FOR - David Endler, chairman, VoIP Security Alliance
VoIP networks are affected by the same security vulnerabilities that traditional data networks are plagued with today.
One of the biggest challenges is simply keeping the infrastructure completely patched. The trend of shrinking vulnerability-to-exploit timelines further exacerbates the problem.
VoIP devices such as phones, call processors, gateways and proxy servers inherit the same vulnerabilities of the OS or firmware they run. Many call processors are typically installed on Windows or Linux. There are hundreds of remotely exploitable vulnerabilities in flavors of Windows and Linux for which there are "point-and-shoot" exploit tools freely available.
There is doubtless also an abundance of vulnerabilities yet to be discovered in vendors' implementations of VoIP protocols such as SIP and RTP.
Granted, attacks directed specifically against VoIP deployments have been largely unheard of due to VoIP's early adoption. But history shows us that once the use of a killer app such as VoIP increases, so will its allure to hackers.
AGAINST - Teney Takahashi, market analyst, Radicati Group
All IP-based communication systems have vulnerabilities. Unauthorized parties can hack into an unprotected system and capture IP voice data, or even launch a DoS attack.
However, while VoIP systems are theoretically vulnerable, we have seen few real-world exploitations of these weaknesses. Today, hackers and virus writers play a numbers game that is almost always motivated by profit.
There are simply not enough VoIP systems deployed worldwide to make the development of VoIP-targeting malware profitable, especially when compared to the many vulnerable Windows-based systems still active today.
While we don't expect VoIP systems to remain sheltered from attack, most corporations face a range of more urgent security weaknesses. Email and IM networks are highly susceptible to viruses, worms and spam; online databases and e-commerce sites are frequently attacked by hackers; and spyware is proliferating. Even lost backup tapes present more of a clear and present danger to enterprises than the potential for VoIP-based attacks.