Reading about the Asterisk vulnerability that was announced yesterday, alongside Edwin Pena's $1 million VoIP scam, might give one the impression that today's corporate VoIP networks are at serious risk. Nothing could be further from the truth. The reality is that the vast majority of corporate VoIP networks would be invulnerable to the types of threats and scams played by Pena and Moore. Those attacks hinged on being able to terminate VoIP calls on a service provider's VoIP network. Yet most companies only receive, and place, calls through PSTN gateways. VoIP trunks to the outside are few and far between precisely because there is no good way to identify and sandbox incoming callers.
The same holds true for the Asterisk vulnerability. While significant, the flaw didn't get me terribly worried about the security of corporate voice networks. Aside from the fact that Digium patched the vulnerability quickly, most companies will be protected from external attackers precisely because their firewalls block inbound calls from the Internet.
What did alarm me, though, were the weaknesses in the underlying data network security. Pena and Moore could pull off their scheme because of open ports on many corporate networks, which let them steal administrator names and passwords for the routers and then pass their calls through those routers.
Here lies the real threat to today's corporate VoIP deployments. Until data networks are adequately secured and protected, no amount of VoIP-specific security will save companies from attack.