Two attacks against VoIP
Peter Thermos

"We are more secure than a regular phone line."

Two attacks against VoIP 2006-04-06
Tobias Glemser (3 replies)
Re: Two attacks against VoIP 2006-04-06
Author (2 replies)
The two fundamental messages of the article are the fact that there are VoIP Service providers who misconceive VoIP security and the fact that there is a gap between the standards and products when it comes to supporting certain security features.

The comment "This is also false if we discuss an actual SIP-Proxy implementation." is based on ONE implementation which you have configured and tested in an isolated environment compared to testing 4 different commercial implementations in carrier and enterprise environments respectively. Vulnerabilities vary from one environment to the other. The attacks mentioned in this article have been demonstrated in production environments (including message replay of registrations).

The comment on "BUT: Any other service using IP is also "vulnerable"! This is NOT a VoIP-Problem in the first row if ARP-Poisoning is possible. This is a problem of your LAN-implementation."

The point is that in certain cases VoIP implementations should use encryption. Do you prefer using telnet to administer your environment or ssh, even if it is switched?

PS:

I appreciate that you took the time to read the article and provide feedback.

Link to this comment: http://www.securityfocus.com/comments/infocus/1862/509#509
Re: Re: Two attacks against VoIP 2006-04-12
Tobias Glemser
Re: Re: Two attacks against VoIP 2006-04-16
Anonymous
Re: Two attacks against VoIP 2006-04-06
Anonymous (1 replies)
Re: Re: Two attacks against VoIP 2006-04-12
Tobias Glemser
Re: Two attacks against VoIP 2006-04-07
Roger (1 replies)
Re: Re: Two attacks against VoIP 2006-09-25
VoIP_Hacker
Two attacks against VoIP 2006-04-06
Greg (1 replies)
Re: Two attacks against VoIP 2006-10-24
Wireless_VOIP
Two attacks against VoIP 2006-04-07
Peter Thermos
Two attacks against VoIP 2006-04-10
Anonymous
Two attacks against VoIP 2006-04-11
MidNet
Two attacks against VoIP 2006-11-09
Anonymous







 

Copyright 2008, SecurityFocus