Internet telephony, or Voice over IP (define), is picking up steam, as telcos get wise to the benefits of turning speech into packets to be delivered via the Internet. But some experts say that security efforts are lagging.

Denial of Service (DoS) attacks against VoIP networks are a real possibility, according to Frost & Sullivan analyst Jon Arnold -- and there's even a distant risk of spam over Internet telephony, or SPIT.

"The proliferation of Voice over IP is so small right now, it's not the kind of magnet for attacks that e-mail is," Arnold said.

Frost & Sullivan forecasts a 15 percent penetration of VoIP in North America by 2008. That figure is for landlines only; wireless could have a major impact in the numbers, according to Arnold. But VoIP security threats are real.

"Spam is a small piece of the much bigger issue of voice security in the IP world," Arnold said. "It's come on the scene quietly, and the security industry hasn't kept pace."

VoIP providers are already on the lookout for DoS exploits.

"DOS ... can happen to VoIP providers unless they place security mechanisms in place," said Louis Holder, executive vice president of product development for VoIP provider Vonage.

VoIP systems require every customer to have a terminal adapter at their locations.

"Each customer then becomes a node that could help do a Denial of Service attack on a network," said Brian Fowler, CTO of Voiceglo, a VoIP service provider that monitors its network for nonconforming packets, which are filtered and extracted. "They can be turned against other networks."

Still, Fowler is aware of the pervasiveness of SPIT. "We worry about it all the time," he said. "We've been lucky at this point."

Arnold said that VoIP hackers could do plenty of evil besides just disrupting networks. "You can find some holes and drain financial resources out of companies," he said. "You can start charging phone calls to them and buying stuff over the phone. That's the really scary stuff."

What worries Arnold most is Microsoft's adoption of Session Initiation Protocol (SIP), a signaling protocol for Web conferencing, telephony, presence, events notification and instant messaging.

"Once you're in a SIP environment," he said, "you become vulnerable to the vulnerabilities of the public Internet. And if you're a hacker, what market are you going for?"

In January 2003, CERT warned SIP was vulnerable to remote code execution and other cracks, while the U.K. National Infrastructure Security Co-Ordination Centre advised early this year that the H.323 networking protocol for transmitting audio-visual data supported by many VoIP networks put them at risk for DoS and buffer overflow attacks.

The viability of SPIT is less clear.

"That is not possible to do with Vonage's voicemail system" Holder said. "In order to get a voice message into our system, you have to stream real-time voice into it."

In other words, if a spammer wanted to send someone a one minute long voice message, he would have to stream that message to the voicemail system for a whole minute; he couldn't just e-mail the message as a file into the system.

Even though the information is carried as data in Vonage's system, Holder said, it starts and ends as voice. "Phones have IP addresses," he said, "but the voice conversation still needs to be played in real time. And it's converted back to voice in real time."

But Qovia, a company that sells enterprise tools for VoIP monitoring and management, recently applied for a patent on technology to broadcast messages via VoIP -- and another one for a method of blocking such broadcasts. The broadcast methodology only works on a pure VoIP network, while most of today's services are hybrids of IP and traditional telephone lines.

"SPIT becomes an issue when you don't have to go out over the traditional telephony lines," said Qovia CEO Richard Tworek. "As soon as my VoIP system touches the Internet cloud, that's when it starts to become interesting. We predict it's going to happen, much as spam e-mail did. Were trying to get ahead of the game."

The company realized pretty quickly that where there's a channel, there's a pitchman, said Pierce Reid, Qovia vice president of marketing. "Someone is going to use [VoIP] for spam." Since every other medium has been the conduit of unwanted marketing messages, from bulk faxes to telemarketing to IM spam, he said, Qovia engineers began to research whether it was possible to broadcast voicemail. It was easy.

Qovia insists it would never allow the technology to be used for marketing, let alone spam.

"There are positive uses of the broadcast capability," said Tworek. "And none of us would agree that unsolicited marketing is a positive use; that's not in our future."

However, he sees the broadcast capability being useful for public agencies, such as Homeland Security, that might need to reach people with vital messages.

Qovia will incorporate its SPIT-blocking technology in future releases of its security products, while enforcement of its patent on broadcasting, if granted, could be used to shut down VoIP spammers.