Existing Thread protocol implementations lack systematic security testing. Method: This paper proposes the first dedicated fuzzing framework for Thread, targeting structured TLV (Type-Length-Value) messages at the MAC Layer Entity (MLE) layer. It introduces a novel TLV Inserter strategy that integrates randomized fuzzing, coverage-guided fuzzing (CovFuzz), and domain-specific message mutation, implemented within the OpenThread stack and evaluated against AFL++. Contribution/Results: (1) It achieves the first deep, structure-aware fuzzing of the Thread protocol stack; (2) it discovers five previously unknown vulnerabilities in OpenThread—multiple of which are successfully reproduced on commercial Thread-enabled IoT devices—demonstrating the framework’s high practicality and strong vulnerability discovery capability in real-world IoT deployments.

With the rapid growth of IoT, secure and efficient mesh networking has become essential. Thread has emerged as a key protocol, widely used in smart-home and commercial systems, and serving as a core transport layer in the Matter standard. This paper presents ThreadFuzzer, the first dedicated fuzzing framework for systematically testing Thread protocol implementations. By manipulating packets at the MLE layer, ThreadFuzzer enables fuzzing of both virtual OpenThread nodes and physical Thread devices. The framework incorporates multiple fuzzing strategies, including Random and Coverage-based fuzzers from CovFuzz, as well as a newly introduced TLV Inserter, designed specifically for TLV-structured MLE messages. These strategies are evaluated on the OpenThread stack using code-coverage and vulnerability-discovery metrics. The evaluation uncovered five previously unknown vulnerabilities in the OpenThread stack, several of which were successfully reproduced on commercial devices that rely on OpenThread. Moreover, ThreadFuzzer was benchmarked against an oracle AFL++ setup using the manually extended OSS-Fuzz harness from OpenThread, demonstrating strong effectiveness. These results demonstrate the practical utility of ThreadFuzzer while highlighting challenges and future directions in the wireless protocol fuzzing research space.