Hello. Do you know the story of how the electromechanical phone switch was invented?

The inventor, Strowger, laid the foundations for the automatic switchboard because he believed corrupt phone operators were diverting people who tried to call his business over to his competitors.

There's an economic motive to interfere with phone switching. It's just rumor, but persistent rumor, that someone has taken over telco switches in Vegas and rerouted some escort service phone numbers.

The other way for a crook to make money would be to send VOIP calls to the overseas equivalent of 900 numbers. Then there's extortion: "we'll shut down your order taking call center unless you send $40,000 by Western Union to Belarus".

You're right that there's no point in eavesdropping on random people, but what about targeted attacks? Could papparazzi get a few bucks from tabloids by selling Paris Hilton's phone calls?

I haven't built a complete threat model (nobody's hired me to) but those are a few things that come to mind easily.

There is no point in attacking the end-points in IP telephony, but having worked with a couple of the largest VOIP deployments in the world, I can say that the "switching infrastructure" (gatekeepers, SS7 equipment, etc) was a target, and was secured very heavily.

At this point, in fact, VOIP has a substantially higher level of security than SS7 does. SS7 has zero authentication functionality of any consequence, and therefore trust is nearly absolute. This is the more interesting place to attack a phone call, even if it traverses the VOIP world.

Unlike Fred, I *am* being paid to think about this stuff right now as part of the deployment of a global (6 continents, hundreds of facilities, many tens of thousands of phones) VOIP network. This is a private network, but the fundamental threats remain the same. It's the ease-of-mitigation that's different.

I agree that there simply aren't many signifcant threats and what network-level threats exist can be mitigated by existing best practices for building defensible networks. Nearly every risk we're addressing is just an existing network security risk that will now apply to the phone system. The scary stuff isn't even new FUD, it's just recycled network security FUD.

If I were Vonage or (especially) Skype, however, I might be a little worried. Skype uses a couple of currently-known authentication servers which are potential DOS targets. The client is designed to be able to shift authentication servers, however, and we don't know how many alternative servers they have on hot standby, but I'll guess it's at least one or two.

Perhaps the mafia are waiting until Skype(In|Out) gets sorted out (lots of card processing horror stories about that right now) or the suppliers are flowing positive cash, but given that people don't expect dialtone-grade reliability from Skype, I think that Skype & Vonage can safely, as Ian says, "Wait until they go away."