October 24th, 2007

VoIP Security firm: we informed Vonage of hackability a month ago and haven't heard back

Posted by Russell Shaw @ 5:15 pm

Categories: Security, Vonage

Tags: Vonage Holdings Corp., VoIP Security, Telephony, VOIP, Telecommunications, Security, Networking, Russell Shaw

Well-known VoIP security firm Sipera Systems said today that Internet phone service from Vonage is vulnerable to attacks by hackers, who are able to intercept calls to the company’s subscribers.

A Reuters report adds that Sipera Systems said it had informed Vonage of the problem more than a month ago, but the company had not responded to the warning.

Here’s the Sipera report:

Sipera VIPER Lab, operated by Sipera Systems, the leader in comprehensive VoIP/UC security solutions, today disclosed multiple threat advisories for users of VoIP services and equipment from Vonage, Globe7 and Grandstream. Among other threats, unwitting VoIP users face eavesdropping, spam, spoofing and denial-of-service (DoS) attacks. Full details on these vulnerabilities are posted as an educational security service to Sipera’s customers and the general public at http://www.sipera.com/viper.

Sipera VIPER Lab determined the Vonage VoIP Motorola Phone Adapter (VT 2142-VD) and Vonage service implementations leave users vulnerable to a form of VoIP identity theft, allowing hackers to take over a user’s phone service with a “registration replay attack,” then make and receive calls while impersonating the victim. Incomplete security practices, such as not encrypting traffic, open Vonage users to eavesdropping on private voice and video communications. Hackers can also send multiple SIP INVITE messages to a user, an Internet version of “ringing the phone off the hook” which creates a DoS attack. Leveraging these vulnerabilities, remote attackers can also send malicious messages directly to Vonage users, subjecting them to spam, social engineering and VoIP scams.

“These vulnerabilities create serious privacy and service availability issues for users,” said Krishna Kurapati, Sipera founder/CTO and head of Sipera VIPER Lab. “Vonage, Globe7 and Grandstream customers can no longer assume that their VoIP providers are automatically securing their services, but they should demand best security practices be followed as a condition of becoming a customer. Sipera VIPER Lab will continue to proactively identify VoIP threats and assist VoIP providers to implement best security practices before attacks occur.”

Vonage spokesman Charles Sahner declined comment to the wire service.

Russell Shaw is an enterprise computing journalist, analyst and author based in Portland, Oregon. See his full profile and disclosure of his industry affiliations.
