Security Firm Says Hackers Can Access Vonage Calls

It’s not a good week for Vonage. VoIP security firm Sipera has announced that it has discovered a vulnerability in Vonage’s equipment that can allow hackers to take control of user accounts to intercept calls, make calls via the accounts, eavesdrop, or launch DoS attacks. Although most VoIP systems are about as secure as sending instant messages over a public Wi-Fi network (that is, not secure at all), Vonage has a couple of special problems with its Motorola adapters not authorizing requests, which leaves a special door open for bad people doing bad things. The problem also affects adapters from Grandstream and Globe7.

The Sipera website provides more details:

Sipera VIPER Lab determined the Vonage VoIP Motorola Phone Adapter (VT 2142-VD) and Vonage service implementations leave users vulnerable to a form of VoIP identity theft, allowing hackers to take over a user’s phone service with a “registration replay attack,” then make and receive calls while impersonating the victim. Incomplete security practices, such as not encrypting traffic, open Vonage users to eavesdropping on private voice and video communications. Hackers can also send multiple SIP INVITE messages to a user, an Internet version of “ringing the phone off the hook” which creates a DoS attack. Leveraging these vulnerabilities, remote attackers can also send malicious messages directly to Vonage users, subjecting them to spam, social engineering and VoIP scams.

According to news reports today, Sipera alerted Vonage over a month ago but has never received a response.

“Sipera VIPER Lab Reveals Vonage Users Vulnerable to VoIP Identity Theft, Eavesdropping and Other Exploits” [Sipera]
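
For operators who want to watch for the two behaviors the advisory describes, a replayed registration and a burst of INVITEs at one user, here is a small detection sketch. It is an added example, not code from Sipera, Vonage or this article; the log format, the sample lines, the thresholds and the name `analyze` are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample log; the format (epoch, source IP, method, target,
# optional digest nonce/response) is an assumption for this example.
SAMPLE_LOG = """\
1000 198.51.100.7 REGISTER sip:15550100@example.net nonce=a1f3 response=9c2e
1030 203.0.113.9 REGISTER sip:15550100@example.net nonce=a1f3 response=9c2e
1040 198.51.100.7 REGISTER sip:15550100@example.net nonce=b772 response=41d0
1100 203.0.113.9 INVITE sip:15550100@example.net
1101 203.0.113.9 INVITE sip:15550100@example.net
1102 203.0.113.9 INVITE sip:15550100@example.net
1103 203.0.113.9 INVITE sip:15550100@example.net
1104 203.0.113.9 INVITE sip:15550100@example.net
1200 192.0.2.44 INVITE sip:15550111@example.net
"""

LINE = re.compile(
    r"^(\d+) (\S+) (REGISTER|INVITE) (\S+)(?: nonce=(\S+) response=(\S+))?$")

def analyze(log, invite_limit=4, window=10):
    """Return (alert, target, source) tuples for replayed REGISTERs and INVITE floods."""
    alerts = []
    first_seen = {}               # (target, nonce, response) -> first source to present it
    invites = defaultdict(deque)  # target -> timestamps of INVITEs inside the window
    flooding = set()              # targets already reported, to avoid duplicate alerts
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        ts, src, method, target, nonce, response = m.groups()
        ts = int(ts)
        if method == "REGISTER" and nonce:
            # Identical digest credentials arriving from a second address mean a
            # captured registration is being replayed. Same-source reuse is not
            # flagged: a client may legitimately repeat a nonce until it is stale.
            origin = first_seen.setdefault((target, nonce, response), src)
            if origin != src:
                alerts.append(("register-replay", target, src))
        elif method == "INVITE":
            recent = invites[target]
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) > invite_limit and target not in flooding:
                flooding.add(target)
                alerts.append(("invite-flood", target, src))
    return alerts
```

The default of more than 4 INVITEs in 10 seconds is a placeholder to tune against normal call volume, and the code expects log lines in time order.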

RELATED
“Hackers can divert Vonage calls: security firm” [Reuters]
Sipera Threat Advisories Page
(Photo: Getty)

Comments

  1. SexCpotatoes says:

    Uh Oh, how about Viatalk, are they, and their LinkSys VOIP adapters as vulnerable?

  2. twoback says:

    Any coincidence, that this company Sipera, also makes equipment to secure VoIP communications? At least that explains their motivation for digging this up.

  3. tedyc03 says:

    The copper wires aren’t all that secure either. It just takes more effort because you generally have to physically access the copper but hackers were hacking phone lines long ago. There’s a reason companies and government agencies invest in phones that encrypt voice communications: because unencrypted communications are DANGEROUS.

  4. mconfoy says:

    I am curious if this is true of AT&T’s VOIP too.