VOIP gear from major vendors can be made secure, but it doesn't come out of the box that way, experts warned at RSA Conference 2007.

Default settings are the enemy that needs to be dealt with before turning up a VOIP system, according to David Endler, director of security research for TippingPoint, and Mark Collier, CTO of SecureLogix who presented their research on VOIP security at the conference. Both are members of the VOIP Security Alliance, an industry group trying to promote better VOIP security.

Leaving IP phone settings at default can lead to trouble because many phones have Web servers included that can let hackers see valuable information. If these servers have access to the Internet, then Google indexes them. Hackers then direct their browsers at the VOIP devices and probe for data including the address of the VOIP server it is associated with, according to Endler.

Some of these servers have packet-capture as a feature so a compromised phone could bug itself. "That would let you download conversations off the device," says Endler.

Vendors' default voicemail answering messages are unique, so calling the system and listening to the message can tell hackers what brand IP phone system is being used and they can tailor their reconnaissance and attacks accordingly. Phones with default passwords pose even more of a threat, he says.

The remedy is to disable the Web servers on phones, change passwords and record new voicemail greetings, Endler says.

Scans of firewalls can reveal open ports and tools available on the Internet can map those to likely protocols and even vendors' implementations of those protocols. VOIP-aware firewalls can close these ports efficiently so they are only open when they need to be to set up or carry calls, Collier says.

Some phones use the TFTP protocol to communicate with the VOIP server, and tools available on the Internet can help search for the names of configuration files that can contain passwords to telnet ports, for example, opening the phone to malicious manipulation, Endler says.

These phones may also support SNMP, leaving them vulnerable to giving up information that may be used to hack the network. Customers should disable SNMP or use a version of it that requires authentication, he says

If hackers get access to a SIP phone, they can insert rogue software into the call stream to insert content in conversations. So, for instance, such a man-in-the-middle attack might insert embarrassing background noise to make it sound like a business call was coming from a club or ballgame.

This type of attack could also drop calls, redirect them, inject words or phrases or create jitter to disrupt call quality.

The biggest threat to VOIP networks is internal because most corporate deployments connect employees at company sites, but not directly to the rest of the world, they say.

Most attacks that affect VOIP are still those directed at the network itself, not VOIP specifically, Collier says. The key is to make sure general network security is strong and to protect VOIP with added means such as putting calls on VLANs and implementing quality of service to VOIP gets priority regardless of how much traffic floods the network. "Denial of service is the worst threat to VOIP," he says.