Voice-Over-IP How Secure is SIP?

Posted by Jimbo on June 14, 2006, 10:54 am


Hello

New to VOIP but can anyone tell me how secure is SIP especially if
using it from a public hotspot or in a hotel.

VOIP providers claim it is more secure than a standard phone line as
the packets have no meaningful identifying information in them and as
they are routed through many channels it would be very hard to capture
information although, if you're using a SIP phone in a public area like
a hotspot or hotel surely your phone call could be intercepted?

Your thoughts are appreciated.

Many thanks

Jim


Posted by Enzo Michelangeli on June 14, 2006, 11:18 am


> Hello
>
> New to VOIP but can anyone tell me how secure is SIP especially
> if using it from a public hotspot or in a hotel.

As it's used today, not at all. There are protocols for securing both
signalling (Secure SIP, i.e. SIP-over-TLS) and media flows (SRTP) but they
are only rarely used.

> VOIP providers claim it is more secure than a standard phone line as
> the packets have no meaningful identifying information in them and as
> they are routed through many channels it would be very hard to capture
> information

Sounds like standard sales pitch to me :-) Have a look at these proofs of
concept:

http://vomit.xtdnet.nl/
http://www.oxid.it/cain.html

> although, if you're using a SIP phone in a public area like
> a hotspot or hotel surely your phone call could be intercepted?

Yes, unless you use countermeasures, which however require concerted action
by both endpoints. As long as you do peer-to-peer VoIP that's quite possible
(see e.g. http://www.philzimmermann.com/EN/zfone/ for SIP-based softphones,
or http://www.amicima.com/ for a non-standard but easy-to-use and - unlike
Skype - open source and therefore verifiable solution); but if you require
PSTN termination, or simply provider-based service, you won't find any
provider willing to secure your communications, also because U.S. CALEA
regulations (http://www.eff.org/Privacy/Surveillance/CALEA/ ) force public
services to be easy to eavesdrop by three-letter agencies...

Enzo
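
Added example, not part of the thread or any poster's code: a small audit that reads one SIP request with an SDP body and reports whether the signalling hop used TLS and whether each media stream is offered as SRTP, the two protections named in the reply above. The sample messages, addresses and the `audit_sip_message` name are constructed for illustration.

```python
import re

# Constructed sample messages (not captured traffic).
PLAIN_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "c=IN IP4 192.0.2.10",
    "m=audio 49170 RTP/AVP 0 8",
    "",
])
# Same call offering SRTP with an SDES key, still over cleartext UDP signalling.
SDES_OVER_UDP = PLAIN_INVITE.replace(
    "RTP/AVP 0 8",
    "RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER")
# Same offer with the signalling hop on TLS.
SECURE_INVITE = SDES_OVER_UDP.replace("SIP/2.0/UDP", "SIP/2.0/TLS").replace(":5060", ":5061")


def audit_sip_message(raw):
    """Return a list of exposure findings for one SIP message carrying SDP."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    # The topmost Via header names the transport used on the observed hop.
    via = next((l for l in lines[1:] if re.match(r"(?i)(via|v)\s*:", l)), "")
    m = re.search(r"SIP/2\.0/(\w+)", via)
    tls = bool(m) and m.group(1).upper() == "TLS"
    findings = []
    if not tls:
        findings.append("signalling is not carried over TLS")
    # SDP media lines: m=<kind> <port> <proto> <formats>; SAVP/SAVPF means SRTP.
    for kind, proto in re.findall(r"(?m)^m=(\w+) \d+(?:/\d+)? (\S+)", body):
        if "SAVP" not in proto.upper():
            findings.append(f"{kind} stream uses {proto} (plain RTP, no SRTP)")
    # An SDES key in the SDP is only as private as the signalling that carries it.
    if re.search(r"(?m)^a=crypto:", body) and not tls:
        findings.append("SRTP key (a=crypto) is visible in cleartext signalling")
    return findings


if __name__ == "__main__":
    for name, msg in [("plain", PLAIN_INVITE), ("sdes/udp", SDES_OVER_UDP),
                      ("tls+srtp", SECURE_INVITE)]:
        print(name, audit_sip_message(msg) or "no findings")
```

The middle case is the one to watch for on a hotspot: SRTP is offered, but the key travels in the same cleartext SDP as the offer.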


Posted by Kyler Laird on June 15, 2006, 9:06 am



>but if you require
>PSTN termination, or simply provider-based service, you won't find any
>provider willing to secure your communications,

The only thing preventing this is processor power - at least to encrypt
across the 'net and up to the PSTN, right? I'm waiting for my PSTN
provider to clear some colo space and then I plan to offer encrypted
VoIP. It'll be on a small scale for some special customers but it seems
reasonable to expect that larger providers could do it.

I'm surprised I haven't already found someone doing this.

--kyler

Posted by Tor-Einar Jarnbjo on June 15, 2006, 8:33 am


Jimbo wrote:

> New to VOIP but can anyone tell me how secure is SIP especially if
> using it from a public hotspot or in a hotel.

Depends on your understanding of "secure". Except for the password used
when you register to the SIP server, all other traffic is usually not
encrypted and can easily be sniffed and evaluated. The password hashing
mechanisms are not too fancy either, so with a short password, a brute
force attack could be successful within reasonable time. This is of
course critical if the provider generates a fixed length password,
which cannot be modified by the customer. One German provider is e.g.
using assigned, fixed length 6 character passwords. With a simple,
non-optimized Java program, I would be able to scan the entire password
space in about 50 days with my two year old desktop computer. If you use
a couple of current high-end computers and an optimized tool, you're
down to days for finding the cleartext password for a sniffed
registration attempt.

Tor
