We’ve written quite a bit in the past about how many enterprises are ignoring the dangers of voice over IP (VoIP). While we doubt many enterprises are in the practice of using Vonage, it’s worth noting, as yet another example that VoIP and its protocols are easy to attack, a Reuters report today that, according to Sipera Systems, hackers have figured out how to intercept calls made on the Vonage VoIP service.
Here are the highlights in a press release from Sipera: “Sipera VIPER Lab determined the Vonage VoIP Motorola Phone Adapter (VT 2142-VD) and Vonage service implementations leave users vulnerable to a form of VoIP identity theft, allowing hackers to take over a user’s phone service with a ‘registration replay attack,’ then make and receive calls while impersonating the victim. Incomplete security practices, such as not encrypting traffic, open Vonage users to eavesdropping on private voice and video communications. Hackers can also send multiple SIP INVITE messages to a user, an Internet version of ‘ringing the phone off the hook’ which creates a DoS attack. Leveraging these vulnerabilities, remote attackers can also send malicious messages directly to Vonage users, subjecting them to spam, social engineering and VoIP scams.” Sipera also noted a similar vulnerability with European provider Globe7’s online account access system.
Let it serve as a reminder that, as our threats expert Ed Skoudis wrote recently, enterprises should proceed with caution on any and all VoIP implementations because of the many exploits in the wild. Since VoIP security still isn’t getting the attention it demands, it wouldn’t be surprising if enterprise VoIP attacks soon become more popular; Infonetics Research says half of small and two-thirds of large organizations in North America will be using VoIP products and services by 2010. Of course, VoIP security is an area we’ll continue to watch closely.