I’m guessing there’s going to be a resurgence soon in protocol fuzzing against different VoIP phones, PBXs, and especially VoIP softphones. The practice of fuzzing, otherwise known as robustness testing or functional protocol testing, has been around for a while in the security community. The practice has proven itself to be pretty effective at automating vulnerability discovery in applications and devices that support a target protocol.
The prize for the most prolific university fuzzing results to date belongs to the PROTOS project of Oulu University’s Secure Programming Group. Through various incarnations of student projects, the PROTOS group has been faithfully discovering vulnerabilities in a variety of protocol implementations, including SIP and H.323. Ari Takanen of that group eventually graduated and went on to cofound a commercial fuzzing tool company called Codenomicon, along with others from Oulu. In just the last year alone, the market has seen several other new commercial fuzzing entrants including:
- Musecurity’s Mu-4000
- Gleg.net’s ProtoVer Professional
- Beyond Security’s BeStorm
- Security Innovation’s Hydra
Today, VoIP is starting to become a more interesting target for security researchers as the technology becomes more affordable and popular among enterprise customers. While it would be ideal if all VoIP vendors tested their own products internally for security bugs, the reality is that not all of them have the time, resources, or even the security DNA to find them all ahead of time.
For a great list of other fuzzing tools and presentations, check out Matthew Franz’s wiki.