Article

Vonage VoIP service plagued by security holes, researchers say

Michael Morisy
Unsuspecting Vonage users might find themselves vulnerable to account hijacking, eavesdropping and denial-of-service (DoS) attacks, Sipera System's VIPER lab said last week.

"These attacks actually do happen out in the wild," said Eric Winsborrow, Sipera's chief marketing officer. He said many of these exploits were straightforward and preventable if proper security protocols were followed.

Possibly the most serious of the vulnerabilities was the ability of an attacker to forge a user's identity and take over his session -- a registration replay attack.

"Vonage doesn't do a lot of authentication or a lot of re-authentication," Winsborrow said. "Simply knowing the user's number and that they're online allows Vonage hijacking."

Most of the vulnerabilities are probably not limited to Vonage, but Sipera said it released the information a month after initially trying to get a response from Vonage on the vulnerabilities.

Charlie Sahner, a spokesperson for Vonage, said that Sipera is in the business of providing "VoIP solutions" and that Vonage declined to be a customer of Sipera's products.

"VoIP systems like Vonage are actually more secure than landlines," he said.

Citing legal counsel, Vonage declined to comment further on the security allegations.

Nevertheless, Sipera labs said customers deserve the right to be educated about their security and privacy.

"Security devices are available to prevent all these," said Sachin Joglekar, vulnerability research

    Requires Free Membership to View

lead at VIPER lab. Particularly disturbing, he said, was that the DoS attack required fewer than 10 connections per second to bring down an account.

Winsborrow said Vonage and other providers cut security corners to lower costs, but consumers must be educated to demand protection of their data from malicious hackers. VIPER labs has posted a list of VoIP vulnerabilities and suggested that consumers and enterprises take a proactive approach to ensuring that their voice data is properly secured.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: