February 04 2008

VoIP Threats

There are many threats to a VoIP system and the list is only going to get bigger. Here’s a list of threats that will be most common in 2008 according to Sachin Joglekar, vulnerability research lead at Sipera Labs.

Remote Eavesdropping:
This is most common on VoIP systems that do not take security measures such as encryption into account. On a traditional phone system, someone has to physically tap into a phone line to eavesdrop. On a VoIP system this is much easier if calls are not encrypted, as all you need is a data feed. This data feed could be tapped into without physically connecting a hard wire to the network cable.
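Whether a call can be read off a data feed comes down to whether its media stream is encrypted. The following is an added example, not code from the original post or from Sipera Labs: it assumes a SIP deployment that negotiates media with SDP (the post does not name a protocol) and classifies each offered stream as plain RTP or SRTP. The function names and the sample SDP are constructed for illustration.

```python
# SDP m= line profiles: AVP/AVPF are plain RTP, SAVP/SAVPF are SRTP.
PLAIN = {"RTP/AVP", "RTP/AVPF"}
SDES = {"RTP/SAVP", "RTP/SAVPF"}                  # keys carried in a=crypto
DTLS = {"UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}  # keys agreed via a=fingerprint

def classify(proto, port, media_attrs, session_attrs):
    """Verdict for one media stream of an SDP offer or answer."""
    has_sdes = "crypto" in media_attrs            # only valid at media level
    has_dtls = "fingerprint" in (media_attrs | session_attrs)
    if port.split("/")[0] == "0":
        return "disabled"                         # port 0: stream not in use
    if proto in PLAIN:
        # Keying material on a plain profile: encryption is optional at best.
        return "opportunistic" if (has_sdes or has_dtls) else "cleartext"
    if proto in SDES:
        return "encrypted" if has_sdes else "srtp-no-keying"
    if proto in DTLS:
        return "encrypted" if has_dtls else "srtp-no-keying"
    return "unknown"

def audit_sdp(sdp):
    """Return [(media, profile, verdict)] for every m= section in an SDP body."""
    session_attrs, streams, current = set(), [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue                              # not a <type>=<value> line
        kind, value = line[0], line[2:]
        if kind == "m":
            # Pad so a truncated m= line is reported as "unknown", not dropped.
            media, port, proto = (value.split() + ["", "", ""])[:3]
            current = {"media": media, "port": port,
                       "proto": proto.upper(), "attrs": set()}
            streams.append(current)
        elif kind == "a":
            name = value.split(":", 1)[0].strip().lower()
            (current["attrs"] if current else session_attrs).add(name)
    return [(s["media"], s["proto"],
             classify(s["proto"], s["port"], s["attrs"], session_attrs))
            for s in streams]

# Constructed sample: one plain-RTP audio stream, one SDES-SRTP audio stream.
SAMPLE = ("v=0\r\n"
          "m=audio 49170 RTP/AVP 0 8\r\n"
          "m=audio 49172 RTP/SAVP 0\r\n"
          "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER\r\n")

if __name__ == "__main__":
    print(audit_sdp(SAMPLE))
```

An `encrypted` verdict for an `a=crypto` stream still depends on the signaling itself being carried over TLS, because the SRTP key travels inside the SDP.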

VoIP Hopping:
VoIP hopping can allow remote eavesdropping: it lets a PC mimic a phone, giving hackers a doorway to eavesdrop.

Vishing:
Similar to phishing, vishing allows scammers to change call parameters like caller ID and present a fraudulent identity. A typical scam might lead people to believe they are talking to a rep from their bank, and they may reveal confidential information.

VoIP Spam:
Similar to email spam, this represents not only junk phone calls but also more wasted time for people, as they have to stop what they are doing to take the call. It can also fill up voicemail boxes.

Toll Fraud:
Toll fraud has been talked about a lot recently. A typical scenario is a case where hackers broke into a VoIP network and “sold” long distance minutes to millions of unsuspecting people. Make sure encryption and analysis systems are in place in your VoIP deployment.

Skype Worm:
The popularity of Skype will prompt more and more worms to be released that replicate through the network. One such worm was the W32.Ramex.A virus, which replicated through instant messaging.

VoIP over WiFi:
VoIP by itself is insecure. If you decide to put it over WiFi, make sure your WiFi network is secure or you will leave a huge surface area for an attack.

Weak Default Settings:
As with any system, you should not leave it at the defaults. Always change settings and shut down services you will not be using. A simple thing, but I’ve seen even default passwords on production systems.
