There are a handful of very bright 13-year-olds out there who can do remarkable things, and there are not-so-bright 13-year-olds who have access to software designed by others to detect and explore security vulnerabilities.
It's become an everyday fact of life that all vendors have security bugs in their products. It's fairly rare that developers and quality assurance (QA) teams can find all of their own security flaws before a product ships. More often than not, a third party (an end user, security enthusiast, and so on) is responsible for unearthing a security flaw in many of the more widely used products today. To get a sense of this, simply read the acknowledgments section of some of the security advisories listed on Cisco's (http://www.cisco.com/security/) or Microsoft's (http://www.microsoft.com/technet/security/current.aspx) security response websites.
However, you can't judge the security strength of a VoIP application or device merely on the number of security issues that are discovered. If a technology or application is not as widely used, or is cost prohibitive for the masses to poke at, it is obviously a less accessible security research target. For many security enthusiasts, there's more sex appeal in discovering a security vulnerability in Microsoft's Internet Explorer Browser (top market share) than in the lesser-known Opera Browser (less than 3 percent market share). It is no different for VoIP products; we've only reached the tip of the iceberg with the general security community scrutinizing many of these new devices and applications. Also, many VoIP vendors are now starting to target the consumer market with affordable home VoIP offerings.
Security researchers and the common tech enthusiast can discover security vulnerabilities in a VoIP product either through dumb luck or through methodical black box testing. As the name might suggest, black box testing occurs when a tester has neither inside knowledge of nor source code for the targeted device or application (thus a virtual black box). Besides reverse engineering the application itself, black box testing is usually the easiest approach to uncovering security issues. Some of those security issues may result in the application or device crashing, while others, after some investigation, may allow an attacker to execute commands of his choosing on the victim application.
This chapter focuses on one type of black box testing called fuzzing.