
Automated Black-Box Fuzzing of Bluetooth Interfaces in Automotive ECUs

Manuel Firrera

Automated Black-Box Fuzzing of Bluetooth Interfaces in Automotive ECUs.

Supervisor: Fulvio Valenza. Politecnico di Torino, NOT SPECIFIED, 2025

Abstract:

This thesis introduces CAPutt, a modular, over‑the‑air black‑box fuzzing framework for Bluetooth Classic tailored to automotive systems where source code and instrumentation are unavailable. CAPutt combines two complementary engines: a Service Fuzzer that perturbs higher‑layer payloads over valid L2CAP channels, and a stateful L2CAP Fuzzer that mutates structure‑aware fields to drive negotiated and transitional states. The framework emphasizes automation and resilience through online mutation aligned to negotiated parameters, HCI‑level capture and logging, a replay module for minimal triggering sequences, and robust recovery from disconnects. We evaluate CAPutt in a controlled lab that mirrors MQB/MEB benches, targeting Volkswagen’s ICAS3 (BlueSDK) with BlueZ on Raspberry Pi as a baseline. Campaigns systematically exercised L2CAP and exposed services, fuzzing each PSM for at least 24 hours and spanning roughly two months overall. In the absence of coverage feedback, effectiveness was inferred from externally observable metrics: rejection rate, disconnection rate, log‑derived state coverage, and throughput. Results reveal a clear contrast: under random mutation, BlueZ mostly issues protocol rejections while keeping the link alive, whereas BlueSDK aggressively drops connections on malformed input, depressing throughput via reconnection overhead. Stateful L2CAP fuzzing reduces rejections on BlueZ—indicating deeper exploration—while BlueSDK remains defensive. Service fuzzing displays similar behavior across stacks, consistent with preserved session scaffolding. CAPutt uncovered one reproducible crash sequence that triggered a device reboot and two availability‑impact anomalies; all were validated via timestamp correlation, minimal‑sequence replay, and reproducibility checks, and reported under responsible disclosure. 
Contributions include a practical and modular black‑box framework with complementary engines, a metric‑driven evaluation method for black‑box settings, and empirical characterization of BlueSDK vs. BlueZ. Future work spans protocol‑specific mutators, BLE (including LE Audio), compliance/interoperability checks, automated triage, learning‑guided input selection, and performance optimizations.
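The abstract says that, without coverage feedback, effectiveness was inferred from externally observable metrics (rejection rate, disconnection rate, log-derived state coverage, throughput) and that reconnection overhead depresses throughput on a stack that drops the link. The script below is an added illustration of how such metrics can be derived from an HCI-level event log; it is not code from the CAPutt thesis, and the log line format, the event and key names, the two constructed sample logs and the list of L2CAP channel states used for the coverage denominator are all assumptions made for this example. The two samples are shaped to reproduce the contrast the abstract describes: one stack answers malformed input with protocol rejections and keeps the link alive, the other drops the connection and pays a reconnection cost.

```python
"""Black-box fuzzing metrics derived from an HCI-level event log.

Added example, not the thesis's own code. Log format (constructed):
    <t_seconds> <EVENT> key=value ...
with EVENT in {CONNECTED, DISCONNECTED, SENT, RECV}. A RECV line carries
the L2CAP signalling command in cmd=...; SENT/RECV lines carry the
channel state the fuzzer believes it is in as state=....
"""
from dataclasses import dataclass

# Illustrative L2CAP channel states used as the denominator for state coverage
# (assumption for this example; the thesis's own state model is not on the page).
KNOWN_STATES = frozenset(
    {"CLOSED", "WAIT_CONNECT", "WAIT_CONNECT_RSP", "CONFIG", "OPEN", "WAIT_DISCONNECT"}
)

# Constructed sample: stack rejects malformed packets but keeps the link up.
REJECTING_STACK_LOG = """\
0.00 CONNECTED
0.10 SENT psm=1 state=WAIT_CONNECT_RSP
0.12 RECV cmd=CONNECTION_RSP state=CONFIG
0.20 SENT psm=1 state=CONFIG
0.25 RECV cmd=COMMAND_REJECT state=CONFIG
0.30 SENT psm=1 state=CONFIG
0.35 RECV cmd=CONFIG_RSP state=OPEN
0.40 SENT psm=1 state=OPEN
0.45 RECV cmd=COMMAND_REJECT state=OPEN
0.50 SENT psm=1 state=OPEN
0.55 RECV cmd=COMMAND_REJECT state=OPEN
0.60 SENT psm=1 state=OPEN
"""

# Constructed sample: stack drops the ACL link on malformed input; each drop
# costs one second of reconnection before fuzzing can resume.
DROPPING_STACK_LOG = """\
0.00 CONNECTED
0.10 SENT psm=1 state=WAIT_CONNECT_RSP
0.12 RECV cmd=CONNECTION_RSP state=CONFIG
0.20 SENT psm=1 state=CONFIG
0.60 DISCONNECTED reason=0x13
1.60 CONNECTED
1.70 SENT psm=1 state=WAIT_CONNECT_RSP
1.72 RECV cmd=CONNECTION_RSP state=CONFIG
1.80 SENT psm=1 state=CONFIG
2.20 DISCONNECTED reason=0x08
3.20 CONNECTED
3.30 SENT psm=1 state=WAIT_CONNECT_RSP
3.32 RECV cmd=CONNECTION_RSP state=CONFIG
3.40 SENT psm=1 state=CONFIG
"""


@dataclass(frozen=True)
class Metrics:
    sent: int            # fuzz packets sent
    rejections: int      # L2CAP COMMAND_REJECT responses observed
    disconnections: int  # link drops observed
    states: frozenset    # channel states actually exercised (from the log)
    wall_time: float     # first to last timestamp
    link_uptime: float   # seconds during which the link was connected

    @property
    def rejection_rate(self) -> float:
        return self.rejections / self.sent if self.sent else 0.0

    @property
    def disconnection_rate(self) -> float:
        return self.disconnections / self.sent if self.sent else 0.0

    @property
    def throughput(self) -> float:
        """Packets per wall-clock second; reconnection time counts against it."""
        return self.sent / self.wall_time if self.wall_time > 0 else 0.0

    @property
    def reconnect_overhead(self) -> float:
        """Fraction of the campaign spent with no usable link."""
        return 1.0 - self.link_uptime / self.wall_time if self.wall_time > 0 else 0.0


def parse_line(line: str):
    """Split '<t> <EVENT> k=v ...' into (timestamp, event, {k: v})."""
    tokens = line.split()
    kv = dict(tok.split("=", 1) for tok in tokens[2:] if "=" in tok)
    return float(tokens[0]), tokens[1], kv


def state_coverage(states: frozenset) -> float:
    """Share of the known state set that the log shows was reached."""
    return len(states & KNOWN_STATES) / len(KNOWN_STATES)


def compute_metrics(log_text: str) -> Metrics:
    sent = rejections = disconnections = 0
    states = set()
    t_first = t_last = None
    up_since = None   # timestamp of the current CONNECTED, if the link is up
    uptime = 0.0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, event, kv = parse_line(line)
        t_first = t if t_first is None else t_first
        t_last = t
        if event == "CONNECTED":
            up_since = t
        elif event == "DISCONNECTED":
            disconnections += 1
            if up_since is not None:
                uptime += t - up_since
                up_since = None
        elif event == "SENT":
            sent += 1
        elif event == "RECV" and kv.get("cmd") == "COMMAND_REJECT":
            rejections += 1
        if "state" in kv:
            states.add(kv["state"])
    if up_since is not None and t_last is not None:
        uptime += t_last - up_since   # link still up when the capture ends
    wall = (t_last - t_first) if t_first is not None else 0.0
    return Metrics(sent, rejections, disconnections, frozenset(states), wall, uptime)


if __name__ == "__main__":
    for name, log in (("rejecting", REJECTING_STACK_LOG), ("dropping", DROPPING_STACK_LOG)):
        m = compute_metrics(log)
        print(f"{name}: reject={m.rejection_rate:.2f} disconnect={m.disconnection_rate:.2f} "
              f"coverage={state_coverage(m.states):.2f} throughput={m.throughput:.2f}/s "
              f"reconnect_overhead={m.reconnect_overhead:.2f}")
```

Run stand-alone, the script prints one summary line per sample. The rejecting stack shows a high rejection rate, zero disconnections and full throughput; the dropping stack shows zero rejections, a non-zero disconnection rate, shallower state coverage and throughput cut by the reconnection gaps, which is the same qualitative picture the abstract reports for BlueZ versus BlueSDK.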

Supervisors: Fulvio Valenza
Academic year: 2025/26
Publication type: Electronic
Number of pages: 74
Additional information: Embargoed thesis. Full text not available
Subjects:
Degree programme: NOT SPECIFIED
Degree class: New system > Master's degree > LM-32 - COMPUTER ENGINEERING
Co-supervising institution: Volkswagen AG (GERMANY)
Partner companies: VOLKSWAGEN AG
URI: http://webthesis.biblio.polito.it/id/eprint/37923