Vonage users could be vulnerable to identity theft, eavesdropping...

adapter registers itself on the Vonage server every 20 seconds, it said. But the server challenges only the initial registration and it accepts subsequent messages without authentication, the company said. An attacker could replay a Vonage subscriber’s register message with a spoofed IP address and send it to the server, hijacking phone service, it said. Eavesdropping is possible, because Vonage doesn’t encrypt voice conversation packets sent over the VoIP network, Sipera said. Vonage users also may be open to spam and denial of service attacks, Sipera said. The Vonage-Motorola phone adapter doesn’t authenticate session initiation protocol (SIP) requests from the server used to ring the phone and start a conversation, it said. Since the phone adapter checks only that the IP address matches the Vonage server’s, an attacker could impersonate Vonage and directly call users, it said. Attackers also could exploit the vulnerability to flood users with SIP requests, preventing Vonage users from sending or getting calls, Sipera said. Sipera said it told Vonage about the problems more than a month ago, but got only an automated response. Sipera has an ulterior motive, a Vonage spokesman said. “Sipera appears to be in the business of providing a VoIP ’security solution’ and has previously attempted to sell their products to our company,” he said. “Vonage is not a customer of Sipera’s products.” Selling Sipera services isn’t the goal, a Sipera spokesman said. Sipera is “not that much different” from independent researchers Symantec and McAfee, and has worked with other businesses at no charge to help publish security patches, he said. Sipera is studying other VoIP providers and will publish notices “the next few months,” it said.