Keeping Hackers Off VoIP

Any new technology has bugs in its system to work out, and phone calls that run over the Internet are no exception.

VoIP, or voice-over-Internet protocol, calls can get "spoofed," SPIT" (spam-over-Internet-telephony), "sniffed" and even stalked by "computer zombies" that hackers control remotely to launch all kinds of attacks. However exotic the language, the logic is clear: These are serious security issues.

The problem is even the experts don't agree on how to address the challenges.

Take encryption, for instance. The average VoIP subscriber, lured by a price tag that's 80% and 90% less than a land line, is comforted to hear that his VoIP provider "encrypts," or protects, phone calls.

But while some fully encrypt calls, others don't, says Vincent Weafer, senior director of security response at Symantec(SYMC Quote), the company that created the popular Norton antivirus software. "Everyone I've looked at encrypts at least the initial user-authentication portion of the call, which is the most sensitive data because it contains your user ID and password."

Encryption promises often aren't fully reliable, says Doug Graham, a consultant for BusinessEdge Solutions in East Brunswick, N.J., whose clients include AT&T (T Quote), Verizon Communications (VZ Quote) and Time Warner's (TWX Quote) cable unit.

"Most companies say encryption helps, but once the conversation starts, that conversation is generally not encrypted or protected." Only some companies own the wires end to end, which is why they can't guarantee content remains private," says Graham.

Vonage (VG Quote) spokeswoman Brooke Schultz says encrypting private conversations isn't necessary. "It would be very hard to target into one conversation -- the hacker would have to have access to a network or to a home user's machine."

But that's exactly what they do, say Weafer and Graham. Special software can eavesdrop, intercept and interrupt your calls, says Weafer. If your leave your computer unprotected and a hacker steals your user ID and password, he can start to "impersonate you and make calls in your name." VoIP attacks range from the merely mischievous (calls that "spoof," or pretend, to be you) to the malicious (calls that redirect financial transactions to a third party).