Your Vonage Account At Risk
To Identity Theft, Eavesdropping and Other Exploits
by JerseyDevil Thursday 25-Oct-2007 tags: security · VoIP · Vonage
VoIP security firm Sipera Systems yesterday issued several security advisories saying Vonage VoIP service was vulnerable to spoofing, eavesdropping, and remote exploits. Problems with the Vonage VT 2142-VD adapter and Vonage's security practices leave Vonage customers vulnerable to a "registration relay attack," which could allow a hacker to make and receive calls as the targeted victim. More from the news release:

Incomplete security practices, such as not encrypting traffic, open Vonage users to eavesdropping on private voice and video communications. Hackers can also send multiple SIP INVITE messages to a user, an Internet version of “ringing the phone off the hook” which creates a DoS attack. Leveraging these vulnerabilities, remote attackers can also send malicious messages directly to Vonage users, subjecting them to spam, social engineering and VoIP scams.

According to the company, they alerted Vonage to the problems a month ago, but never received a response.
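An added example, not part of the original story or the Sipera advisories: a defender-side audit for the two conditions the release describes, repeated INVITEs "ringing the phone off the hook" and SIP messages sent directly to a user instead of through the provider. The proxy address (192.0.2.10), the thresholds, and the sample traffic are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: (arrival time in seconds, source IP, raw SIP request).
# All addresses are documentation ranges; 192.0.2.10 stands in for the provider's proxy.
def _invite(call_id, user="alice"):
    return (f"INVITE sip:{user}@198.51.100.7 SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP host.invalid;branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:caller@example.invalid>;tag=1\r\n"
            f"To: <sip:{user}@198.51.100.7>\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 INVITE\r\n\r\n")

SAMPLE = [(0.0, "192.0.2.10", _invite("a1")),
          (5.0, "192.0.2.10", "OPTIONS sip:alice@198.51.100.7 SIP/2.0\r\nCall-ID: o1\r\n\r\n"),
          (9.0, "192.0.2.10", _invite("a2"))]
SAMPLE += [(20.0 + i * 0.2, "203.0.113.66", _invite(f"f{i}")) for i in range(12)]

def parse_request(raw):
    """Return (method, call_id) for a SIP request, or None if it is not one."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None  # responses start with "SIP/2.0"; malformed lines are ignored
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], headers.get("call-id", headers.get("i"))

def audit_invites(packets, trusted_proxies, window=10.0, max_invites=5):
    """Flag INVITE sources that bypass the proxy or exceed max_invites per window."""
    recent = defaultdict(deque)          # per-source sliding window of arrival times
    untrusted, flooders = set(), set()
    for ts, src, raw in sorted(packets, key=lambda p: p[0]):
        parsed = parse_request(raw)
        if not parsed or parsed[0] != "INVITE":
            continue
        if src not in trusted_proxies:
            untrusted.add(src)           # INVITE arrived directly, not via the provider
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_invites:
            flooders.add(src)
    return {"untrusted": untrusted, "flooders": flooders}
```

The `untrusted` set maps directly onto an ACL decision: only the provider's proxy needs to reach the adapter's SIP port.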

compuwizz

join:2001-03-05
Reston, VA

Nothing new

You could use this for every SIP based VoIP company and almost every adapter that is set to receive anonymous SIP calls.

sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
Reviews:
·Optimum Online

Re: Nothing new

said by compuwizz:

You could use this for every SIP based VoIP company and almost every adapter that is set to receive anonymous SIP calls.
Yeah, this is not news.

Even much more expensive business PBX services have most of the same flaws. SIP was made in friendlier times.

jester121
Premium
join:2003-08-09
Lake Zurich, IL
Reviews:
·voip.ms

Re: Nothing new

said by sporkme:

Even much more expensive business PBX services have most of the same flaws.
Not unless they were implemented by idiots. Corporate VOIP traffic doesn't travel unencrypted over the public internet.*

* - earlier "idiot" caveat applies.

sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
Reviews:
·Optimum Online

Re: Nothing new

said by jester121:

said by sporkme:

Even much more expensive business PBX services have most of the same flaws.
Not unless they were implemented by idiots. Corporate VOIP traffic doesn't travel unencrypted over the public internet.*
Do you want a really long list of "business" VoIP providers that sell a managed remote PBX product?

jester121
Premium
join:2003-08-09
Lake Zurich, IL
Reviews:
·voip.ms

Re: Nothing new

said by sporkme:

said by jester121:

said by sporkme:

Even much more expensive business PBX services have most of the same flaws.
Not unless they were implemented by idiots. Corporate VOIP traffic doesn't travel unencrypted over the public internet.*
Do you want a really long list of "business" VoIP providers that sell a managed remote PBX product?
Not really, I've had experience with several, and if their installers didn't secure the connections via ACLs or implement other security measures, THEY ARE IDIOTS.

Do you want to keep arguing? It's a slow day here at work, and I'm a good typist. Idiot is a fun word to type so I can go all day.

digiblur
Got Sipura?
Premium
join:2002-06-03
Louisiana
Very old news... send all the SIP INVITEs you want to my IP address. I've got 6 lines of VoIP registering from behind my router. I'll give you my IP address. Bet you can't make 'em ring. Sure you could probably flood my IP but that's nothing new either.
--
Make your Sipura speak. »www.voipurize.com
And now for the PAP2-NA and unlocked PAP2's.

Romney2012
Defeat Obama 2012-Chg we can believe in
Premium
join:2002-03-03
USA
kudos:4

Vonage techs too busy testifying to check it out

According to the company, they alerted Vonage to the problems a month ago, but never received a response.
Probably because all of Vonage's researchers are busy testifying or getting ready to testify in patent lawsuits.
--
--
Internet News
My BLOG
My Web Page
fiberguy
My views are my own.
Premium
join:2005-05-20
kudos:3

Re: Vonage techs too busy testifying to check it out

So if this is stolen technology, if they hack my account, can I sue Sprint, Verizon/MCI, and now AT&T? After all, it's their technology that is flawed... Vonage just stole it! haha
--
"Complaining is the least path of resistance for the self-serving, the lazy, and I’m told it’s a woman’s prerogative..."

footballdude
Premium
join:2002-08-13
Imperial, MO

Re: Vonage techs too busy testifying to check it out

said by fiberguy:

So if this is stolen technology, if they hack my account, can I sue Sprint, Verizon/MCI, and now AT&T? After all, it's their technology that is flawed... Vonage just stole it! haha
How could you sue someone for inventing a technology? It would be Vonage that implemented it for you.

Yeah, I know you're just kidding. I'm just saying, though.....
--
What's certain about Darwinism is that it would take less time for (1) a single-celled organism to evolve into a human being through mutation and natural selection than for (2) Darwinists to admit they have no proof of (1) - Ann Coulter
fiberguy
My views are my own.
Premium
join:2005-05-20
kudos:3

Re: Vonage techs too busy testifying to check it out

Well.. don't we live in the age of sue-em? Yes, I was just kidding,... but really look at this...

A casino has a slot machine that said it was going to pay out over 1 million dollars.. the machine, somewhere in small print on the back maybe says the max any of that machine will pay is $2,500. Its initial findings are that they can't sue the casino.. BUT, a former supreme court judge DID say that the player could go after the software maker since it was their mistake..

On a serious note.. apply my funny to this situation. When those companies that developed the technology that Vonage stole, got sued, had to pay and then legitimized .. that product now has these sue happy people's names all over it - and in my opinion, all the potential problems that go with it.

Yes.. I am being funny.. but, at the same time, there could be a little something in there as well. COULD be..
--
"Complaining is the least path of resistance for the self-serving, the lazy, and I’m told it’s a woman’s prerogative..."

swintec
Premium,VIP
join:2003-12-19
Alfred, ME
kudos:3
Reviews:
·RapidVPS
·Sprint Mobile Br..
·VoicePulse
·RoadRunner Cable

Unencrypted???

I don't know of any VoIP carrier who has encrypted calls yet. I think they went with Vonage in their report to jump on the bashing bandwagon of them.
--
BlockNews.Net- Quality Usenet Block And Unlimited Accounts
manny7437
Premium
join:2007-10-17
North Port, FL

action tec

they are working on acttec a new firmware that will not burn out the fios modem right now make sure that when you get it installed at your home tell tech from verizon to check rf reading at modem can not be too hot will burn it up need to be at least + 2 or not less than -4 good luck

Romney2012
Defeat Obama 2012-Chg we can believe in
Premium
join:2002-03-03
USA
kudos:4

Re: action tec

said by manny7437:

they are working on acttec a new firmware that will not burn out the fios modem right now make sure that when you get it installed at your home tell tech from verizon to check rf reading at modem can not be too hot will burn it up need to be at least + 2 or not less than -4 good luck
And what has this to do with the subject of the news item?
--
--
Internet News
My BLOG
My Web Page
fiberguy
My views are my own.
Premium
join:2005-05-20
kudos:3

Re: action tec

Forget the subject line, I can't even figure out what he's even talking about.

swintec
Premium,VIP
join:2003-12-19
Alfred, ME
kudos:3

Re: action tec

Maybe he is ahead by a day and thinks it's the Friday Open Thread?
Cyber2lz

join:2001-11-15
Odessa, FL
Na, He just thinks it's Friday!!!!

Oh, and alcohol was/is involved
--
The Light Pipe is the Right Pipe !!!
manny7437
Premium
join:2007-10-17
North Port, FL
sorry i was responding to wrong email
lordofwhee

join:2007-10-21
Everett, WA

Old

Anyone involved in basically any hacking community knew about the vulnerabilities of VoIP over a year ago, why is this news?

meister_sd
Premium
join:2006-01-29
La Mesa, CA
kudos:7

Re: Old

I'm starting to get into Asterisk and more self hosting VoIP. Got any references to these vulnerabilities or sites? I'd like to learn more about locking the system down.

laserjobs
Premium
join:2004-05-02
Las Vegas, NV

Other VoIP providers

This is nothing new, I know other VoIP providers with way worse security. Surprisingly they don't really seem to care either.
--

Vote for Ron Paul in the Republican Primaries
bngdup

join:2007-02-20
Old Bridge, NJ
Reviews:
·Cablevision

Re: Other VoIP providers

They don't care because it's just not that easy to "gain access" to the local network hub for a given community, sniff out ONE user's specific traffic, and decode that traffic, find the needle in the haystack, just to place an anonymous phone call to some VOIP customer or steal their credentials to make a few international calls. No real threat here, just your average run of the mill FUD. Using Vonage to get headlines and sell some "consulting" services.
priller

join:2000-10-20
Gainesville, VA

Just self promotion


Nothing new here. Most, if not all, of these so called vulnerabilities apply to any consumer VoIP provider.

This "security company" has not exposed any unknown vulnerabilities based on intelligent research. They are just explaining how things work. Probably funded by the telcos to discredit Vonage.
jay_rm

join:2002-04-12
Netville

Re: Just self promotion

The "new" Sipera Systems must be on the troll for more VC fishfood

La Luna
Survived Ashraful
Premium
join:2001-07-12
Warwick, NY
kudos:3

And.....

It seems that only one adapter is a problem in this case.

Problems with the Vonage VT 2142-VD adapter...
jsarcone

join:2002-10-12
Howell, NJ

Re: And.....

That's what I don't understand: all phone adapters use this RT protocol, Linksys and others. Aren't they at the same risk?
priller

join:2000-10-20
Gainesville, VA

Re: And.....


... and why do they single out Vonage by name when things like unencrypted RTP affects every consumer VoIP provider I know of?

I'm more convinced than ever that Verizon or AT$T has their hands in this.
jsarcone

join:2002-10-12
Howell, NJ
Reviews:
·Vonage

Re: And.....

Not that VT 2142-VD isn't a problem, but they are listing issues that every manufacturer has. I do think someone is behind this, and not that Vonage doesn't deserve some of the heat, but let's put the blame where it is needed: the whole industry. Verizon, ATT etc...

nolancj

join:2002-06-30
Long Beach, CA

My take on the matter

Let's see.. I can worry about "Hackers" randomly attacking my Vonage lines, OR, I can worry about the major Telcos complying with every whim of the federal government for eavesdropping and logging POTS calls? Hmm....

Personally, I'll take the "hackers"

jester121
Premium
join:2003-08-09
Lake Zurich, IL

Re: My take on the matter

Sounds like someone has a guilty conscience.

nolancj

join:2002-06-30
Long Beach, CA

Re: My take on the matter

said by jester121:

Sounds like someone has a guilty conscience.
Haha... not really, but I do have my tinfoil hat on

esc0

@rr.com
Could not have said it any better. Thanks for pointing this out. DAMN telcos.
doncute18

join:2003-04-08
12365

Public Stunt

Vonage has great security features on their back end. They are using Vonage just to get headlines like you guys are saying. It's easier to tap into your regular POTS line than a Vonage line. ALSO Off Beat BUT Comcast SUCKS GET RID OF THEM. I hate them so much. Just relieving some STEAM..

Transmaster
Don't Blame Me I Voted For Bill and Opus

join:2001-06-20
Cheyenne, WY

This information is brought to you by...........

Verizon
AT&T
Comcast
Qwest
Skype
Microsoft
and every other VoIP service out there.

You can't trust Vonage, you need to sign up with us.
--
Eat a BLT for Iran
priller

join:2000-10-20
Gainesville, VA

Sipera Protection for VoIP Vulnerabilities

Sipera Protection for VoIP Vulnerabilities
»www.sipera.com/index.php?action=···,default

They just happen to sell products that address VoIP vulnerabilities.

Talk about coincidence! That's outright spooky!

Must be the same marketing crew that does Symantec.
