International Journal On Advances in Security, volume 4, numbers 1 and 2, 2011


Security Test Approach for Automated Detection of Vulnerabilities of SIP-based VoIP Softphones

Authors:
Christian Schanes
Stefan Taber
Karin Popp
Florian Fankhauser
Thomas Grechenig

Keywords: Software testing; Computer network security; Graphical user interfaces; Internet telephony; Fuzzing

Abstract:
Voice over Internet Protocol based systems replace phone lines in many scenarios and are in wide use today. Automated security tests of such systems are required to detect implementation and configuration mistakes early and efficiently. In this paper we present a plugin for our fuzzer framework fuzzolution to automatically detect security vulnerabilities in Session Initiation Protocol based Voice over Internet Protocol softphones, which are examples of endpoints in such telephone systems. The presented approach automates the interaction with the Graphical User Interface of the softphones during test execution and also observes the behavior of the softphones using multiple metrics. Testing two open source softphones with our fuzzer showed that various unknown vulnerabilities could be identified with the implemented plugin for our fuzzing framework.

Pages: 95 to 105

Copyright: Copyright (c) to authors, 2011. Used with permission.

Publication date: September 15, 2011

Published in: journal

ISSN: 1942-2636