How Secure is SIP?

How Secure is SIP?
NewsGroups | Search | Tools
User Password
Register Now! Lost Password?
 comp.dcom.voice-over-ip  Post an article  get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content  add this group's latest topics to your Google content  YahooMyWeb Yahoo!  Google Google  Windows Live Favorites Windows Live  del.icio.us del.icio.us  digg digg  Add to Netscape Netscape
Subject Author Date
How Secure is SIP? Jimbo 06-14-2006
---> Re: How Secure is SIP? Enzo Michelange ..06-14-2006
`--> Re: How Secure is SIP? Tor-Einar Jarnb ..06-15-2006
Posted by Jimbo on June 14, 2006, 10:54 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Hello

New to VOIP but can anyone tell me how secure is SIP especially if
using it from a public hotspot or in a hotel.

VOIP providers claim it is more secure than an standard phone line as
the packets have no meaningful identifying information in them and as
they are routed through many channels it would very hard to capture
information although, if you're using a SIP phone in a public area like
a hotspot or hotel surly your phone call could be intercepted?

You thoughts are appreciated.

Many thanks

Jim


NMFall 20%
Posted by Enzo Michelangeli on June 14, 2006, 11:18 am
If you were  Registered and logged in, you could reply and use other advanced thread options
> Hello
>
> New to VOIP but can anyone tell me how secure is SIP especially
> if using it from a public hotspot or in a hotel.

As it's used today, not at all. There are protocols for securing bot
signalling (Secure SIP, i.e. SIP-over-TLS) and media flows (SRTP) but they
are only rarely used.

> VOIP providers claim it is more secure than an standard phone line as
> the packets have no meaningful identifying information in them and as
> they are routed through many channels it would very hard to capture
> information

Sounds like standard sales pitch to me :-) Have a look at these proofs of
concept:

http://vomit.xtdnet.nl/
http://www.oxid.it/cain.html

> although, if you're using a SIP phone in a public area like
> a hotspot or hotel surly your phone call could be intercepted?

Yes, unless you use countermeasures, which however require concerted action
by both endpoints. As long as you do peer-to-peer VoIP that's quite possible
(see e.g. http://www.philzimmermann.com/EN/zfone/ for SIP-based softphones,
or http://www.amicima.com/ for a non-standard but easy-to-use and - unlike
Skype - opensource and therefore verifiable solution); but if you require
PSTN termination, or simply provider-based service, you won't find any
provider willing to secure your communications, also because U.S. CALEA
regulations (http://www.eff.org/Privacy/Surveillance/CALEA/ ) force public
services to be easy to eavesdrop by three-letter agencies...

Enzo


Posted by Kyler Laird on June 15, 2006, 9:06 am
If you were  Registered and logged in, you could reply and use other advanced thread options

>but if you require
>PSTN termination, or simply provider-based service, you won't find any
>provider willing to secure your communications,

The only thing preventing this is processor power - at least to encrypt
across the 'net and up to the PSTN, right? I'm waiting for my PSTN
provider to clear some colo space and then I plan to offer encrypted
VoIP. It'll be on a small scale for some special customers but it seems
reasonable to expect that larger providers could do it.

I'm surprised I haven't already found someone doing this.

--kyler

Posted by Tor-Einar Jarnbjo on June 15, 2006, 8:33 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Jimbo wrote:

> New to VOIP but can anyone tell me how secure is SIP especially if
> using it from a public hotspot or in a hotel.

Depends on your understanding of "secure". Except for the password used
when you register to the SIP server, all other traffic is usually not
encrypted and can easily be sniffed and evaluated. The password hashing
mechanisms are not too fancy either, so with a short password, a brute
force attack could be successful within reasonable time. This is of
course ciritical if the provider generates a fixed length password,
which can not be modified by the customer. One German provider is e.g.
using assigned, fixed length 6 character passwords. With a simple,
non-optimized Java program, I would be able to scan the entire password
space in about 50 days with my two year old desktop computer. If you use
a couple of current high-end computers and an optimized tool and you're
down to days for finding the cleartext password for a sniffed
registration attempt.

Tor

Similar ThreadsPosted
Secure network and VoIP October 24, 2008, 12:09 am
Fix Cisco Routers vulnerabilities with Secure Auditor April 22, 2008, 6:16 am
GroupWorld.net: cross-platform, secure web conferencing/meeting July 8, 2005, 2:17 pm
How to secure access to PSTN line through Linksys gateway? November 20, 2006, 6:51 pm

other useful resources:
The Federal Communications Commission (FCC)
Telecommunications Industry Association
Electronic and Software Security Products and Services
International Telecommunication Union

Custom CGI Perl and PHP programming by 1-Script.com

Contact Us | Privacy Policy
The site map in XML format XML site map