Security experts say a high-profile VOIP hack is setting operators into action to protect against future problems. (See Two Charged in VOIP Hacking Scandal.)

Early last month federal authorities arrested Edwin Pena and Robert Moore for allegedly participating in a scheme that exploited the network weaknesses of several VOIP providers.

The feds accused the duo of secretly routing calls through legitimate VOIP networks, forcing those companies to foot the bill for the extra traffic they were carrying. On the flipside, Pena allegedly collected some $1 million in connection fees from other phone companies that he sold minutes to. (See VOIP Hacker Blues.)

Companies familiar with the Pena/Moore debacle worry that others will try, using relatively unsophisticated means, to exploit or take down their networks.

BusinessEdge security expert Yaron Raps says the Pena/Moore attack resulted in two large Tier 1 telcos calling on his company to do full security audits of their VOIP networks. Raps is the former head of technology and engineering at deltathree Inc. (Nasdaq: DDDC).

Raps believes the security issue is changing the way big telcos view the role of VOIP in their businesses. “Before this, VOIP was just a software infrastructure that corporations introduced to reduce operational expenses and increase speed to market -- and it was not about security," Raps says. "The big telcos are realizing that VOIP is not a cheap replacement to the PSTN.” (See VOIP Gear Approaches Peak.)

IP-security expert Mike Hrabik of Omaha-based Solutionary says his company is also receiving more calls on VOIP security issues. Hrabik says the new interest in security is a normal part of the evolution of new technologies. “We see this in every new or evolving technology. It sort of goes through these phases,” Hrabik says. "They’re going to have to concentrate on this -- the security of the protocol itself, the security of the infrastructure -- and move it up in their priorities."

VOIP providers tag their own calls with a unique identifier or "prefix" so they can be admitted to the network. Pena, with Moore's help, allegedly bombarded the VOIP providers' networks with test calls -- each carrying a different prefix -- until they found one that was admitted to the network. The two then allegedly tagged all the fraudulent calls with that prefix.

Erecting a reliable wall of defense against these tactics is no easy, or cheap, proposition, the experts say.

Hrabik explains that large VOIP networks deal millions of calls each day, so it's sometimes hard to tell the fraudulent traffic from the legitimate traffic. “So you turn on your native logging to see who has logged into the router, in some cases the transaction volume is so large that finding the few the are from the attackers is the difficult part."

Operators will also be challenged, Hrabik notes, to maintain security even as hackers invent new attacks. "You may address one type of attack avenue, but what are some of the other ones somebody else might be able to find to exploit me in a different way or from a different angle?"

He adds: "We always find that to be the problem: Once the problem is controlled, and the press dies down, can you keep the intensity to find all those avenues and start to plug those holes?"

Net2Phone Inc. (Nasdaq: NTOP) was one of as many as 15 networks victimized by Pena and Moore, and the only carrier actually listed in the legal complaint. Net2Phone did not respond to numerous requests for comment on the article.

According to Rap at BusinessEdge, three basic components must be in place to achieve real-time security. “You have to have a very strong authentication at the edge, you have to have very strong fraud detection at the core, and then you have to have very strong prevention and detection in your network.”

He says the RBOCs may have an easier time absorbing these security costs than their unaffiliated or “pure play” competitors like SunRocket Inc. and Vonage Holdings Corp. (NYSE: VG).

Many VOIP providers use session border controllers to protect the edges of their networks. In fact, security functionality has become one of the main selling points of the devices.

"The messages were spoofed both at the IP-layer and signaling layer," writes Acme Packet (Nasdaq: APKT) product manager Hadriel Kaplan of Pena's and Moore's technique in an email to Light Reading Friday. "That is a non-trivial thing to do, and represents a serious sophistication and commitment on the part of the criminal."

— Mark Sullivan, Reporter, Light Reading