
Exploiting softphones on laptops is another way hackers could gain control over a PC and steal confidential information, Kurapati said. This vulnerability affects a part of the VoIP protocol and its implementation, and can be exploited through a buffer overflow, according to Kurapati.
Microsoft's unified communications strategy will provide hackers with even more avenues for exploiting VoIP vulnerabilities, Kurapati said. Part of the reason is that the software employs scripting mechanisms such as ActiveX, which have been used by hackers in previous attacks, he said.
Peter Bybee, president and CEO of Network Vigilance, a San Diego-based solution provider, said his clients have grown more concerned about VoIP security over the past year. But in light of the trend of hackers exploiting security vulnerabilities for financial gain, and the fact that this type of tactic has yet to be used against VoIP systems, Bybee said that these fears are based more on theory than reality.
"There is certainly the potential for VoIP to be exploited, and the fact is that SIP is a pretty vulnerable protocol. But we haven't had any cases where it has actually happened," Bybee said. "People are afraid of VoIP exploits categorically, but I think it's a somewhat unqualified threat. There just haven't been enough VoIP-specific exploits, and we haven't seen anyone hurt by it."
People too often don't concern themselves with VoIP security because they haven't seen the impact of the threat and won't be convinced until something actually happens, agreed Labatt-Simon. "But it's only a matter of time before we'll see widespread attacks in which confidential information is breached through VoIP systems," he said.
Security experts say the key to protecting VoIP systems—now and in the future—is to carefully consider security requirements during the design phase prior to implementing the technology. Thermos says that he has seen organizations deploy VoIP and then start thinking about security six months or a year afterward. "People need to stop thinking of security as an added cost to a VoIP deployment. If you do your homework early on, before deployment, you'll have security controls in place and be able to assess if they're implemented correctly," he said.
The fact that the VoIP industry is paying more attention to security best practices bodes well for reaction times once VoIP-related attacks do begin to materialize, 3Com's Endler said. "VoIP security is a shared responsibility between vendors, service providers and the integrators that set up VoIP deployments. I would say it's a group effort," he said.
