Google appears to have fixed a significant security hole in its two-week-old Voice calling service though some vulnerabilities remain.
Until about 7pm PDT Tuesday, an unauthorized party could use a SIP device to spoof a phone number attached to a Google Voice account to call the Google Voice number. This would give the spoofer access to greetings and voicemail, and the ability to make outbound calls, including expensive international calls.
Though SIP access to a Google Voice account is no longer possible in such a manner, continued existence of some vulnerability was still apparent Tuesday night. Voxilla was able to set the caller ID of a PBX extension to a mobile number attached to Google Voice account and call in, using a business VoIP trunk, to gain access.
Because many VoIP service providers permit users to set their own caller ID and ANI, it remains possible to “spoof” a number attached to a particular Google Voice account, unless the Google Voice account holder changes the default account setting to require entry of a PIN in order to gain access to the account.
Voxilla confirmed the larger SIP vulnerability earlier in the day Tuesday using a Linksys SPA942, an inexpensive IP phone. With its proxy set to the Google Voice IP and the Display Name set to a mobile number attached to a Google Voice account, dialing the Google Voice number permitted access to the account.
A recent post in the Google Voice support forum mentioned this vulnerability, though it is not clear whether that prompted Google to move to close the SIP flaw.
Voxilla has contacted Google officials to make them aware of the remaining security vulnerability and to ask for comment. We will post updates when we hear back from them.