Ford SYNC 3 infotainment vulnerable to drive-by Wi-Fi hijacking

Ford has suggested owners of vehicles equipped with its SYNC 3 infotainment system disable the Wi-Fi lest someone nearby exploits a buffer-overflow vulnerability and hijacks the equipment. According to [PDF] Texas Instruments, maker of the vulnerable Wi-Fi chipset in Ford vehicles, the flaw merits a 9.6 on the 10-point CVSS …

  1. Anonymous Coward
    Terminator

    Buffer Overflow in WL18xx MCP Driver

    Is it possible for these geniuses to design an MMU immune to buffer overflows? No, don't tell me how that's not possible.

    -------

    Suggested Mitigations

    if( rsnIeIdx >= 3 )
    {
        TRACE(pHandle->hReport, REPORT_SEVERITY_ERROR, "MLME_PARSER: Number of RSN IEs exeeds 3\n");
        return TI_NOK;
    }

    -------

    1. Anonymous Coward

      Re: Buffer Overflow in WL18xx MCP Driver

      Yeh, but it's not the MMU and that's also a software solution, which is what is already recommended. If anything, the client code should have something #DEFINEd somewhere like MAX_FRAME_SIZE, but apparently doesn't.
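
The check quoted in this thread, placed in context as an added example (not TI's driver code and not posted by either commenter): a parser that walks 802.11 information elements and stores RSN IEs in a fixed three-slot array, testing the index before each write and each length against the bytes that remain. All names here (`collect_rsn_ies`, `rsn_set_t`, `MAX_RSN_IES`, `parse_constructed`) are hypothetical, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RSN_IES 3   /* same limit as the quoted check */
#define EID_RSN     48  /* RSN element ID in IEEE 802.11 */
typedef struct { uint8_t len; uint8_t body[255]; } rsn_ie_t;
typedef struct { size_t count; rsn_ie_t ie[MAX_RSN_IES]; } rsn_set_t;

/* Walk ID/length/value elements; 0 = ok, -1 = truncated, -2 = too many RSN IEs. */
int collect_rsn_ies(const uint8_t *buf, size_t len, rsn_set_t *out)
{
    size_t off = 0;
    out->count = 0;
    while (off < len) {
        if (len - off < 2) return -1;          /* element header cut short */
        uint8_t id = buf[off], ie_len = buf[off + 1];
        off += 2;
        if (ie_len > len - off) return -1;     /* body would run past the frame */
        if (id == EID_RSN) {
            if (out->count >= MAX_RSN_IES) return -2;  /* reject before writing */
            out->ie[out->count].len = ie_len;
            memcpy(out->ie[out->count].body, buf + off, ie_len);
            out->count++;
        }
        off += ie_len;
    }
    return 0;
}

/* Constructed input: n minimal RSN IEs, last `trim` bytes cut; returns count or error. */
int parse_constructed(unsigned n, size_t trim)
{
    uint8_t frame[64];
    size_t off = 0;
    rsn_set_t set;
    for (unsigned i = 0; i < n && off + 4 <= sizeof frame; i++) {
        frame[off++] = EID_RSN; frame[off++] = 2;    /* ID, length */
        frame[off++] = 0x01;    frame[off++] = 0x00; /* body: version 1 */
    }
    int rc = collect_rsn_ies(frame, off > trim ? off - trim : 0, &set);
    return rc < 0 ? rc : (int)set.count;
}

int main(void)
{
    printf("3 IEs -> %d, 4 IEs -> %d\n", parse_constructed(3, 0), parse_constructed(4, 0));
    return 0;
}
```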

  2. Neil Barnes Silver badge

    Amazing

    In the same way that the mobile phone has turned into a pocket entertainment centre the least of whose functions is actually making phone calls, the car has turned into an entertainment centre with wheels; actually going somewhere in it seems to be low on the list of design priorities... what is the actual point of all this connectivity, and in what way is the driving experience improved by it?

    1. abend0c4 Silver badge

      Re: Amazing

      in what way is the driving experience improved

      What's that got to do with a platform ultimately intended to provide ongoing revenue from subscriptions and "optional" extras? Though which in reality is likely to be unusable by the time the vehicle reaches its second owner.

      It reminds me of the early days of mobile phones when the networks thought they would earn a fortune from being the billing intermediary for lots of value-added services.

  3. Anonymous Coward

    firewalled

    "since the infotainment system is firewalled from controls like steering, throttling and braking"

    Firewalled, like ... not air gapped? If this is supposed to make me comfortable, rest assured it doesn't!

    1. Spazturtle Silver badge

      Re: firewalled

      They connect these units to the canbus so that they can read engine data and use that for their fancy mpg indicator and stuff like that. The canbus was never designed to be secure and I doubt you can properly firewall parts off.

      So much of cars is digital now, there hasn't been a mechanical linkage between the accelerator and the fuel injectors in a long time, brakes are still mechanical but have ABS which is controlled by the computer and some modern cars use full electric power steering with no mechanical linkage.

    2. Lee D Silver badge

      Re: firewalled

      I can't speak for Sync 3, but Sync 2 (which was ironically Windows-based) actually is isolated.

      There is no information from the driving computer (e.g. speedo, mileometer, etc.) that propagates into the Sync 2 system anywhere at all. Even the controls on the steering wheel are separated - cruise control etc. on the left, and entertainment volume, phone etc. on the right. You have the clock on one but not another, the GPS on one but the instrument speedo on the other, and so on.

      The Sync 2 handles bluetooth, wifi (for sharing local connections only), satnav (entirely offline) and - oddly - aircon and as far as I know contains no connection to the car's buses. If you want to replace the Sync 2 with Android units, you basically have to plug in an OBD adaptor to get anything like that. You don't have to plug in to control aircon, for instance, but you do if you want OBD information.

      Given that you can upgrade the Sync 2 to the Sync 3 in many models, I would suspect that this is actually the case going forward too, unless such an upgrade involves a far more drastic rewire than people are letting on.

      And I have personal experience of the Sync 2 because I had the unit fail on me while driving. At first the music was skipping and being odd, then I lost control of the entertainment. Then the unit powered down and I lost aircon. But at no point was the dashboard computer (the one behind the steering wheel that handles and displays MPG, driving settings, etc.) affected, and nor were any driving functions.

      Turned out that the SD card just needed replacement, but the whole entertainment system just bugged out and fell over, while I was driving along happily.

      Apart from that one incident (resolved with a non-corrupt SD card), it was pretty solid.

      But Ford Sync has been through a number of iterations now - QNX, Windows, etc. I'm just going to leave mine on Sync 2 until the car dies, I think. I don't even really use the satnav any more as it costs £150+ (or some piracy) to update the maps and they only surface once every year or so. They can't quite seem to get it right and I don't think throwing it all out and starting again each time is helping.

      That said, it does everything I want it to do which is connect to my phone, play music, turn on the air-con and get out of my way.

    3. Starace

      Re: firewalled

      From what I remember from having a poke at mine, the interface to the car was one PCB, the main processor is a different PCB, and there's a sort of shared memory datapool structure between them with fixed functionality/variable definitions.

      So the operating system not only had no access to a CAN interface but the data that it could access was predefined and it had no way to vary it.

      So I guess more of a data diode than a firewall?

  4. big_D

    Dumb cars...

    This is why cars should be "dumb". This is being found when the cars are still relatively new, what is when a similar fault is found in a 10 year old or a 20 year old car?

    Cars have a much longer life than consumer electronics and unless the manufacturers are willing to invest in long term security, they should leave the vehicles as dumb as possible, at least in terms of accessibility from outside the vehicle.

    1. Raphael

      Re: Dumb cars...

      yep, while I like some of the new features, I do miss my old Mini where everything was simple (I even fixed an electrical fault once with a small piece of wire). You just had to remember to have a plastic bag over the distributor cap to make sure no water got in.

  5. TeeCee Gold badge
    Facepalm

    Ford says.

    ...the issue doesn't make their cars unsafe to drive.

    Translation: There has been no official recall issued for this, so we're going to do fuck all about it as usual. We're Ford, we don't give a rat's arse about our customers. Just ask Ralph Nader.

    Real meaning: You're safe until somebody works out a CANBUS exploit that'll run on the hardware.

  6. I miss PL/1

    I hope Ford can get this update out faster than the year long promised Blue Cruise updates. Ford software does not leave me with a warm and fuzzy. I guess that's why they hired the Apple guy to help them come into the 21st century of software development.

    1. X5-332960073452
      Happy

      Have a look at - https://community.cyanlabs.net/c/ford/5

      Great website for updating Ford software, several releases ahead of official channel.

      https://cyanlabs.net/applications/syn3updater/ - is what I use to create USB sticks for updates.
