Saturday | 30 August, 2008
CSO
When Voice Becomes Data
Scott Berinato 21/09/2006 13:26:18


As a corollary to the problem of unlimited applications, combining voice and data on a single network creates a new opportunity for blended threats. That is, attackers can reach the voice system through applications that previously had no connection to voice, and they can use the voice system to reach those applications. A simple example is using a corporate presentation shared over a VoIP system as an attack vector.

If all of this seems like doomsaying, consider that most of the above threats have already emerged in the real world, even though VoIP and voice over Internet are technological infants. One vendor documented four cases of VoIP phishing in which the caller ID identifies the call as coming from the victim's bank and a recorded message asks the victim to key in account information, which is then logged. (That vendor also sells anti-phishing software, so take its "research" with a grain of salt.) Vonage, a VoIP vendor, provided a notorious early proof of concept of VoIP spam when it planted a pre-recorded advertisement for its upcoming IPO in its customers' voice mailboxes.

But the most notorious case of VoIP's fallibility yet to come to light involved spoofing. A Florida man named Edwin Pena allegedly paid a hacker in Washington state $20,000 to exploit router vulnerabilities so that he could spoof VoIP providers. Federal prosecutors allege that Pena stole some 10 million minutes of service and resold them at cut rates, netting hundreds of thousands of dollars in pure profit.

The type of attack used in the scheme was a "brute force" scan for router vulnerabilities, a simple, old hack from the data world that cannot touch the PSTN. Is that because the PSTN is technically more secure? Not necessarily. "PSTN switches are all based on the same system as IP routers and switches," Graydon says. "All that's happened is we ourselves have more access to the routers and switches in the IP world."

But Is It Soup Yet?

You'd be forgiven for thinking: "Here we go again." The tech industry, notorious for rushing to market with "revolutionary" products only to have their lack of security and stability embarrassingly exploited, appears to have just another case of putting the revenue cart before the security horse. (And then selling more products to secure the original product, at additional cost: Already vendors are marketing anti-SPIT (spam over Internet telephony) software, VoIP firewalls, and VoIP monitoring and management software. These costs will eat into any savings VoIP offers over traditional phone service and add a layer of complexity.) "It's extremely frustrating," Graydon says. "You sit there and go: 'Guys, you're doing it again. Did you not learn the last time?'"

Only this time, the stakes are higher. If, say, instant messaging was rushed to market to satisfy demand without being properly secured or having its threats understood, that wasn't good. But what were the expectations and assumptions about chat's security in the first place? Probably limited. With voice, the expectations are culturally ingrained. We even have a name for them: dial-tone reliability. We have come to expect that voice can't fail, and yet here is a technology rushing to market that, so far, can't meet that expectation.

In a sense, vendors offering VoIP service are pushing a cake-and-eat-it-too agenda. They want voice to have the power of data with the security of POTS, even if such a platform doesn't yet exist. So they're left selling voice as another data type but also acknowledging that voice is special. "I say voice is not data," says Lawrence Dobranski, the leader of product security architecture in the office of the CTO at Nortel. "From a risk management perspective it has to be thought of differently. We're sharing voice on data infrastructure, and that means the threat landscape is opened." That's a core point of this story. "People bring an awful lot of expectations with voice. We have to make sure we get the security of VoIP right, and that won't be easy; that will be difficult."

Gus de los Reyes, a technology consultant at AT&T Labs who develops security capabilities for VoIP services, is more sanguine. De los Reyes says that he and the other AT&T Labs technology experts can stop his company's VoIP products from going to market if he feels a security control isn't ready, and that he has done so. Because he has the power to control the rush to market, he doesn't see a rush to market at all. "There's a much greater awareness with VoIP than there was with things like e-mail. Maybe too much awareness. People don't want to make the same mistakes with VoIP."
