sip trunk security

Unanswered Question
Jun 22nd, 2010

This message also posted in security/network management:

cisco router 2651XM running a sip trunk (call manager express)

IOS: c2600-adventerprisek9-mz.124-15.T9.bin

After having my sip account hacked I need to make my sip trunk secure. I'm fairly certain my sip details were hacked using packet sniffing but not 100% sure. My sip provider has changed my password but I'm reluctant to re-register with my sip provider because my new details will just get sniffed again. In the meantime I have changed all the router passwords to strong ones and set up a logging trap as well with delays to discourage brute force attacks.

How can I harden the encryption in my router or make my sip trunk resilient to packet sniffing? My sip-ua currently looks like this:

 authentication username xxxxxxxx password 7 152552393279781D06
 calling-info pstn-to-sip from number set xxxxxxxx
 retry invite 2
 registrar expires 3600

Thanks for any advice.

tonyspcrepairs Wed, 06/23/2010 - 04:18

Thanks for your feedback, but are you sure about 'impossible via packet sniffing'? The phone company claims it is possible so I'm in a quandary, don't know what to do next. I also have to consider mail interception and router hack but I'm working on that. I'd appreciate any further ideas...

Paolo Bevilacqua Wed, 06/23/2010 - 10:40

They are wrong. Point them to documentation that explains digest (one way) encryption, as I did above.

Besides, who exactly would be sniffing you, how, and where?
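The digest mechanism Paolo refers to, shown as an added example that is not part of this thread and not Cisco's or any provider's code. The router answers the registrar's 401 challenge with an MD5 response computed from username, realm, password, method, URI and a server-chosen nonce (RFC 2617 digest as SIP uses it); the header a sniffer captures contains everything except the password, and the registrar recomputes the same value from its stored copy. All credentials, the realm and the nonce below are constructed sample values. The caveat a practitioner should keep in mind: a captured challenge/response pair can be tested offline against password guesses, so credential strength still matters, and the registrar must refuse stale nonces or the captured header itself could be replayed; the rest of the signaling (numbers dialed, the username) stays readable unless the trunk runs over TLS.

```python
import hashlib
import hmac
import re

# Constructed sample values (not the poster's real trunk credentials)
USERNAME = "trunk-2651xm"
REALM = "sip.example.net"
PASSWORD = "constructed-strong-passphrase"
URI = "sip:sip.example.net"
NONCE = "5f0c3e9a2b7d"          # chosen fresh by the registrar for each challenge


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 digest as used by SIP (RFC 3261): the password only ever
    enters a one-way MD5 computation and is never placed on the wire."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce,
                        qop=None, nc=None, cnonce=None):
    """What the router (user agent client) sends in reply to a 401 challenge."""
    response = digest_response(username, realm, password, method, uri,
                               nonce, qop, nc, cnonce)
    params = [f'username="{username}"', f'realm="{realm}"',
              f'nonce="{nonce}"', f'uri="{uri}"',
              f'response="{response}"', "algorithm=MD5"]
    if qop == "auth":
        params += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Authorization: Digest " + ", ".join(params)


def parse_authorization(header):
    """Everything a packet sniffer would see: the parameters, but no password."""
    body = header.split("Digest ", 1)[1]
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def verify(header, method, stored_password, expected_nonce):
    """Registrar side: recompute from the stored password and compare.
    Rejecting a nonce it did not just issue is what stops a captured
    header from being replayed."""
    p = parse_authorization(header)
    if p.get("nonce") != expected_nonce:
        return False
    expected = digest_response(p["username"], p["realm"], stored_password,
                               method, p["uri"], p["nonce"],
                               p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p.get("response", ""))


def register_exchange():
    """One REGISTER round trip; returns the header a sniffer would capture."""
    return build_authorization(USERNAME, REALM, PASSWORD, "REGISTER", URI,
                               NONCE, "auth", "00000001", "0a1b2c3d")


if __name__ == "__main__":
    hdr = register_exchange()
    print(hdr)
    print("password visible on wire:", PASSWORD in hdr)
    print("registrar accepts:", verify(hdr, "REGISTER", PASSWORD, NONCE))
```

Running it prints the Authorization header exactly as it would cross the network; the password string does not appear in it, while the registrar still accepts the registration and rejects both a wrong password and a reused nonce.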

tonyspcrepairs Wed, 06/23/2010 - 12:22

Someone has hacked my sip credentials and used up all the credit in two different sip accounts I've had - both with different companies, so this isn't hypothetical. I'm trying to find how they did it (three times) so I have to look at all avenues, no matter how unlikely.

Aaron Harrison Wed, 06/23/2010 - 12:43


It's equally possible that the credentials were obtained another way - i.e. from your email (rare to see that encrypted in flight), maybe from your router config (that type 7 encoded password is a simple thing to decode if you have the config) - how many people have access?

No point worrying how good the locks are if the front door is open :-)

Surely the service provider should be able to limit access to your account to a particular set of IP addresses provided by yourself? One would think if they're happy to state to their customers that their credentials are unsafe and might be sniffed any time you use their service they would want to take measures to prevent it...
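Aaron's point about the config being the weak spot, turned into a small audit script. This is an added example, not part of the thread and not a Cisco tool; the two config fragments and their type 7 and secret strings are constructed placeholders modelled on the poster's sip-ua block, not real encoded credentials. The sip-ua credential is flagged only as informational: the router has to recover the plaintext to compute the digest response, so it is stored reversibly by design, and the control that matters is who can read or export the configuration. The other checks cover the settings Tony mentions elsewhere in the thread (telnet access to the router, brute-force throttling) and show the weak form beside the hardened one.

```python
import re

# Constructed sample running-config fragments (not the poster's actual config).
# Type 7 / secret strings are placeholders, not real encoded credentials.
WEAK_CONFIG = """\
version 12.4
enable password 7 0123456789ABCDEF
username admin password 7 FEDCBA9876543210
sip-ua
 authentication username trunkuser password 7 0123456789ABCDEF
 retry invite 2
 registrar expires 3600
line vty 0 4
 login local
 transport input telnet
"""

HARDENED_CONFIG = """\
version 12.4
login block-for 120 attempts 3 within 60
enable secret 5 $1$xxxx$placeholderhash
username admin secret 5 $1$yyyy$placeholderhash
sip-ua
 authentication username trunkuser password 7 0123456789ABCDEF
 retry invite 2
 registrar expires 3600
line vty 0 4
 login local
 transport input ssh
"""

# (pattern on the stripped line, severity, message)
RULES = [
    (r"^authentication username \S+ password 7 ", "info",
     "sip-ua credential is reversible type 7 by design (router needs the "
     "plaintext for digest); protect config access, backups and copies sent by mail"),
    (r"^username \S+ password 7 ", "high",
     "type 7 is reversible encoding, not a hash; use 'username <name> secret'"),
    (r"^enable password ", "high",
     "use 'enable secret' instead of 'enable password'"),
    (r"^transport input .*\b(telnet|all)\b", "high",
     "clear-text management access on vty; use 'transport input ssh'"),
]


def audit_config(config):
    """Return (line, severity, message) findings for one running-config text."""
    findings = []
    lines = config.splitlines()
    for num, raw in enumerate(lines, 1):
        line = raw.strip()
        for pattern, severity, message in RULES:
            if re.search(pattern, line):
                findings.append((num, severity, message))
    # whole-config check: vty logins should be throttled against brute force
    if not any(re.match(r"^login block-for ", l.strip()) for l in lines):
        findings.append((0, "medium",
                         "no 'login block-for': vty logins are not throttled"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return {sev: sum(1 for _, s, _ in findings if s == sev)
            for sev in ("high", "medium", "info")}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for num, sev, msg in audit_config(cfg):
            print(f"  line {num:>2} [{sev}] {msg}")
```

On the weak fragment the script reports three high findings (enable password, username password 7, telnet on the vty), one medium (no login throttling) and the informational sip-ua note; on the hardened fragment only the informational note remains, which is the residual risk Aaron describes: anyone who can read the config can use the trunk.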


tonyspcrepairs Wed, 06/23/2010 - 13:13

Yes, I know there are several ways my credentials could have been obtained and, believe me, I'm trying to address every one of them; my packet sniffing query was just one. I'm not sure what to do if emails are being read. I've changed the password on my email, but if they're sniffed in flight that's a different problem. No-one uses my computer but me, no-one has access to my router but me, no-one knows the passwords (all changed yesterday) except me. I did a HD scan and found a couple of trojans, but whether they were connected I'm still investigating. I've set up a logging trap-to-syslog to monitor router telnet attempts and it works, and I've also set up a logon delay to prevent brute force attacks.

Thanks for your advice and I've sent an email to my sip provider about restricting access but I don't hold out much hope. I don't know if you've had experience with sip providers but my experience of them is not a pleasant one, they're unhelpful and frustrating.

ADAM CRISP Wed, 07/21/2010 - 12:54

Hi Tony,

Was / is it possible that your router was an open SIP-SIP or H323-SIP gateway?
