
Ford "Quietly" Provides Sync 3 Security Vulnerability Warning

Alaska Wolf

I just installed the map update, it restarted once then said it was updating again. When all was done the message told me I had a sync update so I checked and I still have the same version of sync, but the screen boots up much faster than it did before the update. Maps is the new version.
That's apparently one of the less serious bugs people are encountering. If Cyan Labs is warning people off that version, I'll wait until they can push an official version that works out the door. :\
 

MaxE731

I did a little time (thankfully) with SAC...416th FMS Griffiss AFB
I did 2 years with the 449th AMS at Kincheloe AFB, Michigan before I went to F4s in Germany.
 

ControlNode

I wonder if there was a hardware change due to supply issues for the chips they were using that is causing the issue only on newer APIMs. I noticed the years were only the most recent, even though the models listed have been made more years than the notice included. That could explain a couple things: 1) why the wifi issue is only listing new models, perhaps there was a different chipset in the older radios. 2) Some driver was missing for the newer hardware chipset in the 22251 update, resulting in the bricked state. I doubt Ford will give full details though, they almost never do.
 

RDJTX

Found this today entirely by accident. "Ford learned from a supplier that a security researcher discovered a vulnerability in the Wi-Fi software driver supplied for use in the SYNC 3 infotainment system available on some Ford and Lincoln vehicles. Immediately, and in collaboration with them, we began developing and validating measures to address the vulnerability."

No idea how far back this goes, but I'm guessing that ALL Sync 3 vehicles including vehicles still on 3.0 are vulnerable.  While they say it would not affect the safety of vehicle occupants, since the infotainment system is firewalled from controls like steering, throttling and braking, there obviously seems to be a reason for concern as they want us to turn off WiFi functionality.

https://media.ford.com/content/ford...uidance-in-response-to-supplier-disclosu.html
There is a reason I never turned WiFi on in my truck..

My Father spent a number of years in SAC. We spent 6 years on Vandenberg AFB, then went to Hawaii when he went into the OSI.
 
Alaska Wolf

I wonder if there was a hardware change due to supply issues for the chips they were using that is causing the issue only on newer APIMs. I noticed the years were only the most recent, even though the models listed have been made more years than the notice included. That could explain a couple things: 1) why the wifi issue is only listing new models, perhaps there was a different chipset in the older radios. 2) Some driver was missing for the newer hardware chipset in the 22251 update, resulting in the bricked state. I doubt Ford will give full details though, they almost never do.
John, it's apparently a Texas Instruments driver problem, not a hardware issue. "Tracked as CVE-2023-29468, the bug impacts the Texas Instruments-supplied Wi-Fi driver used in the infotainment system of at least a dozen vehicles." And the author in Bleeping Computer didn't get it entirely right when he listed vehicles, as it affects all Ford AND Lincoln vehicles with Sync 3, whether it's a 2016 Lincoln vehicle running Sync 3.0 or a 2023 Ford running Sync 3.4. They all use that same TI driver. His point later on is that many other types of systems (buildings, ships, aircraft, etc.) could all be impacted by TI's WiFi driver vulnerability, as apparently it's in fairly widespread use, a point on which he could very well be correct. Ford could very well be just the proverbial tip of the iceberg.
 

Grandaccess

Found this today entirely by accident. "Ford learned from a supplier that a security researcher discovered a vulnerability in the Wi-Fi software driver supplied for use in the SYNC 3 infotainment system available on some Ford and Lincoln vehicles. Immediately, and in collaboration with them, we began developing and validating measures to address the vulnerability."

No idea how far back this goes, but I'm guessing that ALL Sync 3 vehicles including vehicles still on 3.0 are vulnerable.  While they say it would not affect the safety of vehicle occupants, since the infotainment system is firewalled from controls like steering, throttling and braking, there obviously seems to be a reason for concern as they want us to turn off WiFi functionality.

https://media.ford.com/content/ford...uidance-in-response-to-supplier-disclosu.html
Since it's firewalled from the important stuff, they can break in and change my station while I am listening to a really good song?
Dirty rotten no-good hackers LOL. I am sure they will push a new driver long before it becomes an issue :)
 

ControlNode

John, it's apparently a Texas Instruments driver problem, not a hardware issue. "Tracked as CVE-2023-29468, the bug impacts the Texas Instruments-supplied Wi-Fi driver used in the infotainment system of at least a dozen vehicles." And the author in Bleeping Computer didn't get it entirely right when he listed vehicles, as it affects all Ford AND Lincoln vehicles with Sync 3, whether it's a 2016 Lincoln vehicle running Sync 3.0 or a 2023 Ford running Sync 3.4. They all use that same TI driver. His point later on is that many other types of systems (buildings, ships, aircraft, etc.) could all be impacted by TI's WiFi driver vulnerability, as apparently it's in fairly widespread use, a point on which he could very well be correct. Ford could very well be just the proverbial tip of the iceberg.
I was not saying it's a hardware issue, just that there could have been a silent hardware change due to availability of chips. Perhaps someone forgot the driver for the chip in the newer system in the updated software package. I would have to think there is some difference between the 2021 I have and the 2022-2023 since mine still shows 55521 as an update while the newer Rangers do not.

It could be possible that 55521 doesn't handle the absence of the Wi-Fi hotspot well and gets hung up attempting to load its drivers when the device is not present. And, since mine still has that hardware, they still allow the update.
 

LvRob

Since it's firewalled from the important stuff, they can break in and change my station while I am listening to a really good song?
Dirty rotten no-good hackers LOL. I am sure they will push a new driver long before it becomes an issue :)
I am a professional in the embedded security world, over 25 years of experience designing, developing, testing, and supporting device drivers on embedded computer boards.
I am looking at the reported CVE currently, since I do this on a weekly basis for the products I manage anyhow.
"Can an attacker <fill in the blank>..." can never be fully 100 percent answered with certainty. Using a firewall that ideally has layers of software protection means it is very difficult and perhaps impossible to move from one computer system (infotainment) to another (automotive controls). That's how to properly design an automotive system.
 

LvRob

See my note above on my background in the embedded security world.

I reviewed the security advisory from Ford and the corresponding one from Texas Instruments, who is the supplier of the part and the device driver software. From my professional perspective this is a minor problem limited to the following facts:

1. Your vehicle must be connected to your WiFi (probably at home)
2. An attacker has already penetrated and is actively operating inside your home computer network
3. Attacker knows about the vulnerability in your vehicle WiFi.
4. Attacker has created an exploit against the WiFi driver in your vehicle
5. Successful attacker can take over control of the embedded computer board that is managing the WiFi, meaning your vehicle infotainment system.

That is a long list of successful steps in an attack chain all to get access to a vehicle infotainment system while parked at home.

MITIGATION: I agree with Ford, disable WiFi access to your home network in your vehicle infotainment system if you are concerned about this. OR verify that your vehicle can only connect to your home WiFi and no other WiFi devices. I also see that because there is no exploit against this device driver that this is NOT a critical issue at all.
 
Alaska Wolf

I also see that because there is no exploit against this device driver that this is NOT a critical issue at all.
As a retired AF/DoD cybersecurity professional that helped develop the original NIST SP 800-171 standards, I find your remarks to be more than a little presumptive. You are declaring this to be NOT a critical issue at all in your "professional opinion". Personally, I would never presume to make that determination without access to all relevant data. So I'm "assuming" that you have ALL of the relevant information pertaining to this issue, even though this is still in the most preliminary stages of investigation?

Now, we all know Ford is going to downplay any potentially serious issue, that's a given; and something way too many people in these forums have had first hand experience with, so anything they have to say is best taken with a grain of salt. And Hyundai, Kia, and Genesis all downplayed their vulnerabilities, until an active exploit was developed and posted on TikTok; that didn't turn out well.

Now, as TI itself has declared in its CVE-2023-29468 PSIRT Notification; Buffer Overflow in WL18xx MCP Driver Summary, that "the TI WiLink WL18xx MCP driver does not limit the number of information elements (IEs) that can be parsed in a management frame. Using a specially crafted frame, a buffer overflow can be triggered that can potentially lead to remote code execution." Oops, Texas Instruments said that bad thing "remote code execution". Notice there is nothing said except they have identified a viable buffer overflow exploit? Exactly what kind of "remote code execution" are we talking here? Doesn't sound like taking over people's home networks is involved though.

Texas Instruments then assigned a Common Vulnerability Scoring System base score for this issue with a range from 8.8 to 9.6. In their remarks, they ascertain the higher base score reflects a Confidentiality and Integrity impact of High.

CVSS vector • High Score (9.6): CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Now, I don't know about the embedded security world, but I personally would find a CVSS 9.6 to be rather concerning, as that does in fact put the vulnerability into the Critical range. Texas Instruments certainly didn't seem confident in classifying CVE-2023-29468 as being "minor", and I think we can agree that they darned well would have, if they could have. The fact that TI rated the scopes Confidentiality, Integrity and Availability all as High, and Attack Complexity as Low does suggest the CVSS of 9.6 may well be an accurate assessment. The Access rated at Local just means an attacker may only need to be in the vicinity of the vehicle, as was the case with Hyundai, Genesis, and Kia. But again, I don't have enough information to formulate an informed opinion.

And as the National Vulnerability Database still shows the vulnerability analysis as "Pending", and there are still too many unknowns, I would think that any professional would wait before offering their own "professional opinion". This could very well in fact turn out to be nothing, or there may well be a reason Texas Instruments assigned such a high CVSS score based on information we do not have. And that is my personal opinion.
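
The TI summary quoted in the post above describes a parser that puts no limit on how many information elements it accepts from one management frame. As an added illustration (not TI's driver code and not from the thread), this C parser indexes IEs into a fixed table and enforces both the per-element and the element-count bound; `MAX_IES`, `struct ie_ref` and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_IES 16  /* assumed table size; the real driver's value is not on the page */
struct ie_ref { uint8_t id, len; const uint8_t *data; };
enum { IE_TRUNCATED = -1, IE_TOO_MANY = -2 };

/* Walk a run of 802.11 information elements (1-byte id, 1-byte length,
 * payload) and index them in a fixed table. Returns the element count, or a
 * negative status. Two bounds are enforced: each element must fit in the
 * buffer, and the count may not exceed the table. A parser missing the
 * second check is the flaw class the TI summary describes. */
int parse_ies(const uint8_t *buf, size_t buflen, struct ie_ref table[MAX_IES])
{
    size_t off = 0;
    int n = 0;

    while (off < buflen) {
        if (buflen - off < 2)
            return IE_TRUNCATED;                 /* header cut short */
        uint8_t len = buf[off + 1];
        if ((size_t)len > buflen - off - 2)
            return IE_TRUNCATED;                 /* payload runs past the frame */
        if (n == MAX_IES)
            return IE_TOO_MANY;                  /* next write would leave table[] */
        table[n++] = (struct ie_ref){ buf[off], len, buf + off + 2 };
        off += 2 + (size_t)len;
    }
    return n;
}

/* Constructed input, not a capture: n zero-length vendor-specific IEs (id 221). */
int parse_n_empty_ies(size_t n)
{
    uint8_t frame[128] = {0};
    struct ie_ref table[MAX_IES];
    if (n > sizeof frame / 2) n = sizeof frame / 2;
    for (size_t i = 0; i < n; i++)
        frame[2 * i] = 221;
    return parse_ies(frame, 2 * n, table);
}

int main(void)
{
    printf("16 IEs -> %d, 17 IEs -> %d\n", parse_n_empty_ies(16), parse_n_empty_ies(17));
    return 0;
}
```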
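
The 9.6 base score quoted in the post above can be recomputed from its vector string. This added example (not from the thread or from TI) implements the CVSS v3.1 base equations in C; the function names are assumptions, and the Scope:Unchanged vector in `main` is a constructed comparison, not a vector given on the page.

```c
#include <stdio.h>
#include <string.h>

/* Value of one metric in a CVSS v3.1 vector, e.g. metric(v, "AV") -> 'A'; 0 if absent. */
static char metric(const char *vec, const char *name)
{
    char key[8];
    snprintf(key, sizeof key, "/%s:", name);
    const char *p = strstr(vec, key);
    return p ? p[strlen(key)] : 0;
}

static double cia(char c) { return c == 'H' ? 0.56 : c == 'L' ? 0.22 : 0.0; }

/* CVSS v3.1 base score times ten (96 means 9.6), using the base equations
 * and the integer form of the Roundup function from the FIRST specification. */
int cvss31_base_x10(const char *vec)
{
    int changed = metric(vec, "S") == 'C';
    char av = metric(vec, "AV"), pr = metric(vec, "PR");
    double w_av = av == 'N' ? 0.85 : av == 'A' ? 0.62 : av == 'L' ? 0.55 : 0.20;
    double w_ac = metric(vec, "AC") == 'L' ? 0.77 : 0.44;
    double w_pr = pr == 'N' ? 0.85 : pr == 'L' ? (changed ? 0.68 : 0.62)
                                               : (changed ? 0.50 : 0.27);
    double w_ui = metric(vec, "UI") == 'N' ? 0.85 : 0.62;
    double iss = 1.0 - (1.0 - cia(metric(vec, "C"))) * (1.0 - cia(metric(vec, "I")))
                     * (1.0 - cia(metric(vec, "A")));
    double impact = 6.42 * iss;
    if (changed) {                               /* scope-changed impact term */
        double t = iss - 0.02, t15 = 1.0;
        for (int i = 0; i < 15; i++) t15 *= t;
        impact = 7.52 * (iss - 0.029) - 3.25 * t15;
    }
    double expl = 8.22 * w_av * w_ac * w_pr * w_ui;
    if (impact <= 0.0) return 0;
    double raw = changed ? 1.08 * (impact + expl) : impact + expl;
    if (raw > 10.0) raw = 10.0;
    long scaled = (long)(raw * 100000.0 + 0.5);  /* round up to one decimal */
    return scaled % 10000 == 0 ? (int)(scaled / 10000) : (int)(scaled / 10000) + 1;
}

int main(void)
{
    printf("page vector x10: %d\n", cvss31_base_x10("CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"));
    printf("constructed S:U x10: %d\n", cvss31_base_x10("CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"));
    return 0;
}
```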