Q: How is VoIPshield Labs different from other security research laboratories?
A: There are several major differences:
Q: Are your vulnerabilities mostly applicable to Microsoft Windows? Most vulnerabilities are.
A: No. The majority of enterprise VoIP systems do not use Windows on their server platforms. Linux, Unix or real-time operating systems are more common. VoIPshield Labs has a proven methodology and years of experience researching applications for both Windows and Unix-type systems.
Q: Are you another SIP protocol research shop?
A: It is a common mistake to associate VoIP security with SIP problems. They are not the same. SIP is only one of the many protocols used to deliver VoIP services. Yes, our research includes different vendors' SIP implementations as part of our VoIP signaling research, but we also cover most other standard signaling protocols, such as H323, as well as vendor-proprietary signaling protocols like Skinny and UNIStim. In addition, our recent work also covers the common media protocols, such as RTP and RTCP, and supporting UC protocols such as STUN and others.
Q: Does VoIPshield Labs perform custom research?
A: Yes. Our wide range of experience allows us to apply our specially developed research tools and techniques to any IP-based product. We have done custom vulnerability research for companies preparing to launch a new VoIP product, for example. In this case, the results of our research are made known only to the company funding it.
Q: Is it always possible to find vulnerabilities? My VoIP vendor says that their system is secure.
A: Every application contains serious security vulnerabilities. These are bugs that are inadvertently missed by the vendor during final testing. Some are more obscure than others, and some are more serious than others. The challenge is to find them (before the bad guys find them) and create protections against the attacks designed to exploit them.
Q: How does VoIPshield Labs uncover these vulnerabilities?
A: We use a number of techniques and tools that are part of our proprietary methodology. These include reverse engineering and debugging tools, fuzzers, packet injectors and so on, but most importantly we rely on our unique knowledge and skills, honed over many years of iterative process improvement. The type of specialized work we do is a true combination of art and science.
Q: Where can I see some examples of your work?
A: Check out our published Vulnerability Advisories.