VoIP: not ready for prime time, says security group

While many CIOs are salivating over the prospects of VoIP as a way to reduce telecom costs and introduce new ways to integrate voice into enterprise networks, the Jericho Forum security group does not believe that the technology is ready for the enterprise. They reached this conclusion after an eavesdropping vulnerability was made public on the Full Disclosure mailing list this week by a group of researchers who contend a remote attacker could turn a VoIP phone into an eavesdropping device. The researchers singled out vendor Grandstream Networks, as having some "serious bugs" in SIP stack engines that allow attackers to potentially listen into a conversation unnoticed. "You can't run VoIP on a corporate network because you can't trust every single device on that network. VoIP as it stands certainly isn't secure. Going forward, everybody should be using inherently secure protocols," one member said. Ouch. A Grandstream rep told Cnet it is aware of the vulnerability in its software, and will release countermeasures in late September to address the issue.

To read more on the security vulnerability in VoIP:
- see the article in Cnet