Here is an article/slideshow covering "the top 9 VoIP security vulnerabilities". Certainly some of these are true, but the order is a little strange and issues such as DoS are left off. I am going to publish a list as well and DoS is probably the main vulnerability, but I would probably include some traditional issues like toll fraud, because we actually see them in the wild.
Here is a link to a good article on VoIP security. I totally agree with the main points, those being that while VoIP systems are vulnerable, the real threat of attack is still low. We conduct enterprise VoIP assessments and always find vulnerabilities, but rarely ever find evidence of attacks (we have found some).
Here is an interesting article on VoIP security and some potential issues with Vonage's VoIP implementation. This article summarizes several vulnerabilities disclosed by Sipera and their VIPER lab. While I agree that these issues probably exist with Vonage's implementation, I am confident that they also exist with other consumer-oriented VoIP offerings. I haven't spent much time assessing SIP-based consumer offerings, but would expect that security features such as strong authentication, media encryption, etc., are not commonly used yet. I am sure that if Vonage is being used by a consumer who also has a non-secure wireless network, it is very easy to listen in on calls. Of course, I am not sure this is a huge issue; I guess someone could record their neighbor's teenage daughter's conversation with her boyfriend. Heck, maybe I should do this - I have two teenage daughters.
Of course, in our house, our landline phone has cobwebs on it. If someone wanted to record our calls, they would have to listen in on our cell calls. As an aside, we do have Time Warner's digital phone, which I hear uses MGCP.
I did want to post Vonage's response. It is sort of funny:
Vonage, for its part, responded to Sipera Systems' claims with the following statement: "Sipera appears to be in the business of providing a VoIP 'security solution,' and has previously attempted to sell their products to our company. Vonage is not a customer of Sipera's products." Given all the attention the announcement brought, it probably won't be for a long time.
Dan York interviewed Dr. Jonathan Rosenberg on the topic of NAT traversal and solutions. He posted the interview on Bluebox Podcast. Along with explaining the NAT traversal issue, there is a good description of ALGs and SBCs, and standards-based solutions like STUN, TURN, and ICE. Check it out: