I work for a company that sells unified comms as a service (mostly phone systems). We’ve recently been fighting repeated instances of stolen SIP credentials being used to make fraudulent calls. Fortunately our alarm systems have thus far been able to minimize the impact of the fraud. The problem is we can’t quite figure out how the credentials are getting stolen.
I suspect a MITM attack on our provisioning server communications, or SIP communications is the vector here – but I’m not sure how to confirm this. Provisioning server communications transfer config files and are only running HTTPS (no HTTP). SIP communications are encrypted with TLS and SIP auth info that’s sent across the internet is hashed and salted.
Would a MITM attack be able to steal SIP credentials if it captured the HTTPS handshake or TLS handshake?
Or, would the MITM attacker also need to somehow get their hands on the private key of the phone?
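Added example (not part of the question above): two checks a defender can run over SIP signaling records before assuming a handshake-level MITM, namely whether any digest credentials are actually leaving a phone over a non-TLS transport, and whether one credential is registering from more than one source address at once, which is the usual footprint of a stolen credential in use. The log line format and all addresses are constructed for the example and do not correspond to any real SBC or proxy.

```python
from collections import defaultdict

# Constructed sample signaling summary (hypothetical key=value format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z transport=tls src=203.0.113.5 method=REGISTER user=1001 auth=yes
2024-05-01T10:00:02Z transport=udp src=198.51.100.7 method=REGISTER user=1002 auth=yes
2024-05-01T10:00:03Z transport=tls src=203.0.113.5 method=INVITE user=1001 auth=yes
2024-05-01T10:00:04Z transport=tcp src=192.0.2.9 method=REGISTER user=1003 auth=no
2024-05-01T10:01:10Z transport=tls src=198.51.100.200 method=REGISTER user=1001 auth=yes
"""

# Transports on which SIP headers (and thus digest responses) are encrypted in transit.
ENCRYPTED_TRANSPORTS = {"tls", "wss"}


def parse_line(line):
    """Split one 'timestamp key=value key=value ...' line into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_exposed_auth(records):
    """Records that carry an Authorization/Proxy-Authorization header over a
    transport without TLS. Anyone on the network path can read those digests."""
    return [(r["user"], r["transport"], r["src"]) for r in records
            if r.get("auth") == "yes"
            and r["transport"].lower() not in ENCRYPTED_TRANSPORTS]


def users_registering_from_multiple_sources(records):
    """Users whose REGISTERs arrive from more than one source IP in the window:
    the legitimate phone and a second party both using the same credential."""
    sources = defaultdict(set)
    for r in records:
        if r["method"] == "REGISTER":
            sources[r["user"]].add(r["src"])
    return {u: sorted(s) for u, s in sources.items() if len(s) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("auth over plaintext transport:", find_exposed_auth(recs))
    print("multi-source registrations:", users_registering_from_multiple_sources(recs))
```

Run against a real export, the first list should be empty if the TLS-only policy holds end to end; a non-empty second map is what to correlate with the fraud alarms.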