The Top 9 VoIP Threats For 2008

Mike Cotrone, owner of Greensboro, N.C.-based solution provider Confiance IP Solutions Inc., agreed that the threats are real, but said VoIP security is not yet appearing on many companies' radar screens.

"Anything is possible when dealing with IP," he said. "It's definitely a risk that is out there. If you have a weak link in the chain, anyone can sniff anything off your network."

While Cotrone noted that he's heard no mention of VoIP threats and vulnerabilities from his customers, he said in many cases, it will take one massive outbreak for the reality of VoIP threats to hit home. Still, he said, he recommends customers use VoIP encryption to stave off threats.

"I don't know if there's a true understanding of VoIP-based attacks," he said.

Like Hebert, Sean Johnson, business development manager for Hayes Computer Systems, a Tallahassee, Fla.-based solution provider, VoIP vulnerabilities and threats aren't something he's encountered too often. Johnson said he has, however, been hired by clients who were hung out to dry by previous solution providers.

"VoIP vulnerabilities overall aren't something we've had to deal with so far," he said, adding they can be avoided by putting VoIP on separate VLANs, behind a firewall and using intrusion prevention.

"The reason people may be scared is they're not implementing the proper security with it. If you get into that kind of situation, you're wide open for an attack on that VoIP system," Johnson said.

Rany Polany, president of PWT-IT Solutions Inc., a Santa Clara, Calif.-based system integrator and MSP, said the trick is to stay one step ahead of potential threats and vulnerabilities.

"We actually deal with it all the time," he said. "A major portion of our revenue is designing and building VoIP systems."

A key to staying ahead, Polany said, is a strong security policy.

"Security policies need to be in place," he said. "When we're dealing with IP, there needs to be a security assessment across the entire network. When moving toward a fast IP environment, any VoIP system needs to have security and policy implemented into that network."

Hebert said tightening up operating systems and ensuring that the VoIP network is locked down is essential. He added that the growing variety of attacks will serve as an eye-opener to many companies, especially since each attack that comes their way has a different intent behind it.

"Half of the attacks out there are just for the challenge of doing something. There's always someone out there racing to be the first to do it," he said. "The other half is either malicious or for monetary gain."

But with VoIP deployments increasing in number, Hebert said he expects to see a shift from the "proving it can be done" phase.

"There's going to be a large element that is purely malicious, looking to sabotage or take down a call system," he said.

Joglekar agreed."VoIP is going to be looked at as one more tool in [a hacker's] arsenal," he said. "People trust their phones and someone is going to try to exploit that trust."