What is SIP Trunking?
SIP (Session Initiation Protocol) Trunking is a way of making and receiving phone calls and other communications over an internet connection. The term trunking refers to consolidating multiple communication channels into a single connection. A SIP trunk provides VoIP (Voice over Internet Protocol) connectivity between an on-premises phone system and the PSTN, which allows efficient use of resources and connection to the telephone network.
Working with a trusted SIP provider like Fuse 2 ensures your VoIP infrastructure is built with security at its core, not as an afterthought.
1. Open SIP Ports (Especially 5060/5061)
SIP ports are the network ports on which devices send and receive SIP signalling messages. An open port is an entry point to the service listening behind it, and open ports attract automated port scanners, which are used by legitimate administrators and malicious actors alike. The best-known SIP ports are 5060, the default for unencrypted SIP signalling over UDP or TCP, and 5061, the default for SIP over TLS (SIPS).
Most VoIP calls are set up through one of these ports; a SIP service listening on 5060 and reachable from the whole internet is quickly found by scanners and is easy to abuse, because anyone who can reach the port can send it REGISTER and INVITE requests and read the unencrypted signalling. Such an exposed service is susceptible to SIP flooding, toll fraud, eavesdropping and impersonation.
Prevention Tips
To protect SIP signalling exposed on port 5060 (or 5061), the most crucial step is a strict firewall policy that accepts SIP only from known, trusted IP addresses, typically your provider's signalling addresses, and drops everything else. Where possible, move signalling to 5061 with TLS so that whatever remains exposed is at least encrypted. A Session Border Controller (SBC) adds intelligent traffic filtering, topology hiding and rate limiting. You should also enforce strong, unique passwords and disable unused accounts.
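As an added example (not code from the original page or from Fuse 2), the gate below shows the two checks a firewall or SBC applies to traffic arriving on 5060 before any of it reaches the PBX: a source allowlist first, then a sanity check of the parsed request. The provider ranges (RFC 5737 documentation addresses), the scanner User-Agent list and the two sample messages are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy: signalling is accepted only from the provider's addresses.
PROVIDER_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.10/32")]

# User-Agent fragments of automated SIP scanners (assumed short list;
# "friendly-scanner" is the default User-Agent of the SIPVicious toolkit).
SCANNER_UA_MARKERS = ("friendly-scanner", "sipvicious")

# Methods a trunk actually needs; anything else is refused.
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER",
                   "NOTIFY", "INFO", "UPDATE", "PRACK"}


@dataclass
class SipRequest:
    method: str
    uri: str
    headers: dict  # header name (lower case) -> value


def parse_sip_request(raw: str) -> SipRequest:
    """Parse the request line and headers of one SIP request (RFC 3261 framing).

    Header names are case-insensitive, so they are stored lower-cased; the
    message body after the blank line is not needed for these checks."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP/2.0 request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return SipRequest(method.upper(), uri, headers)


def gate(raw: str, src_ip: str, allow_unknown_sources: bool = False) -> tuple:
    """Decide what to do with a request seen on the SIP port.

    Returns (verdict, reason); 'drop' means answer nothing (scanners should
    not learn that a SIP service exists), 'reject' means a SIP error reply."""
    src = ipaddress.ip_address(src_ip)
    if not allow_unknown_sources and not any(src in net for net in PROVIDER_NETS):
        return ("drop", f"source {src_ip} not in provider allowlist")
    try:
        req = parse_sip_request(raw)
    except ValueError as exc:
        return ("drop", f"malformed request: {exc}")
    ua = req.headers.get("user-agent", "").lower()
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        return ("drop", f"known scanner User-Agent: {ua}")
    if req.method not in ALLOWED_METHODS:
        return ("reject", f"method {req.method} not permitted on this trunk")
    return ("accept", f"{req.method} from {src_ip}")


# Constructed messages: a scanner probe and a normal INVITE from the provider.
SCAN_PROBE = (
    "OPTIONS sip:100@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.77:5060;branch=z9hG4bK-1\r\n"
    "From: \"sipvicious\" <sip:100@192.0.2.77>;tag=1\r\n"
    "To: \"sipvicious\" <sip:100@pbx.example.net>\r\n"
    "Call-ID: 1\r\nCSeq: 1 OPTIONS\r\n"
    "User-Agent: friendly-scanner\r\n"
    "Content-Length: 0\r\n\r\n"
)
TRUNK_INVITE = (
    "INVITE sip:+442079460001@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.5:5060;branch=z9hG4bK-77\r\n"
    "From: <sip:+442071234567@198.51.100.5>;tag=9\r\n"
    "To: <sip:+442079460001@pbx.example.net>\r\n"
    "Call-ID: abc@198.51.100.5\r\nCSeq: 1 INVITE\r\n"
    "User-Agent: ProviderSBC/4.2\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(gate(SCAN_PROBE, "192.0.2.77"))
    print(gate(SCAN_PROBE, "192.0.2.77", allow_unknown_sources=True))
    print(gate(TRUNK_INVITE, "198.51.100.5"))
```

The allowlist does the real work: the scanner probe is dropped before it is even parsed. The User-Agent and method checks only matter when the port must stay open to unknown sources (remote softphones, for example), which is why they are kept behind the allow_unknown_sources switch, and silent drops are preferred to error replies so a scanner cannot confirm that a SIP service is listening.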
At Fuse 2 we provide specialised cybersecurity expertise, ensuring compliance with industry standards. We provide managed security services such as firewall management, Intrusion Detection Systems and SIEM for continuous monitoring and threat detection. We also implement advanced technologies like SBCs, Multi-Factor Authentication and network segmentation, backed by 24/7 monitoring and up-to-date threat intelligence to protect against evolving cyber threats.
2. Weak or Default Passwords
Brute-force attacks are attempts to log in by trying countless username/password combinations until one works; against SIP they usually target REGISTER authentication for extensions and the PBX's web administration interface. They are highly dangerous because a successful guess can lead to data theft, malware, or system disruption.
Default credentials such as admin/admin are worse still: they hand the attacker a username and password that are publicly documented, so no guessing is needed at all and the attack is virtually guaranteed to succeed, giving full administrative control over the system. From there an attacker can reconfigure the PBX, steal data and pivot into the wider network.
Prevention Tips
The key way to protect against admin/admin setups is to always change default credentials immediately after setting up a new device or software. Use strong passwords created by a password manager and enable Multi-Factor Authentication whenever possible. It’s very important to establish clear policies that enforce password changes and requirements for all new installations and devices, so that staff are well educated and responsible for their password changes.
Furthermore, using a SIP platform like Fuse 2 that supports “complex authentication” means leveraging more robust and secure methods to verify the identity of users and devices. These methods include the previously mentioned and so much more!
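As an added example (not code from the original page or from Fuse 2), here is the detection logic that turns failed-registration log lines into a ban decision: a per-source sliding window over authentication failures, with the number of distinct usernames tried as a second signal for extension enumeration. The log lines are constructed in the style of Asterisk's registration-failure notices, the regex is written for those samples, and the thresholds are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, in the style of Asterisk's registration-failure notices.
# One source hammers five different usernames in two seconds; another is a
# genuine user mistyping a password twice, fifteen minutes apart.
SAMPLE_LOG = """\
[2024-03-01 02:14:01] NOTICE[1201] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.net>' failed for '192.0.2.77:5062' - Wrong password
[2024-03-01 02:14:02] NOTICE[1201] chan_sip.c: Registration from '"1002" <sip:1002@pbx.example.net>' failed for '192.0.2.77:5062' - Wrong password
[2024-03-01 02:14:02] NOTICE[1201] chan_sip.c: Registration from '"admin" <sip:admin@pbx.example.net>' failed for '192.0.2.77:5062' - No matching peer found
[2024-03-01 02:14:03] NOTICE[1201] chan_sip.c: Registration from '"1003" <sip:1003@pbx.example.net>' failed for '192.0.2.77:5062' - Wrong password
[2024-03-01 02:14:03] NOTICE[1201] chan_sip.c: Registration from '"1004" <sip:1004@pbx.example.net>' failed for '192.0.2.77:5062' - Wrong password
[2024-03-01 09:30:10] NOTICE[1201] chan_sip.c: Registration from '"2001" <sip:2001@pbx.example.net>' failed for '203.0.113.10:5060' - Wrong password
[2024-03-01 09:45:10] NOTICE[1201] chan_sip.c: Registration from '"2001" <sip:2001@pbx.example.net>' failed for '203.0.113.10:5060' - Wrong password
"""

FAILURE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*Registration from '\"(?P<user>[^\"]+)\"[^']*' failed for "
    r"'(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)


def parse_failures(log_text):
    """Return (timestamp, source_ip, username, reason) for each failed registration."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["reason"]))
    return events


def detect_bruteforce(events, max_failures=5, window=timedelta(seconds=60)):
    """Return {source_ip: details} for sources that cross the failure threshold
    inside the sliding window (assumed threshold: 5 failures in 60 s)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames tried (many distinct ones = enumeration)
    verdicts = {}
    for ts, ip, user, _reason in sorted(events):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and ip not in verdicts:
            verdicts[ip] = {
                "failures_in_window": len(q),
                "distinct_users": len(users[ip]),
                "ban_until": ts + timedelta(hours=1),
            }
    return verdicts


def analyse(log_text=SAMPLE_LOG):
    return detect_bruteforce(parse_failures(log_text))


if __name__ == "__main__":
    for ip, detail in analyse().items():
        print(f"ban {ip}: {detail}")
```

The genuine user at 203.0.113.10 never accumulates five failures inside a minute and is left alone, while the scanner at 192.0.2.77 is banned on its fifth attempt; the distinct_users count is what separates a guessing attack spread across many extensions from one person forgetting a password.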
3. Lack of SIP & RTP Encryption
Many Voice over IP (VoIP) calls remain unencrypted by default: both the call's setup information (SIP) and the actual conversation (RTP) are transmitted in plaintext, which leaves the calls open to the following threats.
- Unencrypted SIP: Exposes call metadata, device information and authentication exchanges. SIP digest authentication does not send the password itself, but anyone who captures the challenge and response can test candidate passwords offline until one matches. Plaintext signalling therefore leads to eavesdropping, call hijacking, toll fraud and spoofing, because anyone on the network path can read, replay or alter the call's control messages.
- Unencrypted RTP: This is where the voice and video data travel. Anyone who can capture the network traffic can reassemble the stream and directly listen to or watch the conversation, a severe privacy and confidentiality breach.
Unless your current provider has specifically enabled and configured encryption, your calls are probably vulnerable. Default settings, legacy systems, and provider-specific configurations often mean plaintext communication is still common. This means that it is essential to actively ensure encryption is enabled for robust VoIP security.
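As an added example (not code from the original page or from Fuse 2) that serves both this section and the previous one on weak passwords: SIP digest authentication carried in plaintext signalling never sends the password, yet the challenge and response alone let an observer test guesses offline. The block computes the RFC 2617 digest (without qop) exactly as a phone does, then runs a small dictionary against a constructed capture; the realm, nonce, wordlist and both passwords are constructed for the example.

```python
import hashlib


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest response without qop, which SIP phones use to answer a
    401/407 challenge: MD5(MD5(user:realm:pass) : nonce : MD5(method:uri))."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def capture_exchange(password):
    """Constructed view of what an on-path observer sees of an unencrypted
    REGISTER: the server's challenge parameters and the phone's response."""
    fields = {
        "username": "1001",
        "realm": "pbx.example.net",
        "method": "REGISTER",
        "uri": "sip:pbx.example.net",
        "nonce": "5f3a9c1e0b7d4e21",
    }
    fields["response"] = digest_response(
        fields["username"], fields["realm"], password,
        fields["method"], fields["uri"], fields["nonce"],
    )
    return fields


def crack_digest(capture, wordlist):
    """Offline dictionary attack: no further contact with the PBX is needed,
    so server-side lockouts and rate limits never trigger."""
    for candidate in wordlist:
        guess = digest_response(
            capture["username"], capture["realm"], candidate,
            capture["method"], capture["uri"], capture["nonce"],
        )
        if guess == capture["response"]:
            return candidate
    return None


# Constructed wordlist of the kind of secrets found on default installs.
WORDLIST = ["admin", "password", "1001", "1234", "123456", "pbx"]

WEAK_CAPTURE = capture_exchange("1234")                      # four-digit extension secret
STRONG_CAPTURE = capture_exchange("v7Qm2xLp9sRt4wZe8kHn")    # long random secret

if __name__ == "__main__":
    print("weak:", crack_digest(WEAK_CAPTURE, WORDLIST))      # recovers the password
    print("strong:", crack_digest(STRONG_CAPTURE, WORDLIST))  # None: not in any list
```

Two defences follow directly from the code. TLS on 5061 removes the capture altogether, so there is nothing to crack; and a long random secret defeats the dictionary even when the exchange is captured, which matters because a single MD5 per guess is cheap enough that an attacker can try billions of candidates against one captured REGISTER.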
Prevention Tips
Using Transport Layer Security (TLS) for signalling and Secure Real-time Transport Protocol (SRTP) for media creates a robust security system for VoIP. TLS protects call metadata and authenticates the server you are talking to, preventing eavesdropping on and tampering with the signalling, like a secure entry system for a house. SRTP encrypts the voice data itself, which ensures confidentiality and integrity and includes replay protection. The two belong together: with the common SDES key exchange, the SRTP keys travel inside the SDP body of the SIP messages, so SRTP without TLS leaves the media keys in plaintext for anyone who can read the signalling. Combined, they offer strong protection against the threats above.
Note that TLS and SRTP on a trunk protect the leg between you and your provider; beyond that, a call is usually decrypted and re-encrypted hop by hop and may cross the PSTN in the clear. When choosing a provider, ask about default encryption, whether any end-to-end encryption is offered, and the algorithms used. You should also look for additional security measures like firewalls, SBCs, strong authentication and compliance with industry regulations.
High-quality VoIP providers (like Fuse 2) prioritise security by encrypting communications by default, using TLS for signalling and SRTP for voice. This means that all call metadata and call content are encrypted using strong algorithms like the Advanced Encryption Standard (AES).
4. Toll Fraud & International Dialling Abuse
Toll fraud or International Revenue Sharing Fraud (IRSF) is a serious crime in telecoms where fraudsters gain unauthorised access to a phone system (PBX or VoIP). They can use this compromised system to make a huge volume of calls to premium-rate international numbers that they control or profit from. This can result in phone bills as high as £5000 in less than a day.
International dialling abuse is a broader term for any unauthorised international calling. The main example is toll fraud driven by the fraudster's direct financial gain, but it also covers systems being used for illicit international calls, call pumping (generating large volumes of calls or SMS to inflate traffic), or bypassing legitimate international call charges.
Prevention Tips
Setting strict call limits – Implement financial caps, limit call duration, restrict concurrent calls, and cap calls per period (e.g. per minute/hour) so that a fraudster cannot rack up massive charges quickly.
Disabling Unneeded International Dialling – The most effective way to prevent unauthorised international calling is to block all outbound international calls at the carrier level if not required.
Utilising Real-Time Alerts and Monitoring – Set up your system to instantly notify you of any suspicious behaviour, such as unexpected increases in the amount of foreign calls, calls to odd locations, or a high number of unsuccessful login attempts. When feasible, incorporate automated blocking features, and periodically examine Call Detail Records (CDRs) for any hidden trends.
Strengthening System Security – Use robust, unique passwords for all telecom systems, disable unused features, secure remote access with VPNs and MFA, use firewalls and make sure that all telecom hardware is regularly updated with the latest security patches.
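As an added example (not code from the original page or from Fuse 2), the limits and alerts above applied to call detail records: a destination allowlist, an out-of-hours rule for international calls, a per-hour call cap and a daily cost cap per extension. The CDRs, the policy values and the allowed prefixes are constructed; +882 is used simply as a prefix outside the allowlist, not as a claim about any destination.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy for a UK business that only ever calls the UK, North America and France.
POLICY = {
    "allowed_prefixes": ("+44", "+1", "+33"),
    "domestic_prefix": "+44",
    "business_hours": (8, 18),     # international calls outside 08:00-18:00 are suspicious
    "max_calls_per_hour": 10,      # per extension
    "max_daily_cost": 50.0,        # per extension, GBP
}

# Constructed CDRs: two normal calls, then a compromised extension making
# twelve calls in 24 minutes at 02:00 to a prefix the business never dials.
CDRS = [
    {"ext": "1001", "dst": "+442071234567", "start": "2024-03-01 10:05:00", "cost": 0.30},
    {"ext": "1001", "dst": "+14155550123", "start": "2024-03-01 11:15:00", "cost": 0.90},
] + [
    {"ext": "1050", "dst": "+88212345678", "start": f"2024-03-01 02:{2 * i:02d}:00", "cost": 6.00}
    for i in range(12)
]


def evaluate_cdrs(cdrs, policy=POLICY):
    """Return a list of (rule, extension, detail) alerts for the given CDRs."""
    alerts = []
    per_ext = defaultdict(list)
    for cdr in sorted(cdrs, key=lambda c: c["start"]):
        start = datetime.strptime(cdr["start"], "%Y-%m-%d %H:%M:%S")
        dst = cdr["dst"]
        if not dst.startswith(policy["allowed_prefixes"]):
            alerts.append(("blocked_destination", cdr["ext"], dst))
        international = not dst.startswith(policy["domestic_prefix"])
        lo, hi = policy["business_hours"]
        if international and not lo <= start.hour < hi:
            alerts.append(("out_of_hours_international", cdr["ext"], cdr["start"]))
        per_ext[cdr["ext"]].append((start, cdr["cost"]))

    for ext, calls in per_ext.items():
        # Sliding one-hour window over this extension's call start times.
        window = []
        for start, _cost in calls:
            window = [t for t in window if start - t < timedelta(hours=1)] + [start]
            if len(window) > policy["max_calls_per_hour"]:
                alerts.append(("call_rate", ext, f"{len(window)} calls in the hour ending {start}"))
                break
        daily = defaultdict(float)
        for start, cost in calls:
            daily[start.date()] += cost
        for day, total in daily.items():
            if total > policy["max_daily_cost"]:
                alerts.append(("daily_cost_cap", ext, f"£{total:.2f} on {day}"))
    return alerts


def rules_fired(alerts, ext):
    """The set of rule names that fired for one extension."""
    return {rule for rule, e, _detail in alerts if e == ext}


if __name__ == "__main__":
    for alert in evaluate_cdrs(CDRS):
        print(alert)
```

Run against live CDRs, the blocked_destination rule is the one to wire to automatic blocking at the carrier, since it fires on the very first call; the rate and cost caps catch abuse of destinations you do allow, and the out-of-hours rule is the cheap early signal that a batch of CDRs at 02:00 is not normal business traffic.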
5. SIP Spoofing & Caller ID Manipulation
These are telecom threats where attackers forge SIP message headers (typically From, and on trunks P-Asserted-Identity) to display false caller information. Attackers can then impersonate legitimate users or internal extensions to deceive recipients. They do not need access to your network to do this: any route that can deliver a call to you, such as another trunk or a compromised PBX elsewhere, is enough to present a fake name and number that persuades the victim to trust the call and divulge information.
The main risks are:
- Phishing: When a criminal deceives an individual by impersonating a trustworthy entity to trick victims. This may result in the exposure of private information, fraudulent payments or downloading malware.
- Internal access risks: These include data theft through accidental disclosure to a caller who appears to be internal, privilege abuse and insider espionage, where spoofed internal calls help an attacker bypass external defences.
- Reputational damage: This is the damage made to the organisation’s image, credibility and trust, which can be consequences of the issues described above. These issues can affect customer churn, revenue and investor trust.
Prevention Tips
Session Border Controllers (SBCs) are key tools here, as they act as gateways that inspect SIP messages and apply rules to them. SBCs use Header Manipulation Rules (HMR), usually based on regular expressions, to add, delete, modify or validate header values. These rules strip or normalise untrusted caller information before it reaches users and ensure that the headers you send out are ones you are entitled to send.
SIP providers also play an important role. For your outgoing calls they compare the presented Caller ID with the numbers assigned to you, and frequently reject or rewrite unauthorised ones. For incoming calls they evaluate the headers received from upstream carriers, using techniques such as STIR/SHAKEN attestation, to assess whether the caller is entitled to the number and to identify fraud or spam before the calls ever reach you.
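As an added example (not code from the original page or from Fuse 2) of the outbound check described above: extract the number from a From or P-Asserted-Identity header, normalise it to E.164 and pass, rewrite or reject it against the numbers the customer owns. The regex plays the role of an SBC header-manipulation rule. The owned numbers, the UK normalisation rules and the sample headers are constructed.

```python
import re
from typing import Optional

# Constructed allowlist: the numbers this customer is entitled to present, in E.164.
OWNED_NUMBERS = {"+442079460001", "+442079460002", "+442079460003"}
MAIN_NUMBER = "+442079460001"   # presented instead when a non-owned number is attempted

# Pulls the user part out of a SIP/SIPS URI, e.g. "Alice" <sip:02079460002@pbx>;tag=1
URI_USER_RE = re.compile(r"<?sips?:(?P<user>[^@;>]+)@")


def normalise_uk(user: str) -> Optional[str]:
    """Map the user part to E.164 under assumed UK dialling rules
    (+... already E.164, 00... international, 0... national); anything else
    is not guessed and is returned as None."""
    digits = re.sub(r"[^\d+]", "", user)
    if digits.startswith("+"):
        return digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    if digits.startswith("0"):
        return "+44" + digits[1:]
    return None


def caller_id_policy(identity_header: str):
    """Apply to From (or P-Asserted-Identity) on an outbound INVITE.
    Returns (action, header) with action 'pass', 'rewrite' or 'reject'."""
    match = URI_USER_RE.search(identity_header)
    if not match:
        return ("reject", identity_header)  # unparsable identity: refuse the call
    number = normalise_uk(match["user"])
    if number in OWNED_NUMBERS:
        return ("pass", identity_header)
    # Not entitled to this number: rewrite display name and user part to the main DID.
    return ("rewrite", f'"Example Ltd" <sip:{MAIN_NUMBER}@trunk.example.net>')


# Constructed headers: a legitimate extension, a spoof attempt, a bare URI, junk.
SAMPLES = [
    '"Alice" <sip:02079460002@pbx.example.net>;tag=1a2b',
    '"Card Services" <sip:+442071234567@pbx.example.net>;tag=9f8e',
    '<sip:+442079460003@pbx.example.net>',
    'not a sip identity',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(caller_id_policy(header))
```

Rewriting rather than rejecting keeps legitimate calls flowing when a phone is simply misconfigured, while guaranteeing that nothing leaves the trunk presenting a number you do not own; the same function applies unchanged to P-Asserted-Identity, which is the header most carriers actually trust for billing and STIR/SHAKEN attestation.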
6. SIP Registration Hijacking
Registration hijacking lets an attacker take control of a VoIP extension. First, they observe the network to find active SIP servers and valid extensions. They then obtain the extension's credentials, usually via social engineering, sniffing unencrypted communications, or brute-forcing weak passwords. To ensure success, they may send a de-registration request (a REGISTER with Expires: 0) or launch a DoS attack to knock the genuine phone's registration out. If they succeed, all calls for that extension are routed to the attacker, enabling interception, unauthorised outbound calls and impersonation.
Prevention Tips
Setting Short Registration Expiry: This limits the window an attacker has with a hijacked registration, forces more frequent re-authentication and speeds recovery. Monitoring registrations is the complement: alert when an extension's contact address changes unexpectedly, or when a de-registration arrives from an address other than the one registered.
Restricting IP Ranges: Allow only trusted IP addresses for SIP/RTP traffic at the firewall or SBC, significantly reducing the attack surface; remote softphones that cannot be pinned to an address should come in over a VPN or through an SBC with TLS and rate limiting.
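As an added example (not code from the original page or from Fuse 2), the monitoring side of these tips: a tracker that watches authenticated REGISTER events per extension and raises alerts for a de-registration from an address other than the registered one, a contact address never seen before, a binding replaced while still valid, and an Expires value above the short limit you configured. The event sequence reproduces the hijack described above and is constructed; the 300-second limit is an assumed value.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_EXPIRES = 300  # assumed registration lifetime the PBX should enforce


@dataclass
class Binding:
    contact_ip: str
    user_agent: str
    expiry: datetime


class RegistrationMonitor:
    def __init__(self, max_expires=MAX_EXPIRES):
        self.max_expires = max_expires
        self.bindings = {}                 # address-of-record -> current Binding
        self.known_ips = defaultdict(set)  # address-of-record -> contact IPs seen before
        self.alerts = []

    def observe(self, ts, aor, contact_ip, expires, user_agent):
        """Feed one authenticated REGISTER; returns the alerts it raised."""
        raised = []
        current = self.bindings.get(aor)
        if expires == 0:
            # De-registration: normal from the registered phone, suspicious from elsewhere.
            if current and current.contact_ip != contact_ip:
                raised.append(("unregister_from_foreign_ip", aor, contact_ip))
            self.bindings.pop(aor, None)
        else:
            if expires > self.max_expires:
                raised.append(("expires_too_long", aor, expires))
            if self.known_ips[aor] and contact_ip not in self.known_ips[aor]:
                raised.append(("new_contact_ip", aor, contact_ip))
            if current and current.contact_ip != contact_ip and current.expiry > ts:
                raised.append(("contact_changed_while_active", aor,
                               f"{current.contact_ip} -> {contact_ip}"))
            self.known_ips[aor].add(contact_ip)
            self.bindings[aor] = Binding(contact_ip, user_agent,
                                         ts + timedelta(seconds=expires))
        self.alerts.extend(raised)
        return raised


def at(hhmmss):
    return datetime.strptime(f"2024-03-01 {hhmmss}", "%Y-%m-%d %H:%M:%S")


# Constructed sequence: the desk phone registers and refreshes, an attacker
# de-registers it from outside, registers with a long lifetime, then the real
# phone comes back and the binding flips again.
SAMPLE_EVENTS = [
    (at("10:00:00"), "1001", "10.0.5.21", 300, "DeskPhone/1.0"),
    (at("10:04:50"), "1001", "10.0.5.21", 300, "DeskPhone/1.0"),
    (at("10:05:10"), "1001", "192.0.2.77", 0, "Softphone/2.0"),
    (at("10:05:11"), "1001", "192.0.2.77", 3600, "Softphone/2.0"),
    (at("10:06:00"), "1001", "10.0.5.21", 300, "DeskPhone/1.0"),
]


def run_sample(events=SAMPLE_EVENTS):
    monitor = RegistrationMonitor()
    for event in events:
        monitor.observe(*event)
    return [rule for rule, _aor, _detail in monitor.alerts]


if __name__ == "__main__":
    print(run_sample())
```

The first alert fires the moment the attacker sends the de-registration, before they have taken any call, which is the point of watching registrations rather than only call records; the later alerts show the same hijack from the other angles (an unknown address, a lifetime longer than policy, and the legitimate phone fighting to re-register).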
7. Denial of Service (DoS) & SIP Flooding
Attacks known as denial-of-service (DoS) intentionally deplete a system’s availability, service, or network resources by exploiting operational bottlenecks or overloading it with queries (SIP flooding). The attack aims to overwhelm the SIP servers with voluminous illegitimate traffic, which exhausts resources and prevents authentic calls.
The core dangers include:
- Complete communication blackout: rendering phone systems unusable, halting all incoming and outgoing calls.
- Significant financial losses: loss of revenue due to disrupted business, remediation costs, and potential ransom demands.
- Degraded voice quality: Even if systems don’t crash, overwhelming traffic leads to poor call quality.
- Resource exhaustion: Attacks consume all available CPU, memory and bandwidth, causing system unresponsiveness.
- Distraction for Other Attacks: DoS can be a smokescreen for more insidious data breaches or malware installations.
Prevention Tips
- Deploy a strong SBC: This will rate-limit SIP messages, enforce strict protocol validation and hide your topology.
- Strengthen Internet Network Security: Harden your firewall with tight rules and segment your VoIP infrastructure onto dedicated VLANs.
- Harden SIP server (PBX): Update any VoIP firmware and software (this is essential for UK compliance), turn off any unwanted capabilities, and set capacity restrictions.
- Robust Monitoring & Alerting: Establish automated alerts, monitor resources and traffic in real time for irregularities, and routinely review logs. For threat intelligence, cooperate with UK industry associations such as TUFF.
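As an added example (not code from the original page or from Fuse 2) of the rate limiting an SBC applies against SIP flooding: a per-source token bucket in which INVITE costs more than other methods because it creates call state, with a temporary ban after repeated overruns. The rates, weights, ban duration and the simulated traffic are assumed values; real SBCs expose equivalent settings under their own names.

```python
from collections import defaultdict


class SipRateLimiter:
    """Per-source token bucket. Each source refills at `rate` tokens/s up to
    `burst`; a message is admitted only if its cost is available. Sources
    that overrun `ban_after` times are silently dropped for `ban_seconds`."""

    # Assumed message costs: INVITE creates a dialog, REGISTER hits the auth database.
    COST = {"INVITE": 5, "REGISTER": 2}

    def __init__(self, rate=5.0, burst=20.0, ban_after=3, ban_seconds=300):
        self.rate, self.burst = rate, burst
        self.ban_after, self.ban_seconds = ban_after, ban_seconds
        self.buckets = {}                  # ip -> (tokens, last_update)
        self.strikes = defaultdict(int)    # ip -> number of denied messages
        self.banned_until = {}             # ip -> time at which the ban lifts

    def allow(self, ip, method, now):
        if self.banned_until.get(ip, 0.0) > now:
            return False
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        cost = self.COST.get(method, 1)
        if tokens >= cost:
            self.buckets[ip] = (tokens - cost, now)
            return True
        self.buckets[ip] = (tokens, now)
        self.strikes[ip] += 1
        if self.strikes[ip] >= self.ban_after:
            self.banned_until[ip] = now + self.ban_seconds
        return False


def simulate_flood(limiter=None):
    """100 INVITEs in one second from one source (constructed flood).
    Returns (allowed, denied, banned)."""
    limiter = limiter or SipRateLimiter()
    allowed = sum(limiter.allow("192.0.2.77", "INVITE", i / 100) for i in range(100))
    banned = limiter.banned_until.get("192.0.2.77", 0.0) > 1.0
    return allowed, 100 - allowed, banned


def simulate_normal(limiter=None):
    """One INVITE per second for 30 s from the provider (constructed normal load)."""
    limiter = limiter or SipRateLimiter()
    return sum(limiter.allow("198.51.100.5", "INVITE", float(i)) for i in range(30))


if __name__ == "__main__":
    print("flood  (allowed, denied, banned):", simulate_flood())
    print("normal allowed:", simulate_normal())
```

The flood gets four INVITEs through on the initial burst allowance, is then refused, and is banned after three refusals, so the remaining 93 messages cost the PBX nothing; the provider's steady one-call-per-second load is never touched because the refill rate covers it. Keeping the bucket per source is what lets the two coexist, and the ban is deliberately a silent drop rather than a SIP error, so the flood is not rewarded with a reply for every packet.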
8. Poorly Secured Endpoints (Phones, Softphones, Apps)
Unsecured VoIP endpoints such as IP phones, softphones and unpatched mobile apps are weak points that can expose your entire communication system, and even your broader network, to significant risk. These devices tend to be overlooked in an organisation's security posture.
These risks include:
- Toll Fraud / Financial Loss: Attackers who gain control of an endpoint can make expensive international calls on your account.
- Eavesdropping and Breaches: Conversations can be intercepted and listened to without proper encryption. This can compromise confidential business discussions and data.
- Malware & Network Infiltration: A compromised phone or softphone on the office network is a foothold from which malware, such as ransomware that encrypts files and demands payment, can spread to other systems and seriously impede operations.
- Compliance and legal issues: Endpoint security failure can lead to heavy fines and non-compliance with laws (such as GDPR).
- Operational downtime: Attacks can take systems down or render data unreadable, stopping operations and causing lost productivity and monetary losses.
Prevention Tips
To prevent risks of poorly secured endpoints, organisations need a multilayered approach:
- Stay on top of updates and patches
- Implement Multi-Factor Authentication (MFA)
- Remove unused apps
Secure provisioning is another way of preventing the risks of poorly secured endpoints. It refers to setting up and configuring a device with all necessary security measures before it is used in a network.
Good providers (like Fuse 2) use Device Management Tools (MDM/UEM) to offer comprehensive control and security over client devices.
These tools provide:
- Centralised management: All devices (laptops, phones, etc.) may be seen and controlled from a single dashboard.
- Automated Setup: Enrolment with “zero-touch” for safe, pre-configured devices.
- Robust Security: implementing automatic patching, app control, remote lock/wipe for misplaced devices, and policy enforcement (passwords, encryption).
- Remote Support: Remote diagnostics and troubleshooting.
- BYOD Support: Securing the usage of personal devices for work.
- Reporting: Providing detailed compliance and audit reports.
9. Misconfigured SIP Trunks or PBX Settings
Misconfigured SIP trunks and PBX settings are a serious threat to any organisation relying on IP-based communication. They typically come from incorrect routing rules and overly open trunks, and can lead to:
- Massive toll fraud: Attackers can exploit outbound dialling rules to make expensive, unauthorised calls, which can leave the business with large bills.
- System Exposure & Hacking: Unsecured systems become backdoors to the network, which allow for malware injection, data theft, and manipulation of communication services.
- Downtime (DoS/DDoS): Traffic can overload systems, preventing any connection.
- Eavesdropping: Confidential information may be exposed if unencrypted calls are intercepted.
These risks are also severely heightened by Shadow IT (unauthorised, unmanaged systems) and DIY PBX setups, which often lack proper security expertise, patching and oversight.
Prevention Tips
Regular audits and reviews: frequently conduct internal audits of your configurations, call logs and system performance. Engage expert reviews from third-party security, and regularly schedule them. With Fuse 2, all SIP trunking configurations are hardened by default and supported by a specialist team.
Expert Reviews: Due to the intricacy of contemporary VoIP systems, even knowledgeable IT personnel can fail to notice minor setup errors. An evaluation by an impartial expert might reveal hidden weaknesses and offer a new viewpoint.
Platform-Level Protections: Applying strong security measures directly on your SIP and PBX platforms is crucial for creating a hardened and resilient communication environment.
These measures include:
- Using TLS for SIP signalling and SRTP to encrypt the voice and video media itself, preventing eavesdropping.
- Using an SBC to act as a firewall for voice traffic, hiding your network topology.
- Using IP-based access control to ensure your system only communicates with authorised provider IP addresses.
- Reducing your attack surface by turning off any unnecessary services or extensions on your PBX.
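As an added example (not code from the original page or from Fuse 2), a small audit of a PBX configuration against the platform-level measures listed above. It reads an Asterisk chan_sip-style sip.conf, constructed here in a weak and a hardened version, and flags guest access, a missing alwaysauthreject, short or dictionary secrets and peers without a permit/deny source restriction. The secret-length threshold and the weak-secret list are assumed, and the audit treats an unset option as unsafe rather than relying on the software's defaults.

```python
WEAK_SECRETS = {"1234", "password", "admin", "secret", "changeme"}  # assumed short list
MIN_SECRET_LEN = 12                                                 # assumed policy


def parse_asterisk_conf(text):
    """Minimal parser for Asterisk-style config: [section] headers, key=value
    lines, ';' comments; repeated keys (permit/deny) are kept as lists."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
    return sections


def audit_sip_conf(text):
    """Return (section, option, finding) triples; an empty list means clean."""
    cfg = parse_asterisk_conf(text)
    findings = []
    general = cfg.get("general", {})
    if general.get("allowguest", [""])[0].lower() != "no":
        findings.append(("general", "allowguest",
                         "unauthenticated callers can reach the dialplan; set allowguest=no"))
    if general.get("alwaysauthreject", [""])[0].lower() != "yes":
        findings.append(("general", "alwaysauthreject",
                         "auth failures reveal which usernames exist; set alwaysauthreject=yes"))
    for name, opts in cfg.items():
        if name == "general" or "type" not in opts:
            continue  # only peer/user/friend definitions are checked
        secret = opts.get("secret", [""])[0]
        if "secret" in opts and (len(secret) < MIN_SECRET_LEN or secret.lower() in WEAK_SECRETS):
            findings.append((name, "secret", "short or dictionary secret; use a long random value"))
        if "permit" not in opts:
            findings.append((name, "permit",
                             "no source restriction; add deny=0.0.0.0/0.0.0.0 then permit=<trusted range>"))
    return findings


# Constructed "before" configuration: guest calls on, trunk and extension with
# the same four-digit secret, no source restrictions anywhere.
WEAK_CONF = """
[general]
context=from-external
allowguest=yes

[provider-trunk]
type=peer
host=198.51.100.5
secret=1234
context=from-trunk

[1001]
type=friend
host=dynamic
secret=1234
context=from-internal
"""

# Constructed "after" configuration with the same sections hardened.
HARDENED_CONF = """
[general]
context=from-external
allowguest=no
alwaysauthreject=yes

[provider-trunk]
type=peer
host=198.51.100.5
secret=8cJq2vPm9zLxRw4tEy7n
deny=0.0.0.0/0.0.0.0
permit=198.51.100.0/255.255.255.0
context=from-trunk

[1001]
type=friend
host=dynamic
secret=Vt7pQ3mZk9XbL2cRw5Hd
deny=0.0.0.0/0.0.0.0
permit=10.0.0.0/255.0.0.0
context=from-internal
"""

if __name__ == "__main__":
    for finding in audit_sip_conf(WEAK_CONF):
        print(finding)
    print("hardened:", audit_sip_conf(HARDENED_CONF))
```

The permit/deny check is the configuration form of the IP-based access control in the list above: the trunk peer accepts signalling only from the provider's range and the extension only from the office network. Keeping the audit in version control and running it on every change is a cheap way to catch the "overly open trunk" that a DIY PBX setup tends to leave behind.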
10. Lack of Monitoring & Alerting
Delayed detection, increased damage
Attacks go unnoticed for longer periods, allowing fraudsters to maximise financial losses and malicious individuals to cause extensive system disruption or data theft. Usually, by the time victims find out, the damage is irreversible and costly.
Blind spots
Without comprehensive logs and a way to correlate them, you can miss crucial early warning signs like strange call patterns, suspicious logins, or configuration changes.
Compliance Failures
Strong monitoring and incident response are required by several rules. If these are not followed, there may be severe penalties and legal repercussions.
Ineffective Incident Response
If you don’t know an incident is happening, your response plan can’t be triggered, leaving you unable to mitigate the attack promptly or learn from it for future prevention.
Reputational Harm
Unexpected charges and other customer-impacting incidents that go unnoticed can harm your business’s reputation by causing lost confidence and client attrition.
Prevention Tips
- Build a strong monitoring framework: define what to monitor (KPIs, baselines, logs) and centralise all logs for easy analysis. Use monitoring tools that cover infrastructure, applications and security (SIEM).
- Prioritise smart alerts: Prioritise warnings using anomaly detection and smart thresholds. Use a variety of notification channels with explicit escalation procedures, and make sure warnings are relevant and contextual.
- Strengthen Incident Response: To gain knowledge and make improvements, perform blameless post-event reviews, automate remediation where feasible, and practice with drills regularly.
- Embrace Continuous Improvement: Review and adjust alarms regularly, audit logs, evaluate security, and keep up with threat intelligence. Specialised solutions such as fraud warnings, SIP analytics dashboards and thorough SIP log checks are essential for SIP/VoIP settings.
Fuse 2 can offer integrated solutions with live dashboards, call alerts, and pattern monitoring, significantly reducing response times from hours to mere seconds.