#1
How secure is sip ?
I hear people banging Skype on security... just wondered if SIP was secure ?

Doz

#2
"Doz" <> wrote in message news:10yntt60h5fx3$.8jptkbef4lkw$.
> How secure is sip ?
>
> I hear people banging Skype on security... just wondered
> if SIP was secure ?

Nothing is *totally* secure, it depends on how much time, money and expertise you have available to crack it..!

Although I'd hazard a guess that unless you're GCHQ or the CIA, it would probably be easier to bug the room in which the person is making the call..!

Ivor

#3
Doz wrote:
> How secure is sip ?

Not at all. The signalling is in plaintext and the audio streams are unencrypted RTP, by default.

> I hear people banging Skype on security... just wondered if SIP was
> secure?

SIP is as secure as the network you are using it on!

--
<http://ale.cx/> (AIM:troffasky) ()
18:23:42 up 28 days, 23:45, 3 users, load average: 0.01, 0.06, 0.15
This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK

#4
Ivor Jones wrote:
> "Doz" <> wrote in message
> news:10yntt60h5fx3$.8jptkbef4lkw$.
>> How secure is sip ?
>>
>> I hear people banging Skype on security... just wondered
>> if SIP was secure ?
>
> Nothing is *totally* secure, it depends on how much time, money and
> expertise you have available to crack it..!
>
> Although I'd hazard a guess that unless you're GCHQ or the CIA, it would
> probably be easier to bug the room in which the person is making the
> call..!

*If* (and it's a big if) you're in a position to watch the packets go past on the internet (or on your local Ethernet en route to the Internet) then you can use open-source software to record a nice .WAV file! I think Ethereal does that now. That is, standard SIP just sends all voice traffic in the clear.

If you watch the packets go past in Ethereal, you can see that there's some attempt to protect the signalling traffic to try to guard against call fraud, but it isn't immediately obvious how secure that is. That is, I'm not sure whether I should be worried about the possibility of call fraud.

In the absence of a robust security analysis, my gut feeling is that SIP is probably good enough to use on ADSL, but should be avoided on unencrypted wi-fi, cable internet (if the downlink is shared) and on any other untrusted networks where packet interception is likely to occur.

- Martin.

#5
On Wed, 23 Aug 2006 22:32:08 +0100, Martin <not-for-> wrote:

>*If* (and it's a big if) you're in a position to watch the packets go
>past on the internet (or on your local Ethernet en route to the
>Internet) then you can use open-source software to record a nice .WAV

Not _quite_ as simple as saving to a .wav file - unless you happen to be using G711.

>file! I think Ethereal does that now. That is, standard SIP just sends
>all voice traffic in the clear.

It's not really that SIP is in the clear that causes the problem, it's just initiating the session after all, it's that RTP is used to carry the voice data. I expect that SRTP, which allows for encryption of the RTP payload, will become more popular in time.
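
Added example, not part of any post in this thread: a small Python check that takes one captured SIP INVITE and reports the two things the replies above distinguish, whether the signalling transport is encrypted and whether each media stream is plain RTP or SRTP. The sample INVITE, its addresses and the `audit_invite` helper are constructed for illustration; the `a=crypto` check assumes SDES keying (RFC 4568), which the thread itself does not discuss.

```python
# Constructed sample: a SIP INVITE with the defaults described in this thread.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.org>;tag=1928301774",
    "To: <sip:bob@example.org>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:8 PCMA/8000",
])

G711 = {"0": "PCMU", "8": "PCMA"}  # static RTP payload types for G.711

def audit_invite(raw):
    """Report whether signalling and media in one SIP INVITE are protected."""
    head, _, sdp = raw.partition("\r\n\r\n")
    report = {"signalling_encrypted": False, "streams": [], "warnings": []}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):
            # Via: SIP/2.0/<transport> host:port -- topmost Via is the captured hop
            transport = value.split()[0].split("/")[-1].upper()
            report["signalling_encrypted"] = transport in ("TLS", "WSS")
            break
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, _port, profile, *fmts = line[2:].split()
            report["streams"].append({
                "media": media, "profile": profile, "sdes_key": False,
                "srtp": "SAVP" in profile.upper(),
                "g711": [G711[f] for f in fmts if f in G711]})
        elif line.startswith("a=crypto:") and report["streams"]:
            report["streams"][-1]["sdes_key"] = True
            if not report["signalling_encrypted"]:
                # SDES carries the SRTP master key inside the SDP itself
                report["warnings"].append("SRTP key sent over plaintext signalling")
    for s in report["streams"]:
        if not s["srtp"]:
            report["warnings"].append(f"{s['media']} stream is unencrypted RTP")
    return report
```

For the sample above, `audit_invite(SAMPLE_INVITE)["warnings"]` contains one entry for the unencrypted audio stream, and the `g711` field lists both G.711 codecs offered.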

#6
On Tue, 22 Aug 2006 17:24:58 GMT, alexd wrote:
> Doz wrote:
>
>> How secure is sip ?
>
> Not at all. The signalling is in plaintext and the audio streams are
> unencrypted RTP, by default.
>
>> I hear people banging Skype on security... just wondered if SIP was
>> secure?
>
> SIP is as secure as the network you are using it on!

Thanks for the sensible and straight fwd responses.. ta.