781.897.1727
NFI Logo - blog featured image

SIP Security: How Much is Enough?

Everybody wants to think that their telephone service is secure. While the security of phone communications has always been a concern for users and service providers alike, it has become an even bigger one in the Internet and VoIP era, and the recent events involving the NSA are more proof of the complexity and sensitivity of this issue.

SIP is the most widely used signalling communications protocol for controlling voice calls over Internet Protocol networks. But what do we mean by “secure”, and what is a reasonable benchmark of adequate security?

A good starting point for thinking about SIP security might be that we want to:

  • maintain confidentiality
  • assure integrity
  • guarantee service availability (including Quality of Service)

Confidentiality obviously includes the idea that only the intended participants, the calling and the called parties, should be able to listen in to the call. You probably don’t want third parties listening to your calls, or having your calls recorded without your consent. But confidentiality may also go beyond this to include maintaining some privacy about who you are calling, how much personal information you expose, what your calling patterns are, and so on.

Integrity has to do with being certain that the call participants are who you think they are. You want to be confident that, for instance, when calling your IT support line or telephone banking line, you are not being connected with someone masquerading as those roles (“At the tone, please enter your account number followed by your password”).

Service availability includes the prevention of denial of service attacks, but it would also encompass the prevention of unauthorized access, where, for instance, system resources are being used by third parties for unauthorized purposes, including toll fraud. It could also reasonably include the preservation of expected levels of service and quality.

A further question that is worth thinking about is “Secure as compared with what?”. A reasonable benchmark for comparing the security of SIP-based VoIP telephony might be that of Plain Old Telephony Service (“POTS”). POTS set the bar very high for service availability, although a determined attacker could create a short-term denial-of-service attack by call “flooding” (having many callers target one particular endpoint). Similarly, POTS delivered a high level of call integrity – endpoints were known, as billing tended to validate them and systems usually required physical access for changes to their configuration settings. Confidentiality was reasonably-well assured, although operators, receptionists, and others might still have access to calls involving others.

How Does SIP Telephony Compare?

In the absence of security measures, a SIP system may be vulnerable to many threats:

Registration Hijacking: An attacker can appear to be someone they aren’t; your calls may be transparently re-directed to the wrong place
Snooping: Your calls may go to the right place, but unauthorized third parties can listen in on your conversations (or Fax transmissions…)
Message Tampering: What you say to your correspondent may not be what they hear; it is possible to modify the audio stream that is being transmitted
Session Control: An intruder may be able to forward, put on hold, record, or terminate your call, contrary to your intentions
Denial of Service: A traditional Internet Protocol hazard, SIP is vulnerable to this. Endpoints can be rendered unusable; as can lines, or other telephony resources
and more!

What Can We Do to Mitigate These Risks?

In order to reduce the chances of someone eavesdropping on your conversations, ensuring that your audio stream is encrypted by using Secure RTP (SRTP) instead of just RTP, and that the flow is endpoint-to-endpoint, will help a lot. If your audio is not encrypted, any node along the data path can intercept, listen in, or possibly even modify, your audio. “Any node along the data path” can include routers on your LAN, your ISP, internet backbone providers, indeed even the coffee shop whose WiFi hotspot you may be using. SRTP puts this kind of attack out of the reach of most, if not all, attackers.

Similarly, encryption of the signalling path, using SIPS, instead of vanilla SIP, will reduce the chances of an attacker manipulating the call control, or learning too much peripheral information about your calls.

When connecting across untrusted networks, such as public WiFi access, using a VPN is wise; that way untrusted local nodes would have less chance of even being aware of what you are doing – none of your plaintext signalling or unencrypted media would be visible.

Last Thoughts About Security

It’s important to remember that there is no such thing as absolute security. It is almost certainly impossible to be completely protected from all possible threats, and still have a usable system. In part this is because, as security demands increase, the costs to implement security responses increases as well – in computing overhead, bandwidth usage, protocol complexity. Security always involves a cost-benefit calculation; we need to be aware of what can go wrong, what kinds of damage can result (financial, reputational, or others), and how much time, effort or capital we’re willing to dedicate to preventing these things from happening. Security threats are always evolving, new threats are discovered and new vulnerabilities in protocols or networks are uncovered, so doing these cost-benefit calculations is an ongoing activity. Security is a game of cat-and-mouse.

Finally, there is such a thing as too much security: sometimes the only response we can devise to some threat is to eliminate the feature that exposes that threat. This probably results in an overall less useful system. We need to keep in mind what sorts of hazards we are concerned about, what are the chances of those things actually happening, and what costs we are willing to incur to protect ourselves or our organizations against those threats.

For More Information

What Does Security Mean?
Basic Vulnerability Issues for SIP Security
Session Initiation Protocol
Liars & Outliers: Bruce Schneier

Northforge

Northforge provides development expertise in IP Communications, VoIP, SIP/SDP/RTP/RTCP, H.323, and more. Please contact us for information on how we can make your next VoIP project a success!