Chances are, your users haven't heard of Session Initiation Protocol (SIP) outside of any meetings you may have had with them concerning your company's telecommunications. But, in fact, SIP is probably involved in nearly every phone call they make. SIP is the protocol that makes and completes telephone calls in most versions of Voice-over-IP (VoIP), whether those calls are being placed on your office phone system, your smartphone, or on applications such as Apple Facetime, Facebook Messenger, or Microsoft Skype.
When you make a call, it's SIP that contacts the receiving device, agrees on the nature of the call, and makes the connection. After that, another protocol (there are several) carries the content of the call. When the call is over and the parties disconnect, SIP is again the protocol that terminates the call. This may not sound like much of a security issue, but in fact, it is.
That's because SIP wasn't originally designed to be secure, which means it's easily hacked. What even most IT professionals don't know is that SIP is a text-based protocol that closely resembles HyperText Markup Language (HTML), with addressing that resembles what you'll encounter in a typical email's Simple Mail Transfer Protocol (SMTP). The header includes information about the caller's device, the nature of the call that the caller is requesting, and other details necessary to make the call work. The receiving device (which can be a cell phone or a VoIP phone, or perhaps a Private Branch Exchange or PBX), examines the request, and decides whether it can accommodate it or whether it can only work with a subset.
The receiving device then sends a code to the sender to indicate that the call is either accepted or that it's not. Some codes may indicate that the call can't be completed, much like the annoying 404 error you see when a webpage is not at the address you requested. Unless an encrypted connection is requested, all of this takes place as plain text that may travel across the open internet or your office network. There are even tools readily available that will let you listen in on unencrypted phone calls that use Wi-Fi.
Protecting a SIP Call
When folks hear that an underlying protocol isn't secure, they often give up on it. But you don't have to do that here, because protecting a SIP call is possible. When a device wants to make a connection to another SIP device, it uses an address such as this: SIP:user@domain. You'll notice this looks a lot like an email address except for the "SIP" at the beginning. Using such an address will let a SIP connection set up a phone call but it won't be encrypted. To create an encrypted call, your device needs to use an address that's slightly different: SIPS:user@comain. The "SIPS" indicates an encrypted connection to the next device using Transport Layer Security (TLS).
The problem with even the secure version of SIP is that the encrypted tunnel exists between devices as they route the call from the beginning to the end of the call but not necessarily while the call is passing through the device. This has proven to be a boon to law enforcement agencies and intelligence services everywhere because it makes it possible to tap VoIP phone calls that might otherwise be encrypted.
It's worth noting that it's possible to separately encrypt the contents of a SIP call so that, even if the call is intercepted, the contents can't be easily understood. An easy way to do this is to simply run a secure SIP call through a virtual private network (VPN). However, you'll need to test this for business purposes to ensure your VPN provider is giving you enough bandwidth in the tunnel to avoid call degradation. Unfortunately, the SIP information itself can't be encrypted, which means that the SIP information can be used to gain access to the VoIP server or the phone system by hijacking or spoofing a SIP call, but this would require a rather sophisticated and targeted attack.
Setting Up a Virtual LAN
Of course, if the VoIP call in question is something involving your company, then you can set up a virtual LAN (VLAN) just for VoIP and, if you're using a VPN to a remote office, then the VLAN can travel over that connection as well. The VLAN, as is decribed in our story on VoIP security, has the advantage of effectively providing a separate network for voice traffic, which is important for a number of reasons, including security, since you can control access to the VLAN in a variety of ways.
Problem is, you can't plan on a VoIP call coming from within your company, and you can't plan on a call that originated as VoIP coming in through your phone company's central office switch, if you're even connected to one of those. If you have a telephony gateway that accepts SIP calls from outside your premises, then you'll need to have a SIP-capable firewall that can examine the message contents for malware and various types of spoofing. Such a firewall should block non-SIP traffic and should also be configured as a session border controller.
Preventing Malware Intrusion
Like HTML, a SIP message can also direct malware into your phone system; this can take more than one form. For example, a bad guy can send you an Internot of Things (IoT)-like attack that plants malware on phones, which can then be used to send information to a command-and-control server or to pass on other network information. Or such malware can spread itself to other phones and then be used to shut down your phone system.
Alternatively, an infected SIP message can be used to attack a softphone on a computer and then infect the computer. This has happened to the Skype client for the Apple Macintosh and it likely could happen to any other softphone client, too. This is an eventuality that's becoming more and more likely as we see a burgeoning number of softphones emerging from multiple VoIP and collaboration vendors, including the likes of Dialpad, RingCentral Office , and Vonage Business Cloud, among several others.
The only way to prevent such attacks is to treat your organization's VoIP system with just as much security concern as you do your data networks. This is somewhat more of a challenge, if only because not all security products are SIP-aware, and because SIP is used in more than just voice apps—text and video conferencing being just two alternative examples. Likewise, not all VoIP network providers can detect bogus SIP calls. These are all questions you'll need to address with each vendor prior to engaging.
However, you can take steps to configure your endpoint devices so that they require SIP authentication. This includes demanding a valid Uniform Resource Identifier (URI) (which is like the URL that you're used to), a username that can be authenticated, and a secure password. Because SIP depends on passwords, this means you'll have to enforce a strong password policy for SIP devices, not just for computers. Finally, of course, you'll need to make sure that your intrusion detection and prevention systems, whatever they happen to be on your network, understand your VoIP network as well.
All of this sounds complex, and to some extent it is, but it's really just a matter of adding the VoIP conversation to any purchasing conversation with a network monitoring or IT security vendor. As SIP grows to an almost ubiquitous state in many business organizations, vendors of IT management products will put more and more emphasis on it, which means the situation should improve as long as IT buyers make it a priority.