There are several methods for finding vulnerabilities and issues in Bluetooth-enabled devices, fuzz testing being one of them.
Fuzz testing is a method of feeding applications automatically generated, unexpected inputs. It addresses the question “What happens if I purposely feed invalid values into an application?” efficiently and, depending on how sophisticated the fuzzer is, effectively. The other half of the method is watching the target closely enough to notice when one of those inputs causes a crash, a hang, or a memory error; an input that misbehaves unobserved finds nothing.
Here’s an example. Say an application has an input field that expects a first name. Fuzz testing lets testers act on the question, “What happens if I feed it variations of a 10,000-character run of ‘a’?” Most security researchers, and certainly attackers, will be aiming to overflow a buffer that is copied into without a bounds check, or to trigger some other anomalous reaction. Let’s add another level of complexity: what if we modify the invalid input by adding a printf-style format specifier (the same family in C and C++), for example “%s”, so that an application which passes our input straight to printf as the format string reads memory it was never meant to expose? Can you think of some other unexpected input?
Some applications handle these unexpected inputs just fine. Others crash, and some can be pushed into executing attacker-supplied commands, for fun or for profit at the expense of end users. Unauthorized access and missing fail-safes are particularly concerning in systems and software for safety-critical fields such as automotive.
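As an added illustration of the two paragraphs above (this is not code from the original post, nor the Bluetooth fuzzer it goes on to describe), here is a small C harness: a hypothetical vulnerable greeting routine next to a hardened one, a generator that produces the ‘a’ runs and format-specifier variants (it goes beyond the “%s” in the text by also trying “%x”, which leaks stack words, and “%n”, which writes to memory), and a fork-based runner that counts which inputs crash the target. The function names, the NAME_MAX buffer size and the case lengths are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define NAME_MAX 32                 /* assumed fixed-size first-name buffer */
#define MAX_CASE_LEN (10000 + 16)   /* longest generated input incl. prefix */

/* Vulnerable target (hypothetical): unbounded copy into a fixed stack buffer,
 * then the attacker-controlled string is used as the printf format string.
 * Only ever run in a forked child, never in the fuzzer process itself. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void greet_vulnerable(const char *first_name) {
    char buf[NAME_MAX];
    strcpy(buf, first_name);   /* 10,000 'a's run straight past buf */
    printf(buf);               /* "%s"/"%x" read memory off the stack */
    printf("\n");
}
#pragma GCC diagnostic pop

/* Hardened counterpart: explicit length check, bounded formatting, and the
 * input is only ever a %s argument, never the format string itself.
 * Returns 0 on success, -1 when the input is rejected. */
int greet_hardened(const char *first_name, char *out, size_t out_len) {
    size_t n = strlen(first_name);
    if (n == 0 || n >= NAME_MAX)
        return -1;
    int written = snprintf(out, out_len, "Hello, %s!", first_name);
    if (written < 0 || (size_t)written >= out_len)
        return -1;
    return 0;
}

/* Adapter so the hardened function fits the fuzz target signature. */
void greet_hardened_target(const char *first_name) {
    char out[64];
    if (greet_hardened(first_name, out, sizeof out) == 0)
        printf("%s\n", out);
}

/* Case generator: every 'a' run length (chosen around the NAME_MAX boundary
 * and far beyond it) combined with every format-specifier prefix. */
static const size_t kLengths[] = {1, 31, 32, 33, 1000, 10000};
static const char *kSpecifiers[] = {"", "%s", "%x%x%x%x", "%n"};
#define N_LENGTHS (sizeof kLengths / sizeof kLengths[0])
#define N_SPECS   (sizeof kSpecifiers / sizeof kSpecifiers[0])
#define N_CASES   (N_LENGTHS * N_SPECS)

/* Writes case number idx into out; returns its length (0 if it does not fit). */
size_t gen_case(unsigned idx, char *out, size_t cap) {
    if (idx >= N_CASES) return 0;
    size_t len = kLengths[idx / N_SPECS];
    const char *spec = kSpecifiers[idx % N_SPECS];
    size_t spec_len = strlen(spec);
    if (spec_len + len + 1 > cap) return 0;
    memcpy(out, spec, spec_len);
    memset(out + spec_len, 'a', len);
    out[spec_len + len] = '\0';
    return spec_len + len;
}

typedef void (*target_fn)(const char *);

/* Run one input inside a forked child so a crash kills the child, not the
 * fuzzer. Returns 1 if the target crashed (killed by a signal such as SIGSEGV,
 * or SIGABRT from the stack protector, or a non-zero exit as sanitizers do),
 * 0 if it survived, -1 if the harness itself failed. */
int run_one(target_fn target, const char *input) {
    fflush(stdout);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        target(input);
        fflush(stdout);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) != 0) return 1;
    return 0;
}

/* Feeds every generated case to the target; returns the number of crashes. */
int fuzz(target_fn target) {
    static char input[MAX_CASE_LEN + 1];
    int crashes = 0;
    for (unsigned i = 0; i < N_CASES; i++) {
        if (gen_case(i, input, sizeof input) == 0) continue;
        if (run_one(target, input) > 0) {
            fprintf(stderr, "crash on case %u (len %zu)\n", i, strlen(input));
            crashes++;
        }
    }
    return crashes;
}

int main(void) {
    printf("vulnerable: %d crashing cases\n", fuzz(greet_vulnerable));
    printf("hardened:   %d crashing cases\n", fuzz(greet_hardened_target));
    return 0;
}
```

Build with `cc -o fuzz fuzz.c` and run it. The vulnerable target dies on the oversized runs (the stack protector aborts, or the overwritten return address faults), while the hardened one rejects them and treats “%s” as plain text. Note that the crash is only ever noticed because the harness checks the child’s exit status; a fuzzer that sends inputs without that kind of monitoring learns nothing, which is the part the text above takes for granted.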
Because practically all modern car kits are Bluetooth-enabled, fuzz testing is highly relevant in the automotive industry. In this post, I’ll explain how we built a solution to fuzz Bluetooth-enabled devices, the challenges we ran into, and how we solved them.