Ford warns of a buffer overflow bug in the SYNC3 infotainment system of it’s cars that may let a hacker perform RCE attacks if it’s situated within a suitable range.
After finding this, SYNC3 immediately informed Ford on how to validate the bug, estimate it’s impact and develop mitigation measures. A patch for this is in the works, says Ford, while also assuring that vehicle’s driving safety isn’t impacted even in the worst case scenario.
Wi-Fi Bug in Ford Cars
Ford, a reliable American automobile company, disclosed a medium-severity bug in it’s SYNC3 infotainment system – used in many of it’s latest Ford and Lincoln vehicles. The buffer overflow bug tracked as CVE-2023-29468, is in the WL18xx MCP driver of the infotainment’s WiFi subsystem. Affected models include;
- Ford EcoSport(2021 – 2022)
- Ford Escape(2021 – 2022)
- Ford Bronco Sport(2021 – 2022)
- Ford Explorer(2021 – 2022)
- Ford Maverick(2022)
- Ford Expedition(2021)
- Ford Ranger(2022)
- Ford Transit Connect(2021 – 2022)
- Ford Super Duty(2021 – 2022)
- Ford Transit(2021 – 2022)
- Ford Mustang(2021 – 2022)
- Ford Transit CC-CA(2022)
If exploited, this can allow an attacker in the WiFi range to trigger the buffer overflow using a specially crafted frame. Upon discovering this vulnerability, SYNC3 informed Ford and took immediate action to validate it, estimate the impact and develop mitigation measures.
Ford says a patch for this bug is in the works and it could be installed via USB when available. Furthermore, the company says it found no evidence of this bug’s exploitation in the wild, as it needs significant expertise and the hacker being physically near the targeted vehicle, with it’s ignition and WiFi setting on to take over.
Well, even in the worst case, Ford says, “it would not affect the safety of vehicle occupants, since the infotainment system is firewalled from controls like steering, throttling and braking”. Finally, the company invites security researchers with their bug discoveries to submit reports directly on Ford’s HackerOne program, through which it has resolved nearly 2,500 bugs so far.
Other Trending News:- News
