Unsuspecting Vonage users might find themselves vulnerable to account hijacking, eavesdropping and denial-of-service
(DoS) attacks, Sipera System's VIPER lab said last week.
"These attacks actually do happen out in the wild," said Eric Winsborrow, Sipera's chief marketing officer. He said many of these exploits were straightforward and preventable if proper security protocols were followed.
Possibly the most serious of the vulnerabilities was the ability of an attacker to forge a user's identity and take over his session -- a registration replay attack.
"Vonage doesn't do a lot of authentication or a lot of re-authentication," Winsborrow said. "Simply knowing the user's number and that they're online allows Vonage hijacking."
Most of the vulnerabilities are probably not limited to Vonage, but Sipera said it released the information a month after initially trying to get a response from Vonage on the vulnerabilities.
Charlie Sahner, a spokesperson for Vonage, said that Sipera is in the business of providing "VoIP solutions" and that Vonage declined to be a customer of Sipera's products.
"VoIP systems like Vonage are actually more secure than landlines," he said.
Citing legal counsel, Vonage declined to comment further on the security allegations.
Nevertheless, Sipera labs said customers deserve the right to be educated about their security and privacy.
"Security devices are available to prevent all these," said Sachin Joglekar, vulnerability research lead at VIPER lab. Particularly disturbing, he said, was that the DoS attack required fewer than 10 connections per second to bring down an account.
Winsborrow said Vonage and other providers cut security corners to lower costs, but consumers must be educated to demand protection of their data from malicious hackers. VIPER labs has posted a list of VoIP vulnerabilities and suggested that consumers and enterprises take a proactive approach to ensuring that their voice data is properly secured.