Focusing on source code security, gathering the latest news from home and abroad!
Compiled by: Code Guardian
SYNC3 is an infotainment system that supports in-car Wi-Fi hotspots, phone connectivity, voice commands, and third-party applications. This system is used in the following models:
-
Ford EcoSport (2021 – 2022)
-
Ford Escape (2021 – 2022)
-
Ford Bronco Sport (2021 – 2022)
-
Ford Explorer (2021 – 2022)
-
Ford Maverick (2022)
-
Ford Expedition (2021)
-
Ford Ranger (2022)
-
Ford Transit Connect (2021 – 2022)
-
Ford Super Duty (2021 – 2022)
-
Ford Transit (2021 – 2022)
-
Ford Mustang (2021 – 2022)
-
Ford Transit CC-CA (2022)
The vulnerability is identified as CVE-2023-29468, located in the WL18xx MCP driver integrated into the in-vehicle entertainment system’s Wi-Fi subsystem, which could allow attackers within Wi-Fi range to trigger the buffer overflow vulnerability through specially crafted frames.
Ford issued a security bulletin stating, “Attackers within the wireless range of vulnerable devices could overwrite the host processor memory executing the MCP driver.” After discovering the Wi-Fi flaw, Ford immediately took steps to validate, predict impacts, and develop mitigations. Ford stated in a media portal that a software update will soon be released, which users can load onto a USB and install in their vehicles. “Soon, Ford will release an online software patch for users to download and install via USB. For now, concerned customers can disable the Wi-Fi function through the settings menu of the SYNC 3 in-vehicle entertainment system.”
To alleviate customer concerns, Ford also noted that exploiting this vulnerability is not easy; however, even in such unlikely scenarios, it would not put the safety of the targeted vehicle at risk. Ford explained, “So far, no evidence has been found of exploitation of the vulnerability, and exploiting it requires deep expertise and physical proximity to an activated vehicle with Wi-Fi enabled. Investigations have also found that even if it may not occur, if the vulnerability were exploited, it would not affect the safety of vehicle occupants because the in-vehicle entertainment system is protected by firewall controls.”
Finally, Ford encourages security researchers who discover vulnerabilities in vehicles to submit reports directly through the company’s HackerOne platform, through which the company has fixed nearly 2,500 bugs to date.
Qihoo 360 selected as a representative vendor in the global “Static Application Security Testing Landscape”
Qihoo 360 selected as a representative vendor in the global “Software Component Analysis Landscape”
For five years, data from top global companies such as Netflix and Ford exposed due to Amazon S3 storage bucket leaks
Supplier contractors become the Achilles’ heel of automakers, with confidential information from Ford, GM, and Toyota leaked
TCU defects could lead to remote intrusion of vehicles, affecting BMW, Ford, and Nissan
Automotive security is just the tip of the iceberg: Ford recalls over 400,000 vehicles due to software update issues
https://www.bleepingcomputer.com/news/security/ford-says-cars-with-wifi-vulnerability-still-safe-to-drive/
Image source: Pixabay License
This article is compiled by Qihoo 360 and does not represent Qihoo 360’s views. Please indicate the source: “Transferred from Qihoo 360 Code Guardian https://codesafe.qianxin.com”.
Qihoo 360 Code Guardian (codesafe)
The first product line in China focused on software development security.
If you find it good, please click “Read” or “Like“~