Slashdot Mirror


Overlooked VoIP Security Issues?

penciling_in asks: "Voiponder is running an informative article identifying VoIP attacks, which are applicable to current systems but lack public awareness and are, for the most part, misunderstood. The author's primary purpose is to 'discuss two of the most well known attacks that can be carried out in current VoIP deployments. The first attack demonstrates the ability to hijack a user's VoIP Subscription and subsequent communications. The second attack looks at the ability to eavesdrop in to VoIP communications.' This leaves me begging the question: What other not-so-publicized VoIP security issues should companies be watching out for?"

  1. Securityschmurity by thegrassyknowl · · Score: 5, Interesting

    People have trusted their telephone lines for years.

    It's easy for someone to listen in on your phone call. All they need to do is be in a position of trust between your handset and the other person's handset. You wouldn't even know they were there. Do you really trust all the line techs and the people who run the telecoms networks not to snoop on you?

    Admittedly, it's not as easy to hijack a phone line unless you are in the same position of trust. VoIP makes stealing the connection a little easier. Software faults lead the way to security issues and the ability to break into VoIP servers or just do nasty things to the data on the wire.

    I liken VoIP to having a cordless phone on your line. With the right equipment I can sniff a cordless phone call and play back the parts of it that tell the base station the handset wants to make a phone call. DECT is a little harder, but apparently still doable. If you're still using a 30MHz FM cordless phone then the right equipment is available for tens of dollars at your local rat shack!

    Phil Zimmermann recently released some encrypted VoIP software that solves the eavesdropping problem with a good level of security. I can imagine that phone companies and governments will soon be trying like shit to outlaw encrypted VoIP comms because it means all those wiretaps they are so fond of doing become useless.

    I trust my VoIP provider, currently. I log into their SIP server which is at the other end of my DSL connection. They are also my ISP so I know my data never leaves their network except when it is put back on the PSTN. This also has advantages for downstream QoS (they implement it for their own SIP server) so I don't ever get dropouts.

    --
    I drink to make other people interesting!