Fuzzing a Car Multimedia System?

(Source: clarion.com)
Source: clarion.com

Fuzzing is a new way to test the security of a system or an application by sending garbage or badly formated data. This attack may crash the target system or, in worst cases, produce unexpected results.

In my new car, I’ve a complete multimedia system (GPS, radio, GSP, MP3, onboard computer, etc). One of the proposed features is to copy the inserted audio CD on the built-in hard drive. Cool! But, wait… It means that data coming from an untrusted source will be read and processed by the system?

I burned a CD with some MP3’s and added some files in an unexpected format (text files, JPEG files). Some MP3 files were renamed with French characters like “é” or “ç”. Once the CD inserted, the multimedia system asked me if I would like to rip the CD. Yes of course! It started and a few minutes later… DoS!

Bingo, a Deny of Service hit the multimedia system, no GPS map move, locked display, missing or big delays in information processing. I suspected some CPU overload. I was forced to reboot the whole system. After the reboot, the system just warned me that the copy failed.

Honestly, I did not perform more tests. I need my system up’n’running… 🙂 But this experience proves that any system accepting input from users may be targeted by a fuzzing attack. Think about it!

4 comments

  1. I suspect that ripping an audio cd would not alter the system.
    It’s only because they allow you to copy mp3 files to the disk. This could happen on any programmed system.

    Just for my information, can you provide me with the details of your equipment (model)? Is this a custom system you installed or is it provided with the car? Which model?

  2. Weird. I would’ve thought a feature like ripping music from a cd, to a local harddrive, would have some build in checks.. like only ripping certain music files and ignore all other file types. That are some of the first things we learn when programming an app in my IT school.

  3. Fuzzing isn’t new and a better, yet not the best, definition could have just been quoted from wikipedia…

    “Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program.”

    Other than that.. nice post.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.