It’s not a good week for Vonage. VoIP Security firm Sipera has announced that they’ve discovered a vulnerability in Vonage’s equipment that can allow hackers to take control of user accounts to intercept calls, make calls via the accounts, eavesdrop, or launch DoS attacks. Although most VoIP systems are about as secure as sending IM messages over a public wifi network (that is, not secure at all), Vonage has a couple of special problems with its Motorola adapters not authorizing requests, which leaves a special door open for bad people doing bad things. The problem also affects adapters from Grandstream and Globe7.
The Sipera website provides more details:
Sipera VIPER Lab determined the Vonage VoIP Motorola Phone Adapter (VT 2142-VD) and Vonage service implementations leave users vulnerable to a form of VoIP identity theft, allowing hackers to take over a user’s phone service with a “registration replay attack,” then make and receive calls while impersonating the victim. Incomplete security practices, such as not encrypting traffic, open Vonage users to eavesdropping on private voice and video communications. Hackers can also send multiple SIP INVITE messages to a user, an Internet version of “ringing the phone off the hook” which creates a DoS attack. Leveraging these vulnerabilities, remote attackers can also send malicious messages directly to Vonage users, subjecting them to spam, social engineering and VoIP scams.
According to news reports today, Sipera alerted Vonage over a month ago but has never received a response.