Ford has issued a statement confirming that some of its Mustang sports cars and several other vehicles have a Wi-Fi vulnerability that could theoretically allow a hacker to launch a remote code execution attack. However, Ford is assuring owners of affected vehicles that the security flaw doesn't present a safety risk to the driver or any passengers.
The flaw exists within a Texas Instruments MCP driver (WL18xx) used in vehicles that rolled off the assembly line with Ford's SYNC 3 infotainment system. Using a specially crafted frame, an attacker could trigger a buffer overflow.
It's being tracked as CVE-2023-29468 with a CVSS base score range of 8.8 to 9.6.
"The higher base score reflects a Confidentiality and Integrity impact of High. However, some systems can have a Confidentiality or Integrity Impact of Low depending on the characteristics of the host processor executing the WL18xx MCP driver and whether the disclosure or modification of the memory that can be accessed represents a direct or serious loss," Texas Instruments states in a security bulletin (PDF).
Should you worry? Ford says it has not seen any evidence that the Wi-Fi vulnerability has actually been exploited. The automaker further states that exploiting the vulnerability is not easy to pull off, noting that it would "likely require significant expertise." In addition, a hacker would need to be physically near the affected vehicle, which in turn would need to both be running and have Wi-Fi functionality enabled.
"Our investigation also found that if this vulnerability was exploited, however unlikely, it would not affect the safety of vehicle occupants, since the infotainment system is firewalled from controls like steering, throttling and braking," Ford says.
Ford's SYNC 3 system is available on at least a dozen vehicle models, including Bronco Sport, EcoSport, Escape, Expedition, Explorer, Maverick, Mustang, Ranger, Super Duty, Transit, Transit CC-CA, and Transit Connect.
There have been reports that this mostly affects 2021 and 2022 model year cars, though that might not be accurate. Ford made its SYNC 3 software available to several older models as well, including 2015 and newer Mustangs. The flaw exists in the actual Wi-Fi driver and not the vehicle itself, but if older cars use the same Wi-Fi system as newer models, they could potentially be affected as well.
Ford is planning to release a patch to mitigate the Wi-Fi flaw (PDF), which will be available to download and install via USB. In the meantime, Ford recommends that anyone worried about this can turn off Wi-Fi functionality through the Settings menu on their SYNC 3 system.