Fuzzing is a new way to test the security of a system or an application by sending garbage or badly formated data. This attack may crash the target system or, in worst cases, produce unexpected results.
In my new car, I’ve a complete multimedia system (GPS, radio, GSP, MP3, onboard computer, etc). One of the proposed features is to copy the inserted audio CD on the built-in hard drive. Cool! But, wait… It means that data coming from an untrusted source will be read and processed by the system?
I burned a CD with some MP3’s and added some files in an unexpected format (text files, JPEG files). Some MP3 files were renamed with French characters like “Ã©” or “Ã§”. Once the CD inserted, the multimedia system asked me if I would like to rip the CD. Yes of course! It started and a few minutes later… DoS!
Bingo, a Deny of Service hit the multimedia system, no GPS map move, locked display, missing or big delays in information processing. I suspected some CPU overload. I was forced to reboot the whole system. After the reboot, the system just warned me that the copy failed.
Honestly, I did not perform more tests. I need my system up’n’running… 🙂 But this experience proves that any system accepting input from users may be targeted by a fuzzing attack. Think about it!