Skip links

Ford SYNC 3 infotainment systems vulnerable to drive-by Wi-Fi hijacking

Ford has suggested owners of vehicles equipped with its SYNC 3 infotainment system disable the Wi-Fi lest someone nearby exploits a buffer-overflow vulnerability and hijacks the equipment.

According to [PDF] Texas Instruments, maker of the vulnerable Wi-Fi chipset in Ford vehicles, the flaw merits a 9.6 on the 10-point CVSS severity scale at the worst, and an 8.8 at minimum. Successful exploitation requires an attacker to be within wireless range.

Still, Ford wants affected vehicle owners to know that the issue doesn’t make their cars unsafe to drive. “We [immediately] began developing and validating measures to address the vulnerability,” Ford said.

“To date, we’ve seen no evidence that this vulnerability has been exploited, which would likely require significant expertise … [and] would not affect the safety of vehicle occupants, since the infotainment system is firewalled from controls like steering, throttling and braking,” the Detroit automaker added. 

The issue lies in TI’s WiLink WL18xx series Wi-Fi MCPs, the firmware of which doesn’t limit the number of some information elements that can be parsed in a management frame. “Using a specially crafted frame, a buffer overflow can be triggered that can potentially lead to remote code execution,” TI said. 

The vulnerability could be triggered by anyone within Wi-Fi range, TI added.

Ford said it’s working on a patch users can download and install via USB, although there was no mention of a timeline for the release of the manual patch or an eventual over-the-air update.

A Ford spokesman told The Reg that once the software update becomes available, if customers chose to connect the SYNC 3 Wi-Fi functionality to a network (such as a home Wi-Fi system), they could receive this update via OTA delivery. He added: “As the disclosure states, the software patch will be available soon as we are in the final phase of testing and validating it before making it available to customers.”

While waiting for the patch, Ford says concerned owners of affected vehicles can turn Wi-Fi functionality off in SYNC 3’s Settings menu to avoid exploitation.

SYNC 3 shipped with at least model year 2021 and 2022 vehicles, including the Ford Escape, Explorer, Mustang, Transit, and Super Duty. Those unsure if they have SYNC 3 can find out here.

It’s not clear what other devices Texas Instruments WL18xx series chips may be used in for automotive applications or otherwise. In its documentation for the vulnerability, TI doesn’t mention plans for its own patch to address the issue. Instead, TI recommends sticking a new line of code into one of the driver files to limit the number of elements that can be parsed before it throws an error.

The Register didn’t immediately hear back from Texas Instruments. ®