Vonage VoIP service plagued by security holes, researchers say

By Michael Morisy, News Writer 30 Oct 2007 | SearchTelecom.com

Enterprise IT news roundup Digg This!     StumbleUpon     Del.icio.us

"These attacks actually do happen out in the wild," said Eric Winsborrow, Sipera's chief marketing officer. He said many of these exploits were straightforward and preventable if proper security protocols were followed.

Possibly the most serious of the vulnerabilities was the ability of an attacker to forge a user's identity and take over his session -- a registration replay attack.

"Vonage doesn't do a lot of authentication or a lot of re-authentication," Winsborrow said. "Simply knowing the user's number and that they're online allows Vonage hijacking."

Most of the vulnerabilities are probably not limited to Vonage, but Sipera said it released the information a month after initially trying to get a response from Vonage on the vulnerabilities.

Charlie Sahner, a spokesperson for Vonage, said that Sipera is in the business of providing "VoIP solutions" and that Vonage declined to be a customer of Sipera's products.

"VoIP systems like Vonage are actually more secure than landlines," he said.

Citing legal counsel, Vonage declined to comment further on the security allegations.

Nevertheless, Sipera labs said customers deserve the right to be educated about their security and privacy.

"Security devices are available to prevent all these," said Sachin Joglekar, vulnerability research lead at VIPER lab. Particularly disturbing, he said, was that the DoS attack required fewer than 10 connections per second to bring down an account.

Winsborrow said Vonage and other providers cut security corners to lower costs, but consumers must be educated to demand protection of their data from malicious hackers. VIPER labs has posted a list of VoIP vulnerabilities and suggested that consumers and enterprises take a proactive approach to ensuring that their voice data is properly secured.

Tags: Telecom Network Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Telecom Network Management Top five telecom industry trends for 2010: Market transformation ahead Telecom network test equipment takes on strategic role Network performance testing trends show greater operator need Outsourcing strategies for next-generation network operations Global Crossing re-engineers the telecom customer experience Network traffic management targets access and 'middle mile' aggregation infrastructure Carrier traffic management solutions for access, aggregation network Offering realistic broadband service definitions and acceptable-use policies Taking bandwidth management above-board Web-enabled TV looms, but can networks handle the Web on televisions?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary backbone  (SearchTelecom.com) caller ID spoofing  (SearchTelecom.com) carrier signal  (SearchTelecom.com) comfort noise generator (CNG)  (SearchTelecom.com) Ethernet as a service (EaaS)  (SearchTelecom.com) Hayes command set  (SearchTelecom.com) multichassis multilink PPP  (SearchTelecom.com) multilink PPP  (SearchTelecom.com) telecommunications  (SearchTelecom.com) traffic engineering  (SearchTelecom.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary