ThreadFuzzer: Fuzzing Framework for Thread Protocol
Ilja Siroš, Jakob Heirwegh, Dave Singelée, Bart Preneel

TL;DR
ThreadFuzzer is a novel fuzzing framework specifically designed for testing the Thread protocol, uncovering new vulnerabilities in OpenThread and demonstrating effectiveness against existing fuzzing benchmarks.
Contribution
It introduces the first dedicated fuzzing framework for Thread, including a new TLV Inserter, and evaluates its effectiveness in discovering vulnerabilities.
Findings
Uncovered five previously unknown vulnerabilities in OpenThread.
Successfully reproduced vulnerabilities on commercial Thread devices.
Outperformed existing fuzzing setups like AFL++ in effectiveness.
Abstract
With the rapid growth of IoT, secure and efficient mesh networking has become essential. Thread has emerged as a key protocol, widely used in smart-home and commercial systems, and serving as a core transport layer in the Matter standard. This paper presents ThreadFuzzer, the first dedicated fuzzing framework for systematically testing Thread protocol implementations. By manipulating packets at the MLE layer, ThreadFuzzer enables fuzzing of both virtual OpenThread nodes and physical Thread devices. The framework incorporates multiple fuzzing strategies, including Random and Coverage-based fuzzers from CovFuzz, as well as a newly introduced TLV Inserter, designed specifically for TLV-structured MLE messages. These strategies are evaluated on the OpenThread stack using code-coverage and vulnerability-discovery metrics. The evaluation uncovered five previously unknown vulnerabilities in…
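The abstract names a TLV Inserter for TLV-structured MLE messages. The following is an added illustrative example, not code from the ThreadFuzzer paper or the OpenThread project: a small structure-aware mutator that parses a TLV sequence, inserts a new TLV at a chosen or random position, and re-serializes it so the result stays well-formed at the TLV level. It assumes the common MLE layout of a one-byte Type, one-byte Length and Value (the extended-length form is not handled), and the sample message bytes are constructed for illustration, not captured from a real Thread device.

```python
# Added example (not the paper's code): structure-aware TLV insertion for
# MLE-style messages. Assumption: each TLV is Type(1 byte), Length(1 byte),
# Value(Length bytes); the extended-length encoding is deliberately omitted.
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass
class TLV:
    type: int
    value: bytes


def parse_tlvs(payload: bytes) -> list[TLV]:
    """Parse a sequence of TLVs, rejecting truncated headers or values.

    A fuzzer needs this check too: it should only insert into messages it can
    fully account for, otherwise the 'insertion' is really byte corruption.
    """
    tlvs: list[TLV] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % i)
        t, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV type %d claims %d bytes, payload has %d"
                             % (t, length, len(value)))
        tlvs.append(TLV(t, value))
        i += 2 + length
    return tlvs


def serialize_tlvs(tlvs: list[TLV]) -> bytes:
    """Inverse of parse_tlvs; enforces the one-byte type/length limits."""
    out = bytearray()
    for tlv in tlvs:
        if not 0 <= tlv.type <= 0xFF or len(tlv.value) > 0xFF:
            raise ValueError("TLV does not fit one-byte type/length fields")
        out += bytes([tlv.type, len(tlv.value)]) + tlv.value
    return bytes(out)


def insert_tlv(payload: bytes, new: TLV, position: int | None = None,
               rng: random.Random | None = None) -> bytes:
    """Insert `new` between existing TLVs (random slot if position is None).

    Because the message is rebuilt from parsed TLVs, every TLV boundary in
    the output is still consistent, which is what lets a parser under test
    reach the code that handles the *content* of an unexpected TLV.
    """
    tlvs = parse_tlvs(payload)
    rng = rng or random.Random(0)
    pos = rng.randint(0, len(tlvs)) if position is None else position
    tlvs.insert(pos, new)
    return serialize_tlvs(tlvs)


def random_tlv(rng: random.Random, max_len: int = 16) -> TLV:
    """Generate a TLV with an arbitrary type and random value bytes."""
    length = rng.randint(0, max_len)
    return TLV(rng.randint(0, 0xFF), bytes(rng.randrange(256) for _ in range(length)))


def generate_variants(payload: bytes, count: int, seed: int = 0) -> list[bytes]:
    """Produce `count` deterministic variants, each with one inserted TLV."""
    rng = random.Random(seed)
    return [insert_tlv(payload, random_tlv(rng), rng=rng) for _ in range(count)]


# Constructed sample: two TLVs, type 0 with value 0x1234 and type 5 with 0xAA.
SAMPLE_MESSAGE = bytes([0x00, 0x02, 0x12, 0x34, 0x05, 0x01, 0xAA])

if __name__ == "__main__":
    print(parse_tlvs(SAMPLE_MESSAGE))
    for v in generate_variants(SAMPLE_MESSAGE, 3):
        print(v.hex(), "->", parse_tlvs(v))
```

Each variant parses back cleanly, so a crash or hang in the target can be attributed to how it handles the inserted TLV rather than to a malformed frame; a real harness would pair this with the coverage feedback the abstract describes to decide which variants are worth keeping.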
