Ford Motor Company has recently announced that a Wi-Fi software driver vulnerability in its Ford SYNC 3 infotainment system was discovered by a researcher.
According to a Texas Instruments (TI) security advisory, the vulnerability (CVE-2023-29468) affects TI WILINK8-WIFI-MCP8 version 8.5_SP3 and earlier. TI further warned that the Wi-Fi driver does not limit the number of information elements (IEs) of type XCC_EXT_1_IE_ID or XCC_EXT_2_IE_ID that can be parsed in a management frame.
As a consequence, a specially crafted frame can trigger a buffer overflow, which could potentially lead to remote code execution.
The CVE is estimated to be in the CVSS score range of 8.8 to 9.6.
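To illustrate the class of bug the advisory describes, the following is an added example, not TI's driver code: a management-frame IE walker that stores matching elements in a fixed-size table and rejects a frame that carries more of them than the table holds. The IE ID values, the table size and all names (`collect_ext_ies`, `ext_ie_table`, `MAX_EXT_IES`) are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed placeholder IDs; not the values used by the TI driver. */
#define EXT_1_IE_ID 0x55
#define EXT_2_IE_ID 0xDD
#define MAX_EXT_IES 4   /* capacity of the fixed-size table below (assumed) */

struct ie_ref { const uint8_t *data; uint8_t len; };

struct ext_ie_table {
    struct ie_ref entry[MAX_EXT_IES];
    size_t count;
};

/*
 * Walk the ID/length/value elements of a management frame body and record
 * every element of the two extension types.
 * Returns 0 on success, -1 if the frame is malformed or carries more
 * matching elements than the table can hold.
 */
int collect_ext_ies(const uint8_t *body, size_t body_len,
                    struct ext_ie_table *tbl)
{
    size_t off = 0;

    tbl->count = 0;
    while (off < body_len) {
        if (body_len - off < 2)
            return -1;                      /* truncated IE header */
        uint8_t id = body[off];
        uint8_t len = body[off + 1];
        if ((size_t)len > body_len - off - 2)
            return -1;                      /* value runs past the frame */

        if (id == EXT_1_IE_ID || id == EXT_2_IE_ID) {
            /* The limit the advisory says is missing: without a count
             * check, each extra matching element would be written past
             * the end of the table. */
            if (tbl->count >= MAX_EXT_IES)
                return -1;
            tbl->entry[tbl->count].data = &body[off + 2];
            tbl->entry[tbl->count].len = len;
            tbl->count++;
        }
        off += 2 + (size_t)len;
    }
    return 0;
}
```

The per-element length check and the per-frame count check are separate: a frame in which every element is well-formed can still exceed the table if only lengths are validated.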
Ford statement
“Ford learned from a supplier that a security researcher discovered a vulnerability in the Wi-Fi software driver supplied for use in the SYNC 3 infotainment system available on some Ford and Lincoln vehicles. Immediately, and in collaboration with them, we began developing and validating measures to address the vulnerability,” Ford said in a statement.
“To date, we’ve seen no evidence that this vulnerability has been exploited, which would likely require significant expertise and would also include being physically near an individual vehicle that has its ignition and Wi-Fi setting on. Our investigation also found that if this vulnerability was exploited, however unlikely, it would not affect the safety of vehicle occupants, since the infotainment system is firewalled from controls like steering, throttling and braking,” Ford added.
Moreover, Ford said that customers can temporarily disable Wi-Fi until a patch is made available, which the automaker said should be expected soon.