How Secure is SIP?


New to VOIP but can anyone tell me how secure is SIP especially if using it from a public hotspot or in a hotel.

VOIP providers claim it is more secure than an standard phone line as the packets have no meaningful identifying information in them and as they are routed through many channels it would very hard to capture information although, if you're using a SIP phone in a public area like a hotspot or hotel surly your phone call could be intercepted?

You thoughts are appreciated.

Many thanks


Reply to
Loading thread data ...

As it's used today, not at all. There are protocols for securing bot signalling (Secure SIP, i.e. SIP-over-TLS) and media flows (SRTP) but they are only rarely used.

Sounds like standard sales pitch to me :-) Have a look at these proofs of concept:

formatting link

Yes, unless you use countermeasures, which however require concerted action by both endpoints. As long as you do peer-to-peer VoIP that's quite possible (see e.g.

formatting link
for SIP-based softphones, or
formatting link
for a non-standard but easy-to-use and - unlike Skype - opensource and therefore verifiable solution); but if you require PSTN termination, or simply provider-based service, you won't find any provider willing to secure your communications, also because U.S. CALEA regulations
formatting link
) force public services to be easy to eavesdrop by three-letter agencies...


Reply to
Enzo Michelangeli

Depends on your understanding of "secure". Except for the password used when you register to the SIP server, all other traffic is usually not encrypted and can easily be sniffed and evaluated. The password hashing mechanisms are not too fancy either, so with a short password, a brute force attack could be successful within reasonable time. This is of course ciritical if the provider generates a fixed length password, which can not be modified by the customer. One German provider is e.g. using assigned, fixed length 6 character passwords. With a simple, non-optimized Java program, I would be able to scan the entire password space in about 50 days with my two year old desktop computer. If you use a couple of current high-end computers and an optimized tool and you're down to days for finding the cleartext password for a sniffed registration attempt.


Reply to
Tor-Einar Jarnbjo

The only thing preventing this is processor power - at least to encrypt across the 'net and up to the PSTN, right? I'm waiting for my PSTN provider to clear some colo space and then I plan to offer encrypted VoIP. It'll be on a small scale for some special customers but it seems reasonable to expect that larger providers could do it.

I'm surprised I haven't already found someone doing this.


Reply to
Kyler Laird Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.