Created 1/13/15. Last edited 6/23/16.
There are four main areas of concern in VoIP security: 1) conversation reconstruction, 2) user impersonation, 3) denial of service, 4) call intelligence.
The state of security in VoIP is currently low, but as new security options arrive, we continually evaluate them for their cost/effectiveness. The rules of security are the same for VoIP as they are for any Internet application: secure your network, use secure passwords and keep those passwords secure. The only way to 100% guarantee a secure connection is to use a device that encrypts the call at both end-points. We mention one such solution at the end of this article.
The easiest place to attack a VoIP phone call is from inside the LAN. An 'inside' attacker places a packet sniffer or hub on the LAN and gathers all the packets. A VPN is not going to stop this type of attack; only end-to-end encryption will thwart it. To prevent this attack, maintain the physical security of your network, including any Wi-Fi access points. An attack by an outside third party would require significantly more sophistication. For an unmotivated attacker, the reward is not worth the effort of mounting the attack in the first place.
Impersonating a user for e-mail, chat or VoIP is as easy as stealing the username/password. That is why we use highly secure passwords that we control, so that we can guarantee the robustness of the password. Once you have a robust password, it is imperative that it is kept private.
Denial of Service
Denial of service is no different: it can happen to any Internet-based service, e.g. e-mail, chat, WWW, VoIP. If a router is attacked with DDoS, there is very little it can do. DDoS has taken down the likes of even Google.
Call intelligence is knowledge of the mere fact that a call has been placed. Intercepting the call setup packets would give an attacker at least the knowledge that a call was placed. They would have to be in the right place at the right time, but a motivated attacker would, at least, be able to gather this low-level information.
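As an added example (not part of the original article), here is a Python check an administrator can run over a captured SIP INVITE to see whether a call is actually protected: the top Via transport shows whether the call-setup metadata (the "call intelligence") crosses the LAN in the clear, and the SDP media profile shows whether the audio itself is plaintext RTP that a sniffer could reconstruct. The two sample messages and their addresses are constructed for this example.

```python
import re

# Constructed sample: SIP over UDP, plain RTP/AVP audio. Both the setup
# metadata and the conversation are readable by anyone sniffing the LAN.
PLAIN_INVITE = (
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc\r\n"
    "From: <sip:alice@example.test>\r\n"
    "To: <sip:bob@example.test>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)

# Constructed sample: the same call with SIP over TLS and SRTP (RTP/SAVP).
SECURE_INVITE = PLAIN_INVITE.replace("SIP/2.0/UDP", "SIP/2.0/TLS").replace(
    "RTP/AVP", "RTP/SAVP"
)

SECURE_PROFILES = ("RTP/SAVP", "RTP/SAVPF")


def audit_invite(msg: str) -> dict:
    """Report which protections a captured SIP INVITE actually negotiates.

    signaling_encrypted: top Via transport is TLS, so call-setup metadata
        is not exposed to a sniffer on this hop.
    media_encrypted: every m= line uses a secure RTP profile, so the audio
        cannot be reconstructed from captured packets on this hop.
    """
    head, _, body = msg.partition("\r\n\r\n")
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    media = re.findall(r"^m=(\w+)\s+\d+\s+(\S+)", body, re.M)
    insecure = [kind for kind, profile in media if profile.upper() not in SECURE_PROFILES]
    return {
        "transport": transport,
        "signaling_encrypted": transport == "TLS",
        "media_encrypted": bool(media) and not insecure,
        "insecure_media": insecure,
    }


if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_INVITE), ("secure", SECURE_INVITE)):
        print(name, audit_invite(msg))
```

A pass only proves the captured leg is encrypted; as the article notes, only end-to-end encryption between both endpoints protects the whole path.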
A VPN is not going to protect against most of these threats. An unmotivated attacker is not going to even attempt to intercept calls, as the cost/reward ratio is too low, and a motivated attacker is not going to let a little thing like a VPN stand in their way.
A service like My Kryptofon is a good defense. It encrypts the call end-to-end, so even if a call is intercepted, the packets are encrypted. This is one example of a 100% secure VoIP environment. This would encrypt calls from a My Kryptofon user to another My Kryptofon user, but calls to and from the Public Switched Telephone Network (the PSTN) would be subject to the vulnerabilities listed above.
Another option would be the OnSIP app, accessible on the web at app.onsip.com or via a desktop application. The app gives you a fully encrypted call end-to-end, but has the added bonus of even encrypting calls to the PSTN. Calls to and from the PSTN are encrypted while they traverse the Internet.