How Secure is SIP?

Discussion in 'VOIP' started by Jimbo, Jun 14, 2006.

  1. Jimbo

    Jimbo Guest

    Hello

    New to VOIP but can anyone tell me how secure is SIP especially if
    using it from a public hotspot or in a hotel.

    VOIP providers claim it is more secure than a standard phone line as
    the packets have no meaningful identifying information in them and as
    they are routed through many channels it would be very hard to capture
    information although, if you're using a SIP phone in a public area like
    a hotspot or hotel surely your phone call could be intercepted?

    Your thoughts are appreciated.

    Many thanks

    Jim
     
    Jimbo, Jun 14, 2006
    #1

  2. "Jimbo" <> wrote in message
    news:...
    > Hello
    >
    > New to VOIP but can anyone tell me how secure is SIP especially
    > if using it from a public hotspot or in a hotel.


    As it's used today, not at all. There are protocols for securing both
    signalling (Secure SIP, i.e. SIP-over-TLS) and media flows (SRTP) but they
    are only rarely used.

    > VOIP providers claim it is more secure than a standard phone line as
    > the packets have no meaningful identifying information in them and as
    > they are routed through many channels it would be very hard to capture
    > information


    Sounds like standard sales pitch to me :) Have a look at these proofs of
    concept:

    http://vomit.xtdnet.nl/
    http://www.oxid.it/cain.html

    > although, if you're using a SIP phone in a public area like
    > a hotspot or hotel surely your phone call could be intercepted?


    Yes, unless you use countermeasures, which however require concerted action
    by both endpoints. As long as you do peer-to-peer VoIP that's quite possible
    (see e.g. http://www.philzimmermann.com/EN/zfone/ for SIP-based softphones,
    or http://www.amicima.com/ for a non-standard but easy-to-use and - unlike
    Skype - opensource and therefore verifiable solution); but if you require
    PSTN termination, or simply provider-based service, you won't find any
    provider willing to secure your communications, also because U.S. CALEA
    regulations (http://www.eff.org/Privacy/Surveillance/CALEA/ ) force public
    services to be easy to eavesdrop by three-letter agencies...

    Enzo
     
    Enzo Michelangeli, Jun 14, 2006
    #2

  3. Jimbo wrote:

    > New to VOIP but can anyone tell me how secure is SIP especially if
    > using it from a public hotspot or in a hotel.


    Depends on your understanding of "secure". Except for the password used
    when you register to the SIP server, all other traffic is usually not
    encrypted and can easily be sniffed and evaluated. The password hashing
    mechanisms are not too fancy either, so with a short password, a brute
    force attack could be successful within reasonable time. This is of
    course critical if the provider generates a fixed length password,
    which cannot be modified by the customer. One German provider is e.g.
    using assigned, fixed length 6 character passwords. With a simple,
    non-optimized Java program, I would be able to scan the entire password
    space in about 50 days with my two-year-old desktop computer. If you use
    a couple of current high-end computers and an optimized tool, you're
    down to days for finding the cleartext password for a sniffed
    registration attempt.

    Tor
     
    Tor-Einar Jarnbjo, Jun 15, 2006
    #3
  4. Kyler Laird

    Kyler Laird Guest

    "Enzo Michelangeli" <-ip.com> writes:

    >but if you require
    >PSTN termination, or simply provider-based service, you won't find any
    >provider willing to secure your communications,


    The only thing preventing this is processor power - at least to encrypt
    across the 'net and up to the PSTN, right? I'm waiting for my PSTN
    provider to clear some colo space and then I plan to offer encrypted
    VoIP. It'll be on a small scale for some special customers but it seems
    reasonable to expect that larger providers could do it.

    I'm surprised I haven't already found someone doing this.

    --kyler
     
    Kyler Laird, Jun 15, 2006
    #4
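
Added example (not part of the thread and not any poster's code): a small audit of one SIP request, as logged by an endpoint or proxy, that reports whether the two protections named in reply #2 are in use, SIP-over-TLS for signalling and an SRTP profile for media. The function name, the sample INVITE and its addresses are constructed for illustration.

```python
import re

def audit_sip_message(raw: str) -> dict:
    """Audit one SIP request (with optional SDP body) for TLS signalling and SRTP media."""
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    start_line, *headers = head.split("\n")
    parts = start_line.split(" ")
    request_uri = parts[1] if len(parts) == 3 and parts[2].startswith("SIP/") else ""
    # Via may use its compact form "v"; one value per header line is assumed here.
    transports = [m.group(1).upper() for h in headers
                  if (m := re.match(r"(?i)(?:via|v)\s*:\s*SIP/2\.0/(\w+)", h))]
    # SDP media lines: m=<media> <port> <proto> <fmt...>; SRTP profiles contain "SAVP".
    media = re.findall(r"^m=(\w+) \d+(?:/\d+)? (\S+)", sdp, re.M)
    findings = []
    if not transports or any(t != "TLS" for t in transports):
        findings.append("signalling: a Via hop is not TLS (%s)" % ",".join(transports))
    if not request_uri.lower().startswith("sips:"):
        findings.append("signalling: Request-URI is not a sips: URI")
    for kind, proto in media:
        if "SAVP" not in proto.upper():
            findings.append("media: %s stream offered as %s, not SRTP" % (kind, proto))
    return {"transports": transports, "request_uri": request_uri,
            "media": media, "findings": findings}

# Constructed sample INVITE (not from the thread); addresses use documentation ranges.
PLAIN_INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK74bf9",
    "From: <sip:alice@example.org>;tag=9fxced76sl",
    "To: <sip:bob@example.net>",
    "Call-ID: 3848276298220188511@192.0.2.10",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    ""])
# The same call offered over TLS with the SRTP profile (key attribute omitted).
SECURE_INVITE = (PLAIN_INVITE.replace("INVITE sip:", "INVITE sips:")
                 .replace("SIP/2.0/UDP", "SIP/2.0/TLS")
                 .replace("RTP/AVP", "RTP/SAVP"))

if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_INVITE), ("secure", SECURE_INVITE)):
        print(name, audit_sip_message(msg)["findings"])
```

ZRTP, as used by Zfone, negotiates its keys in the media path under a plain RTP/AVP profile, so this SDP-only check reports such calls as unencrypted media.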