Ford has addressed a critical vulnerability in the TI Wi-Fi driver of its SYNC 3 infotainment system, clarifying that it does not pose a safety risk to specific vehicle models. The vulnerability, identified as CVE-2023-29468, affects the Texas Instruments-supplied Wi-Fi driver used in the infotainment system of several Ford and Lincoln vehicles. The flaw is a buffer overflow that an attacker within wireless range could trigger with a specially crafted frame, potentially leading to remote code execution.
Although the CVSS score for the vulnerability varies between 8.8 and 9.6 depending on the impact on confidentiality and integrity, Ford has emphasized that it has found no evidence of any exploitation thus far. The company worked with the chip maker, TI, to develop and validate measures to mitigate the vulnerability. Ford asserts that even if the flaw were exploited, it would not endanger the safety of vehicle occupants, because the infotainment system remains segregated from essential controls like steering and braking.
To address the issue, Ford plans to release a software patch that can be downloaded and installed via the USB ports of affected vehicles. As an interim measure, the company suggests turning off Wi-Fi through the SYNC 3 infotainment system’s Settings menu. Ford also says customers can check online whether their vehicles are equipped with SYNC 3. The SYNC 3 infotainment system is featured in a range of Ford models, including the Mustang, Super Duty, Transit, Transit Connect, Bronco Sport, Expedition, Explorer, Escape, EcoSport, Maverick, and Ranger, spanning the years 2021 and 2022.