VOIP - is it secure?

Search this thread

Last Updated:
Apr 25th, 2012 8:55 pm

Tags:

None

SCORE

Reply to ThreadReply

Search this thread

Apr 24th, 2012 10:43 am

Phoenix3434 [OP]: Deal Addict; Nov 1, 2009; 2646 posts; 79 upvotes

Apr 24th, 2012 10:43 am

VOIP - is it secure?

Hey guys. A question to the VOIP experts out there. I switched from a regular landline to Primus VOIP about a year ago. Pretty happy with the service, but am thinking about voip.ms now.

So, a general question about the "security" of the calls over these VOIP lines. Are they encrypted? Obviously the packets are going over the internet. At what points are the voice data insecure - if at all?

Thanks.

18 replies

Apr 24th, 2012 10:58 am

PianoGuy: Deal Addict; May 26, 2011; 1804 posts; 475 upvotes; Vancouver

Apr 24th, 2012 10:58 am

VoIP is typically not encrypted because the PSTN is also unencrypted. Even if a VoIP provider were to employ encryption, they would only be able to encrypt the portion of the call traveling from you to their media gateway. Then they would have to decrypt it to send the call to their carrier. The general consensus is that this would create too much overhead for little to no benefit.

If you do need encryption because your conversations are particularly sensitive or you need to be protected from liability, one common way to do it is set up a VPN between the two locations, and connect your VoIP devices together over the VPN. However, this requires setup at each end.

If you don't want to use encryption, customary network security practices still apply. For example, don't leave your router and VoIP equipment in a publicly accessible place, place your VoIP equipment behind a firewall, don't forward ports or use DMZ, use encryption if you use wi-fi, don't use an outdoor-mounted demarc, run antivirus software on your computer, etc, etc.

EDIT: A commonly overlooked security practice is to use a restricted cone NAT router. If your router is of the full cone NAT type, it's less secure, because it works as if you were using port forwarding. To test your router, use this utility: http://www.dslreports.com/forum/remark,22292023

+1

Apr 24th, 2012 11:10 am

trane0: Deal Addict; Jun 8, 2005; 3105 posts; 576 upvotes; Toronto

Apr 24th, 2012 11:10 am

Are you concerned about your conversation being listened in on, or your SIP credentials being compromised? With regards to your conversations being listened in on, I believe the media streams are unencrypted as pointed out. However, unless you believe you'll be targeted by MITM or anything else, you don't really have to worry about it. More worrysome would be having your SIP credentials compromised, as with that someone could make phone calls using your ID, potentially running up big bills in LD charges.

+1

Apr 24th, 2012 11:25 am

Phoenix3434 [OP]: Deal Addict; Nov 1, 2009; 2646 posts; 79 upvotes

Apr 24th, 2012 11:25 am

Thanks guys for the responses. That clears things up quite a bit.

And yes, I would say both are concerns: 1) someone listening in on the phone call, and 2) someone stealing the credentials and rack of LD charges

So four follow up questions related to this:
1) Are regular landlines completely secure wrt the 2 points mentioned above?
2) It looks like voip.ms is a prepay type service - so with respect to someone stealing credentials, the max liability I am presuming is whatever you have prepaid on your account
3) My folks are also interested in voip.ms - they have regular landline now. Is it "easy" for non-tech people to use/maintain a voip.ms line? As opposed to Primus or Teksavvy VOIP?
4) Does voip.ms make porting numbers in and out (if necessary at a later date) easy? There is no risk of something getting screwed up and losing the number that we have already?

Thanks.

Apr 24th, 2012 11:31 am

PianoGuy: Deal Addict; May 26, 2011; 1804 posts; 475 upvotes; Vancouver

Apr 24th, 2012 11:31 am

1) No, landlines are completely insecure, and in my opinion significantly less secure than VoIP. Attaching an FM transmitter to the phone line entering your premises would take moments, and if I wore a shirt with the phone company's logo, no one would know the difference. It would be more difficult if the lines to your house were buried and/or you lived in an apartment or townhouse, but not impossible.

2) To a certain extent, yes. However, since your account balance is only updated when the call ends, someone making a very very long call could cause your account balance to be negative. I suggest you use strong passwords like !kgB84@.vV3IG2ss9) as a password like this can't really be "brute forced". You don't have to memorize your VoIP password as you typically only need it when you are setting up your device.

3) It is certainly very possible for anyone to learn to use VoIP.ms, however it is not plug-and-play and does require prior knowledge of VoIP technology, or willingness to learn. If set up properly, it should require no maintenance other than adding funds every so often.

4) Yes, as long as you follow general porting procedures (don't cancel your service with your current provider until AFTER the new provider has ported the number) you can port numbers in and out of VoIP.ms.

+1

Apr 24th, 2012 1:19 pm

archdemon: Deal Addict; Mar 7, 2007; 1736 posts; 157 upvotes; Toronto

Apr 24th, 2012 1:19 pm

NOT secure if you are buying from a third-party.

Only way to secure something is to do it yourself.

Goodluck!

Nintendo Switch vibes

Apr 24th, 2012 1:29 pm

Phoenix3434 [OP]: Deal Addict; Nov 1, 2009; 2646 posts; 79 upvotes

Apr 24th, 2012 1:29 pm

Thanks.

PianoGuy wrote: ↑ 4) Yes, as long as you follow general porting procedures (don't cancel your service with your current provider until AFTER the new provider has ported the number) you can port numbers in and out of VoIP.ms.

So does this mean that I will have to absorb one month of charges with old provider? Since Bell for example requires 30 day notice. Also, I guess to test out the voip.ms connection, I can have a 2nd line with a different number and port only when I am satisfied about the quality.

Just went through a guide for voip.ms. A "DID number" refers to just a phone number right? So, when I get the ATA unit (Linksys), I connect to the voip.ms server and configure everything from there? If you guys know of a really good guide, instructions and background, please post away.

Thx.

Apr 24th, 2012 3:29 pm

PianoGuy: Deal Addict; May 26, 2011; 1804 posts; 475 upvotes; Vancouver

Apr 24th, 2012 3:29 pm

Yes, a DID number is a phone number, and you are welcome to order a temporary DID and cancel it later, when you have ported your primary DID. For configuration, the VoIP.ms wiki is quite helpful: http://wiki.voip.ms/article/Cisco_Linksys_PAP2T

Though the Linksys devices are very popular, the new OBi devices (which were developed by the same engineers as the Linksys/Sipura devices) are significantly better and not astronomically expensive. Search for OBi100 or OBi202 on Amazon.ca.

With regards to your question about Bell, I'll defer to someone who has ported from them recently.

Apr 24th, 2012 8:30 pm

Phoenix3434 [OP]: Deal Addict; Nov 1, 2009; 2646 posts; 79 upvotes

Apr 24th, 2012 8:30 pm

Thanks.

Wrt Linksys devices, I see two main kinds. Units with a router (e.g. SPA122 or SPA2102) and without a router (e.g. SPA112).. What's the practical difference if I am just going to put the unit behind the firewall? (and don't make use of the LAN out of the unit).

I am presuming the SPA112 is enough? It's like $55 - which is very reasonable.

Apr 24th, 2012 8:50 pm

PianoGuy: Deal Addict; May 26, 2011; 1804 posts; 475 upvotes; Vancouver

Apr 24th, 2012 8:50 pm

The advantage to a VoIP device with a router is that the router can handle Quality of Service routing, to make sure VoIP is given priority over other Internet traffic. If your router supports QoS, that's fine, or if your Internet connection is very lightly used, that would be fine too.

I wouldn't buy a SPA112 or a SPA122. Though they're sold as the successors to the PAP2T and SPA2102, the newer versions are not based on the older ones and were in fact developed by a different company. There have been negative reviews from early adopters of these devices, claiming critical issues such as Caller ID not working properly, and the QoS functions of the router not working at all. I believe one or both of these have been corrected in a firmware update, however I would still rather let these devices mature and go through a few more firmware revisions, in case there are other issues that have not yet been discovered.

The PAP2T, SPA2102, and OBi100 have a proven track record. The OBi202 was just released this month, but I expect it to be built to similarly high standards. Note that the router in the SPA2102 is limited to 7.5Mbps, which was great when it was released, but is typically not fast enough for today's Internet speeds.

Apr 24th, 2012 10:04 pm

Phoenix3434 [OP]: Deal Addict; Nov 1, 2009; 2646 posts; 79 upvotes

Apr 24th, 2012 10:04 pm

Thanks for the heads up. Will go with a PAP2T or SPA2102. I'll check out the OBi100 as well - but based on a quick search, the other two seem to be cheaper (~$50-60).

"Note that the router in the SPA2102 is limited to 7.5Mbps"

But this is not a consideration if I connect the SPA2102 behind my router (as opposed to in front) right? In the sense that the "LAN out" of the SPA is not used. I am presuming the 7.5 Mbps limitation is only useful if part of the network is connected to the "out" of the SPA?

Apr 24th, 2012 10:06 pm

PianoGuy: Deal Addict; May 26, 2011; 1804 posts; 475 upvotes; Vancouver

Apr 24th, 2012 10:06 pm

Correct

Apr 25th, 2012 1:46 pm

Phoenix3434 [OP]: Deal Addict; Nov 1, 2009; 2646 posts; 79 upvotes

Apr 25th, 2012 1:46 pm

I just signed up for a new voip.ms account. I thought incoming calls were free.. But it doesn't look like it. If you get the monthly plan, it's $4.95 / month (3500 minutes). Otherwise, it's $0.01 per minute (+ $0.99/month for DID). The outgoing is actually cheaper at $0.0052 / minutes. What gives??.. Is this right?

Apr 25th, 2012 2:07 pm

gnuman: Deal Addict; Apr 14, 2007; 2913 posts; 402 upvotes; Montreal

Apr 25th, 2012 2:07 pm

It was always like that. So you should call them back when they call you

If you don't talk much then what's the point of spending the $5/mth? $5 = 500 minutes of incoming calls.

Apr 25th, 2012 3:01 pm

Phoenix3434 [OP]: Deal Addict; Nov 1, 2009; 2646 posts; 79 upvotes

Apr 25th, 2012 3:01 pm

Thanks. Just wanted to confirm..

Here's a more tricky security related question for you guys. The tech at voip.ms told me that the password you enter is "encrypted" with a MD5 hash. Lets ignore the fact that a MD5 is not strictly an encryption primitive and also the fact that MD5 offers pretty weak protection. That said, is this hash AT LEAST protected with a random value during the hashing process? As in the MD5 hash is calculated on the Linksys (ATA box) by hashing the password and a random value generated on the voip.ms servers.

Anyone can confirm this? Otherwise, a replay attack would be trivial.

Apr 25th, 2012 7:42 pm

Gee: Deal Expert; Aug 2, 2004; 34604 posts; 8159 upvotes; East Gwillimbury

Apr 25th, 2012 7:42 pm

Phoenix3434 wrote: ↑Thanks for the heads up. Will go with a PAP2T or SPA2102. I'll check out the OBi100 as well - but based on a quick search, the other two seem to be cheaper (~$50-60).

"Note that the router in the SPA2102 is limited to 7.5Mbps"

But this is not a consideration if I connect the SPA2102 behind my router (as opposed to in front) right? In the sense that the "LAN out" of the SPA is not used. I am presuming the 7.5 Mbps limitation is only useful if part of the network is connected to the "out" of the SPA?

Both those ATAs are discontinued. The replacements are

SPA112 = PAP2T
SPA122 = SPA2102

All you need is the SPA112 / PAP2T, no point in dual NAT.

Home Automation Thread

Heatware

Apr 25th, 2012 8:05 pm

PianoGuy: Deal Addict; May 26, 2011; 1804 posts; 475 upvotes; Vancouver

Apr 25th, 2012 8:05 pm

Good question

SIP ~~protocol~~ uses HTTP digest authentication and does in fact incorporate a nonce. If you want to read the RFC for a SIP registration, here it is: http://tools.ietf.org/html/rfc3665#section-2.1

+1

Apr 25th, 2012 8:43 pm

Phoenix3434 [OP]: Deal Addict; Nov 1, 2009; 2646 posts; 79 upvotes

Apr 25th, 2012 8:43 pm

Nice. Thanks.. Good thing you know all this stuff about this topic. Related to your job or just a hobby?

Set up voip.ms with PAP2T today - works pretty well. Now just need to port my current # as well. Hopefully won't take too long.

Apr 25th, 2012 8:55 pm

PianoGuy: Deal Addict; May 26, 2011; 1804 posts; 475 upvotes; Vancouver

Apr 25th, 2012 8:55 pm

Both

I'm responsible for my employer's telecom needs. Our phone lines are VoIP, connected to an old Norstar PBX via an ATA. I'm aware this isn't the latest and greatest technology...but it does work reliably and I haven't yet wanted to spend the $x,xxx to upgrade to IP phones. We do have a "pure IP" system between the main office and remote employees though, using an IP PBX that I built myself, and our faxes are also all over IP.

I consider this as a hobby too, because I genuinely enjoy playing with the technology.

I'm glad to hear your PAP2T is working well. Let us know if you have any more questions

Reply to Thread

Top