patch available soon, which customers will be able to load onto a USB stick and install on their vehicles. The statement reads: “Soon, Ford will release an online software patch for download and installation via USB”.

At the same time, however, the company also wanted to reassure drivers: “To date, we have seen no evidence that this vulnerability has been exploited, which would likely require considerable expertise and would also include being physically near a single vehicle with the ignition and Wi-Fi setting on”.

In any case, as Ford points out: “In the meantime, customers who are concerned about the vulnerability can simply turn off the Wi-Fi functionality via the Sync 3 infotainment system’s Settings menu.”
