April 19, 2021

SIP Credentials Getting Stolen – Thoughts on the Vector?


I work for a company that sells unified comms as a service (mostly phone systems). We’ve recently been fighting repeated instances of stolen SIP credentials being used to make fraudulent calls. Fortunately our alarm systems have thus far been able to minimize the impact of the fraud. The problem is we can’t quite figure out how the credentials are getting stolen.

I suspect a MITM attack on our provisioning server communications, or SIP communications is the vector here – but I’m not sure how to confirm this. Provisioning server communications transfer config files and are only running HTTPS (no HTTP). SIP communications are encrypted with TLS and SIP auth info that’s sent across the internet is hashed and salted.

Would a MITM attack be able to steal SIP credentials if it captured the HTTPS handshake or TLS Handshake?

Or, would the MITM attacker also need to somehow get their hands on the private key of the phone?


Thank you
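One way such an alarm could be built, as an added example that is not part of the original post: it flags a SIP account whose credentials register from more than one (source IP, user agent) pair within an hour, which is what stolen credentials in use alongside the legitimate phone look like. The log format, account numbers, addresses and user agents below are constructed for the example.

```python
# Added example: detect SIP credentials in use from two devices at once.
# Log format, accounts, IPs and user agents are constructed, not real data.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample REGISTER log lines (one successful registration per line).
SAMPLE_LOG = """\
2021-04-19T08:00:01Z REGISTER user=1001 src=203.0.113.10 ua=Yealink-SIP-T46S
2021-04-19T08:00:05Z REGISTER user=1002 src=203.0.113.10 ua=Yealink-SIP-T46S
2021-04-19T08:30:00Z REGISTER user=1001 src=203.0.113.10 ua=Yealink-SIP-T46S
2021-04-19T08:31:12Z REGISTER user=1001 src=198.51.100.77 ua=unknown-softphone
2021-04-19T09:00:02Z REGISTER user=1002 src=203.0.113.10 ua=Yealink-SIP-T46S
2021-04-19T09:02:40Z REGISTER user=1001 src=198.51.100.77 ua=unknown-softphone
"""

LINE_RE = re.compile(r"^(\S+) REGISTER user=(\S+) src=(\S+) ua=(\S+)$")


def parse(log_text):
    """Yield (timestamp, user, src_ip, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def find_shared_credentials(log_text, window=timedelta(hours=1)):
    """Return {user: sorted list of (src_ip, ua)} for every account that
    registered from more than one (source IP, user agent) pair inside
    `window`, i.e. the same credentials appear to be used by two devices."""
    events = defaultdict(list)
    for ts, user, src, ua in parse(log_text):
        events[user].append((ts, src, ua))
    flagged = {}
    for user, recs in events.items():
        recs.sort()  # chronological order
        for i, (ts, _src, _ua) in enumerate(recs):
            # Distinct devices seen within `window` of this registration.
            devices = {(s, u) for t, s, u in recs[i:] if t - ts <= window}
            if len(devices) > 1:
                flagged[user] = sorted(devices)
                break
    return flagged


if __name__ == "__main__":
    for user, devices in find_shared_credentials(SAMPLE_LOG).items():
        print(f"ALERT: account {user} registered from {devices}")
```

A real deployment would read the registrar's log or CDRs instead of the embedded sample; the shared-credential check is the same.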



1. Are your VoIP systems fully patched up?

2. Yes, you can perform a MITM attack against HTTPS communication. This would require a malicious proxy server that can decrypt the communication, investigate it, and re-encrypt it.

I would suggest ensuring ALL of your systems (server and endpoint) are fully up to date, changing your passwords, and enforcing any MFA if the platform supports it.

Also, depending on your VoIP setup, each customer should have unique SIP credentials.


Resetting the creds stops the access?
