Fuzzing is a new way to test the security of a system or an application by sending it garbage or badly formatted data. This attack may crash the target system or, in the worst case, produce unexpected results.
In my new car, I have a complete multimedia system (GPS, radio, GSP, MP3, onboard computer, etc). One of the proposed features is to copy the inserted audio CD to the built-in hard drive. Cool! But, wait… It means that data coming from an untrusted source will be read and processed by the system?
I burned a CD with some MP3s and added some files in an unexpected format (text files, JPEG files). Some MP3 files were renamed with French characters like “é” or “ç”. Once the CD was inserted, the multimedia system asked me if I would like to rip the CD. Yes of course! It started and a few minutes later… DoS!
Bingo, a Denial of Service hit the multimedia system: no GPS map movement, a locked display, information processing missing or with big delays. I suspected some CPU overload. I was forced to reboot the whole system. After the reboot, the system just warned me that the copy failed.
Honestly, I did not perform more tests. I need my system up’n’running… 🙂 But this experience proves that any system accepting input from users may be targeted by a fuzzing attack. Think about it!