VoIP Security: Secrets and Hype
by Ari Takanen
Security

(Is There) Motivation for VoIP Fuzzing

3 comments | 3I like it!
Tags: fuzzing, security, telecommunications, testing, voip
More »
Recent Posts
September 4, 2008, 02:06 AM — 

We (at PROTOS research) released our first free VoIP fuzzers in 2002, and were amazed by the success! Everyone seemed to immediately adapt them into their quality assurance and security assessment practices. Some people still use them!

We (at Codenomicon) simultaneously released a commercial fuzzer. A number of other security companies have also released their own versions, some good, but most of them worse than even the first original release by us (IMHO).

What have we learned during these six or so years of proactive security work with VoIP fuzzing? Here is my top ten discoveries.

#1 Availability

A free open source fuzzer will be used by everyone. Provided the tool is easy to use, and easy to integrate in your processes, there is no reason not to use it.

#2 Requirements

After tools are used by end users of VoIP, the market creates a requirement for manufacturers to also use the tools. Carriers and service providers have done a good work at this.

#3 Poor consumers

Nobody cares for consumer products, or so it appears. Unfortunately there is no market requirement for testing consumer products.

#4 Open source projects

Let's face it, there is no test tool budget for FOSS (free open source software). Fortunately some government agencies and service providers depend on these products, and sometimes contract people to test some of them.

#5 Coverage

Interesting studies on fuzzer coverage are mostly ignored by the industry. This might be due to bad requirements from the customers, i.e. if any fuzzer will do, then the cheapest is used.

#6 Disclosure

Vulnerability disclosure has no influence on fuzzer usage. Free testing is free testing. When other people fuzz the product, and report problems, people think that the work is done for them.

#7 Forums have failed

Quality assurance forums have not yet found security testing. Security forums do not care for tools, but are services driven.

#8 Certification

Almost all certification efforts are commercially driven, and do not provide an open forum where the differences between fuzzing techniques can be discussed. Participation in expensive and closed. All certification efforts have failed. People shop for easiest certification levels, not the best ones.

#9 Metrics

There are no accepted metrics for fuzzing.

#10 Processes

Who should do fuzzing, and when. Nobody knows.

So what is the status of VoIP fuzzing today? It is still an emerging business where the key driver for adaptation is responsibility of the actors involved. You do not need to do it, but if you do then the results will be extremely positive. Fuzzing provides a competitive edge that you do not necessarily want to share with your competitors.

I like it!
Comments
3 comments Add a comment

I started up a recent

I started up a recent Fuzzing project that was used to target Asterisk, the Open Source PBX. Well, the fuzzer worked out quite well. I was able to test the foremost portion of the IAX protocol stack within a day. By day two I was spending most of my time parsing gigs of logs and back traces. No human could do this without fuzzing. No exceptions.

Currently and unfortunately Digium does not understand the inevitable requirement of Asterisk having a Secured SDLC. I have to agree with you concerning that consumer products usually receive less security testing. Well, how many businesses run Asterisk right now? Should they expect to have Secure Code?

voip 0day
by Algo Rythmn (not verified) on 9/9/08 at 2:32 pm | reply

Digium definitely touches

Digium definitely touches many of the points I made in the original post as it is kind-of free and kind-of open source. Motivation for a QA budget can be problematic when you cannot really show any return for the investment (i.e. more sales).
by Ari Takanen on 9/15/08 at 5:30 am | reply

Linkbit fuzzing tool

Ari,

One of our customers asked for H.248 fuzzer, as it's not covered by PROTOS tool. Can I contact you over email?
by Michael Sukhar (not verified) on 10/1/08 at 10:28 pm | reply
View all comments »
Free books

Build your tech library with our book giveaways.

Hacking Exposed, Sixth Edition
By Stuart McClure, Joel Scambray, George Kurtz; Published by McGraw-Hill/Osborne

The original Hacking Exposed authors rejoin forces on this tenth anniversary edition to offer completely up-to-date coverage of today's most devastating hacks and how to prevent them. Using their proven methodology, the authors reveal how to locate and patch system vulnerabilities. The book includes new coverage of ISO images, wireless and RFID attacks, Web 2.0 vulnerabilities, anonymous hacking tools, Ubuntu, Windows Server 2008, mobile devices, and more. Enter now!

Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
Marketplace