According to a report released today by VoIP security firm Sipera Systems, Internet phone service company Vonage may be vulnerable to attacks by hackers through a variety of different means including eavesdropping, spam, spoofing and denial-of-service (DoS) attacks. The security company stated that it had informed Vonage of the problem more than a month ago, but that the company had not responded to the warning. Vonage spokesman Charles Sahner declined comment.
The Sipera VIPER Lab determined the Vonage VoIP Motorola Phone Adapter (VT 2142-VD) and Vonage service implementations leave users vulnerable to a form of VoIP identity theft, allowing hackers to take over a user's phone service with a "registration replay attack" and then make and receive calls while impersonating the victim. Incomplete security practices, such as not encrypting traffic, open Vonage users to eavesdropping on private voice and video communications. Hackers can also send multiple SIP INVITE messages to a user, an Internet version of "ringing the phone off the hook" which creates a DoS attack. Leveraging these vulnerabilities, remote attackers can also send malicious messages directly to Vonage users, subjecting them to spam, social engineering and VoIP scams.