Session Initiation Protocol (SIP) is a must for voice over IP (VoIP) communication. But by itself, SIP is insecure and easily hacked. Here’s what you need to know to protect your calls and your network.
Even many IT professionals haven’t heard of the Session Initiation Protocol (SIP), so it’s almost certain your users haven’t. However, unless you’re using an entirely proprietary Voice-over-IP (VoIP) system, then SIP is part of your life. That’s because SIP is the protocol that makes and completes telephone calls in most versions of VoIP, whether those calls are being placed on your office phone system, your smartphone, or on app like Apple Facetime or Facebook Messenger.
When you make a call, it’s SIP that contacts the receiving device, agrees on the nature of the call, and makes the connection. After that, another protocol (there are several) carries the content of the call. When the call is over and the parties disconnect, SIP is again the protocol that terminates the call. This may not sound like much of a security issue, but in fact, it is.
That’s because SIP wasn’t originally designed to be secure, which means it’s easily hacked. What even most IT professionals don’t know is that SIP is a text-based protocol that closely resembles HyperText Markup Language (HTML), with addressing that resembles what you’ll encounter in a typical email’s Simple Mail Transfer Protocol (SMTP). The header includes information about the caller’s device, the nature of the call that the caller is requesting, and other details necessary to make the call work. The receiving device (which can be a cell phone or a VoIP phone, or perhaps a Private Branch Exchange or PBX), examines the request, and decides whether it can accommodate it or whether it can only work with a subset.
The receiving device then sends a code to the sender to indicate that the call is either accepted or that it’s not. Some codes may indicate that the call can’t be completed, much like the annoying 404 error you see when a webpage is not at the address you requested. Unless an encrypted connection is requested, all of this takes place as plain text that may travel across the open internet or your office network. There are even tools readily available that will let you listen in on unencrypted phone calls that use Wi-Fi.
Statista chart depicting US business and residential VoIP phone lines
Protecting a SIP Call
Using such an address will let a SIP connection set up a phone call but it won’t be encrypted. To create an encrypted call, your device needs to add SIPS instead of SIP at the start of the address. The “SIPS” indicates an encrypted connection to the next device using Transport Layer Security (TLS).
The problem with even the secure version of SIP is that the encrypted tunnel exists between devices as they route the call from the beginning to the end of the call but not necessarily while the call is passing through the device. This has proven to be a boon to law enforcement agencies and intelligence services everywhere because it makes it possible to tap VoIP phone calls that might otherwise be encrypted.
It’s worth noting that it’s possible to separately encrypt the contents of a SIP call so that, even if the call is intercepted, the contents can’t be easily understood. An easy way to do this is to simply run a secure SIP call through a virtual private network (VPN). However, you’ll need to test this for business purposes to ensure your VPN provider is giving you enough bandwidth in the tunnel to avoid call degradation. Unfortunately, the SIP information itself can’t be encrypted, which means that the SIP information can be used to gain access to the VoIP server or the phone system by hijacking or spoofing a SIP call, but this would require a rather sophisticated and targeted attack.
Business desk telephone picture
Setting Up A Virtual LAN
Of course, if the VoIP call in question is something involving your company, then you can set up a virtual LAN (VLAN) just for VoIP and, if you’re using a VPN to a remote office, then the VLAN can travel over that connection as well. The VLAN, as is decribed in our story on VoIP security, has the advantage of effectively providing a separate network for voice traffic, which is important for a number of reasons, including security, since you can control access to the VLAN in a variety of ways.
Problem is, you can’t plan on a VoIP call coming from within your company, and you can’t plan on a call that originated as VoIP coming in through your phone company’s central office switch, if you’re even connected to one of those. If you have a telephony gateway that accepts SIP calls from outside your premises, then you’ll need to have a SIP-capable firewall that can examine the message contents for malware and various types of spoofing. Such a firewall should block non-SIP traffic and should also be configured as a session border controller.
Finger using a desk telephone image
Preventing Malware Intrusion
Like HTML, a SIP message can also direct malware into your phone system; this can take more than one form. For example, a bad guy can send you an Internot of Things (IoT)-like attack that plants malware on phones, which can then be used to send information to a command-and-control server or to pass on other network information. Or such malware can spread itself to other phones and then be used to shut down your phone system.