VoIP - wot no security?

Its seems like an eternity since I first heard about Internet telephony, and only slightly more recently Voice Over IP (VoIP). In the early days Internet telephony was achieved with homebrew software of little complexity. It wasn't long before people figured out that combining it with freely available encryption technology could yield a very secure phone replacement. However, although a flurry of commercial IP telphony products soon became available their call quality left a lot to be desired and they still had the disadvantage you usually could not call a regular phone from them.

Then along came the VoIP standard and we all held our breath and waited, and waited. Now finally, long after we expired from asyphixa, VoIP is actually making it into the mainstream thanks to another little technology called SIP. SIP is Session Initiation Protocol and solved the problem of connecting VoIP based phones to the public telephone network. Now you can actually buy VoIP service from AT&T, furthermore Vonage and Packet8 have been offering high quality service to consumers for some time now. Vonage can even transfer your land line to their service with no number change. Brilliant. But my question remains, where's the encryption?

I mean to ask, if my web surfing can have optional encryption (SSL), if my WiFi has optional encryption (WEP, WPA), and if one assumes people might actually have confidential or private conversations then why doesn't my VoIP phone have a nice big "Scramble" button on it, just like in the spy movies?

My guess is, that the assumption was that security would be handled in the network layer and it wasn't at all the business of VoIP to deal with. Granted if you only make VoIP calls within you company over its private network, or on its VPN, then that is the case, well assuming no one in your company is evesdropping. But what about all us poor consumers whose packets are destined to spill out into that big fuzzy and notoriously insecure cloud called "The Internet"?

My guess is also that the acceptance of VoIP phone service providers by the FCC and government would be a lot less friendly if it included encryption. All of a sudden your humble desk phone might actually be intercept proof and would be branded a WMD. Your VoIP phone would be banned just like the box cutter in the desk tidy beside it. If anything VoIP as it is probably makes tapping into the conversation of your average phone call as easy, if not easier than it ever was before, and all without a wire tap. Just think about all the vulnerabilities of your a home computer system - just one mistake in the WiFi, operating system, firewall or application security configuration (assuming they are not inherently insecure) and your entire system is jepordized and hence any data that ends or originates at it.

If you don't believe me just think about how simple, dumb viruses manage to wreck havoc time after time after time. And think if instead of just crashing your computer, erasing your hard drive, or sending dumb emails out on the net they instead quietly installed a keyboard monitor into your system. Then every single keystroke you typed was relayed to an external entity. Before long they'd have your email account password, bank password, social security number, all your personal information and your identity would be gone in an eyeblink. Furthermore they could pick up the password to your VoIP terminal and router and reprogram them. So when you pick up the VoIP phone to call the police and complain your identity has been stolen I wouldn't count on the call going to the right destination...

So please, wouldn't it be nice if security and privacy of VoIP was a higher concern for the masses before all our phones become just another casualty on the Internet Insecurity Highway.