VoIP gear from major vendors can be made secure, but it doesn’t come out of the box that way, experts warned at RSA Conference 2007.

Default settings are the enemy that needs to be dealt with before turning up a VoIP system, according to David Endler, director of security research for TippingPoint, and Mark Collier, CTO of SecureLogix who presented their research on VoIP security at the conference. Both are members of the VoIP Security Alliance, an industry group trying to promote better VoIP security.

Leaving IP phone settings at default can lead to trouble because many phones have Web servers included that can let hackers see valuable information. If these servers have access to the Internet, then Google indexes them. Hackers then direct their browsers at the VoIP devices and probe for data including the address of the VoIP server it is associated with, according to Endler.

Some of these servers have packet-capture as a feature so a compromised phone could bug itself. “That would let you download conversations off the device,” says Endler.

Vendors’ default voicemail answering messages are unique, so calling the system and listening to the message can tell hackers what brand IP phone system is being used and they can tailor their reconnaissance and attacks accordingly. Phones with default passwords pose even more of a threat, he says.

The remedy is to disable the Web servers on phones, change passwords and record new voicemail greetings,