
VoIP Security and Encryption

TLS encrypts signaling. SRTP encrypts voice. STIR/SHAKEN stops spoofing. SOC2 Type II is the minimum verifiable vendor signal. What to check before you sign.

By Darshan M · Published May 14, 2026 · Updated May 26, 2026


The short answer: VoIP is secure when configured properly. The two-layer encryption model — TLS for signaling, SRTP for media — closes the primary eavesdropping vectors. STIR/SHAKEN attestation prevents caller ID spoofing at the carrier level. SOC2 Type II certification is the minimum verifiable signal that a vendor has had its security controls independently audited.

The remaining attack surface — toll fraud, credential stuffing, SIP DDoS, insecure endpoints — requires MFA, role-based access control, and endpoint policy. The sections below explain each layer, the real vulnerabilities, and the exact questions to ask your VoIP vendor before signing a contract.

Is VoIP actually secure? (The short answer)

The honest answer is: it depends entirely on the vendor configuration and your own access controls.

The underlying SIP and RTP protocols were designed in an era that prioritized interoperability over encryption. Unencrypted SIP sends call signaling in plaintext. Unencrypted RTP sends voice as raw audio packets. Both are trivially interceptable on the same network segment. That is the source of the “VoIP is insecure” claim — and it was accurate for on-premises PBX deployments before 2015.

Modern cloud VoIP changes the picture materially. A correctly configured cloud VoIP platform encrypts signaling with TLS 1.2 or 1.3, encrypts media with SRTP, and authenticates caller ID via the STIR/SHAKEN framework. At that configuration baseline, passive eavesdropping on your calls requires breaking TLS — an attack that is not practical against a properly configured TLS 1.3 session.

The vulnerabilities that remain in 2026 are not cryptographic. They are operational: compromised credentials, misconfigured session border controllers, unpatched desk phones, and social engineering. These are solvable with the access control practices in the sections below.

See the full DialPhone security posture on the security overview page and the trust and compliance portal.

TLS and SRTP — what they encrypt and what they don’t

VoIP traffic has two distinct streams. Understanding the difference matters because a vendor can encrypt one without the other.

SIP signaling (call setup, routing, authentication). SIP messages establish the call: who is calling, who is being called, what codecs to use, where to send the audio. Without encryption, SIP messages are readable by any device on the path between your phone and the VoIP server. Transport Layer Security (TLS) wraps SIP in the same encryption layer used by HTTPS — TLS 1.3 with forward secrecy means that a later compromise of the server’s long-term private key does not expose the session keys of past calls.

RTP media (the actual voice audio). Once a call is established, the audio travels over Real-time Transport Protocol. Standard RTP is unencrypted. Secure Real-time Transport Protocol (SRTP) encrypts the audio payload using AES-128 or AES-256. SRTP adds negligible latency and is required by DialPhone on all business phone plans.

What TLS + SRTP does not protect. Encryption closes the wire-level eavesdropping vector. It does not protect against a compromised account that logs in with stolen credentials, a misconfigured PBX that accepts unauthenticated SIP INVITE requests, or a device that decrypts traffic locally and forwards it. The encryption layer is necessary but not sufficient — which is why the access control sections below matter as much as the cryptographic layer.

Ask any vendor two questions: “Is TLS used for SIP signaling?” and “Is SRTP used for media?” If either answer is optional rather than mandatory, move on. Both should be default-on, non-negotiable.

[Diagram: VoIP two-layer encryption model. SIP signaling (call setup, routing, auth) on port 5061, encrypted by TLS 1.3; forward secrecy prevents past-session exposure. RTP voice media (the actual audio packets) on ports 10000–20000, encrypted by SRTP with AES-128/256. TLS without SRTP leaves the audio unencrypted.]
Both TLS (signaling) and SRTP (media) must be mandatory — not optional — for complete VoIP call encryption. A vendor offering only TLS leaves the actual voice audio in plaintext.

STIR/SHAKEN — caller ID authentication for 2026

STIR/SHAKEN is a carrier-level framework that cryptographically attests the origin of a call’s caller ID. It addresses a specific attack vector: spoofed caller ID, where a caller presents a phone number they do not own — a technique used in robocall fraud, IRS impersonation scams, and business email compromise calls.

How it works. When a call originates on your business phone system, your carrier signs the caller ID with a certificate and attaches an identity header to the SIP message. The terminating carrier validates that signature. If the signature is missing or invalid, the call is flagged — either with a “Spam Likely” label on the recipient’s phone or by being silently dropped.

STIR/SHAKEN attestation levels. Full attestation (A-level) means the carrier has verified that the calling party is authorized to use the number being presented. Partial attestation (B-level) means the carrier authenticated the originating customer but cannot verify the specific number. Gateway attestation (C-level) means the call entered the PSTN from an external source and could not be verified. A-level attestation is what you want for outbound calls from your business numbers.

What this means for DialPhone customers. DialPhone participates in the STIR/SHAKEN framework and signs outbound calls at A-level attestation for numbers provisioned on the platform. Your business calls reach recipients with verified caller ID — reducing the probability of being flagged as spam and protecting your brand reputation on outbound call campaigns.

For more on caller ID authentication, see the STIR/SHAKEN glossary entry.
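The validation the terminating side performs on a SHAKEN Identity header, as an added example that is not DialPhone code and not part of the original article. It decodes the PASSporT carried in the header, checks the claims the framework relies on (alg, ppt, typ, x5u, the attestation level, that the signed orig and dest numbers match the call, and that iat is fresh enough to rule out replay), and maps the attestation level to the label described above. Signature verification against the carrier certificate is delegated to a caller-supplied callback (the hypothetical `verify_sig`), because it needs the ES256 certificate fetched from the x5u URL; the sample header, numbers, URL and signature bytes are all constructed placeholders.

```python
import base64
import json
import time
from typing import Callable, Optional

MAX_IAT_SKEW_SECONDS = 60  # PASSporTs older than about a minute are treated as stale (replay risk)

# Attestation level -> label the article associates with it on the recipient's device.
ATTEST_LABEL = {"A": "clean", "B": "unknown", "C": "spam risk"}

# Hypothetical callback: (signing_input, signature, x5u) -> bool. A real implementation
# fetches the certificate at x5u and verifies the ES256 signature with its public key.
SignatureVerifier = Callable[[bytes, bytes, str], bool]


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_sample_identity(orig_tn: str, dest_tn: str, attest: str, iat: int,
                          x5u: str = "https://cert.example.invalid/shaken.pem") -> str:
    """Construct a sample Identity header value (test data only). The 64 zero bytes stand
    in for the ES256 signature a real carrier would produce over header.payload."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn}, "origid": "constructed-origid-0001"}
    token = ".".join(_b64url_encode(json.dumps(p, separators=(",", ":"), sort_keys=True).encode())
                     for p in (header, payload))
    token += "." + _b64url_encode(b"\x00" * 64)
    return f"{token};info=<{x5u}>;alg=ES256;ppt=shaken"


def check_identity(identity: Optional[str], from_tn: str, to_tn: str,
                   verify_sig: SignatureVerifier, now: Optional[int] = None) -> dict:
    """Validate a SHAKEN Identity header for a call from from_tn to to_tn.
    Returns the verdict, the attestation level, the display label and any problems found."""
    now = int(time.time()) if now is None else now
    if not identity:
        return {"verdict": "unsigned", "attest": None, "label": "spam likely",
                "problems": ["no Identity header"]}
    parts = identity.split(";")
    params = dict(p.strip().split("=", 1) for p in parts[1:] if "=" in p)
    try:
        h_b64, p_b64, s_b64 = parts[0].strip().split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return {"verdict": "invalid", "attest": None, "label": "spam likely",
                "problems": ["malformed PASSporT"]}
    problems = []
    if header.get("alg") != "ES256" or params.get("alg", "ES256") != "ES256":
        problems.append("alg must be ES256")
    if header.get("ppt") != "shaken" or params.get("ppt") != "shaken":
        problems.append("ppt must be shaken")
    if header.get("typ") != "passport":
        problems.append("typ must be passport")
    x5u = header.get("x5u", "")
    if not x5u.startswith("https://"):
        problems.append("x5u must be an https URL")
    attest = payload.get("attest")
    if attest not in ATTEST_LABEL:
        problems.append("attest must be A, B or C")
    if payload.get("orig", {}).get("tn") != from_tn:
        problems.append("orig tn does not match From")
    if to_tn not in payload.get("dest", {}).get("tn", []):
        problems.append("dest tn does not include called number")
    iat = payload.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > MAX_IAT_SKEW_SECONDS:
        problems.append("iat outside freshness window (possible replay)")
    # Only spend the signature check on a structurally valid token.
    if not problems and not verify_sig(f"{h_b64}.{p_b64}".encode(), signature, x5u):
        problems.append("signature invalid")
    if problems:
        return {"verdict": "failed", "attest": attest, "label": "spam likely", "problems": problems}
    return {"verdict": "verified", "attest": attest, "label": ATTEST_LABEL[attest], "problems": []}
```

The ordering matters in practice: claim checks are cheap and reject most malformed or replayed tokens before any certificate fetch, and a mismatch between the signed orig number and the From header is exactly the case the framework exists to catch, so it is reported even when the signature itself would verify.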

SIP attack vectors (toll fraud, eavesdropping, DDoS)

Understanding the attack surface helps you evaluate vendor mitigations. The three most common SIP-specific attack patterns in 2026:

Toll fraud. The highest-volume financial attack on VoIP systems. An attacker compromises a SIP account — usually through credential stuffing from a leaked database — and routes international calls through your system at your expense. Calls to premium-rate numbers or high-cost destinations can run up thousands of dollars in minutes.

Mitigation: strong SIP credentials, geographic call restrictions, per-account spend caps, and anomalous-traffic alerting. DialPhone enforces spend thresholds and geographic restrictions at the account level; alerting fires on deviation from baseline call patterns.

Passive eavesdropping. Without TLS + SRTP, an attacker on the same network (or on a compromised network device in the path) can capture SIP packets to learn who is calling whom, and capture RTP packets to reconstruct the call audio. Modern cloud VoIP with mandatory TLS + SRTP closes this vector for the transport layer. The residual risk is at the endpoint: a compromised softphone or infected laptop can capture decrypted audio. Endpoint security policy (section below) addresses this.

SIP DDoS and registration flooding. Attackers send high volumes of SIP REGISTER or INVITE requests to overwhelm a SIP server, causing call quality degradation or outages. Mitigation lives in the session border controller (SBC): rate limiting, CAPTCHA-style challenge-response, and IP allowlisting. DialPhone operates redundant SBCs across multiple regions with automated DDoS mitigation integrated at the network edge, contributing to the 99.999% uptime SLA. The platform’s failover architecture is documented in the SIP trunking glossary entry.

What to ask your vendor. Request the incident count for toll fraud events in the past 12 months, the average time-to-detect for anomalous call patterns, and whether the SBC vendor is disclosed. Vendors unwilling to answer these questions in sales should be treated as a red flag.
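The three toll-fraud mitigations named above (geographic restrictions, per-account spend caps, and alerting on deviation from baseline) as detection logic run over a call detail record (CDR) export. This is an added example, not DialPhone’s implementation; the CDR format, the policy table, the partial country-code list and the call records are all constructed for the example. The sample export holds a normal business day followed by an overnight burst of international calls from a single extension, which is the pattern the section describes.

```python
import csv
import io
from collections import defaultdict

# Partial country-code table for prefix matching, constructed for this example.
# A production system would use a full E.164 numbering plan.
KNOWN_COUNTRY_CODES = {"1", "33", "44", "49", "81", "353", "381"}

# Per-account policy (constructed): which country codes the business actually calls,
# a daily spend cap in USD, and the account's normal outbound call rate.
POLICY = {
    "acct-sales": {"allowed_cc": {"1"}, "daily_cap_usd": 25.0, "baseline_calls_per_hour": 3.0},
}


def country_code(e164: str) -> str:
    """Longest-prefix match of an E.164 number against the country-code table."""
    digits = e164.lstrip("+")
    for n in (3, 2, 1):
        if digits[:n] in KNOWN_COUNTRY_CODES:
            return digits[:n]
    return "?"


def make_sample_cdrs() -> str:
    """Constructed CDR export: four daytime domestic calls, then twelve overnight
    international calls from extension 104 (the classic toll-fraud signature)."""
    rows = ["timestamp,account,extension,destination,duration_s,cost_usd",
            "2026-05-20T09:02:11,acct-sales,101,+12025550142,180,0.02",
            "2026-05-20T09:15:40,acct-sales,102,+12125550187,420,0.05",
            "2026-05-20T10:05:03,acct-sales,101,+13105550133,60,0.01",
            "2026-05-20T11:30:12,acct-sales,103,+14155550109,300,0.04"]
    for i in range(12):
        rows.append(f"2026-05-21T02:{10 + i:02d}:05,acct-sales,104,+44207555{100 + i:04d},600,2.40")
    return "\n".join(rows) + "\n"


def detect_toll_fraud(cdr_text: str, policy: dict = POLICY, velocity_factor: float = 3.0) -> list:
    """Apply the three mitigations to a CDR export and return a list of alert dicts.
    Spend-cap and velocity alerts fire once per account-day / account-hour;
    geographic alerts fire per out-of-policy call."""
    alerts = []
    spend_by_day = defaultdict(float)
    calls_by_hour = defaultdict(int)
    capped_days, flagged_hours = set(), set()
    for row in csv.DictReader(io.StringIO(cdr_text)):
        acct = row["account"]
        rules = policy.get(acct)
        if rules is None:
            alerts.append({"rule": "unknown_account", "account": acct, "detail": row["timestamp"]})
            continue
        # Geographic restriction: destination outside the account's allowlist.
        cc = country_code(row["destination"])
        if cc not in rules["allowed_cc"]:
            alerts.append({"rule": "geo_restriction", "account": acct,
                           "detail": f"{row['timestamp']} ext {row['extension']} -> +{cc} {row['destination']}"})
        # Spend cap: cumulative cost per account per calendar day.
        day = (acct, row["timestamp"][:10])
        spend_by_day[day] += float(row["cost_usd"])
        if spend_by_day[day] > rules["daily_cap_usd"] and day not in capped_days:
            capped_days.add(day)
            alerts.append({"rule": "spend_cap", "account": acct,
                           "detail": f"{day[1]} spend {spend_by_day[day]:.2f} exceeds cap {rules['daily_cap_usd']:.2f}"})
        # Velocity: calls per hour bucket versus the account baseline.
        hour = (acct, row["timestamp"][:13])
        calls_by_hour[hour] += 1
        threshold = rules["baseline_calls_per_hour"] * velocity_factor
        if calls_by_hour[hour] > threshold and hour not in flagged_hours:
            flagged_hours.add(hour)
            alerts.append({"rule": "velocity", "account": acct,
                           "detail": f"{hour[1]} has {calls_by_hour[hour]} calls, threshold {threshold:.0f}"})
    return alerts


if __name__ == "__main__":
    for alert in detect_toll_fraud(make_sample_cdrs()):
        print(alert["rule"], alert["account"], alert["detail"])
```

Run against the sample, the daytime calls produce nothing, while the overnight burst trips the geographic rule on its first call, the velocity rule on the tenth and the spend cap on the eleventh. That ordering is the point of the section’s “real-time spend caps are best” remark: a geographic block stops the very first out-of-policy call, whereas spend and velocity rules only fire after money has already been spent.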

[Diagram: STIR/SHAKEN attestation levels. A-level, full attestation: carrier verified the number is authorized to the caller, clean caller ID. B-level, partial attestation: customer verified, number ownership unconfirmed, “Unknown” label. C-level, gateway attestation: external PSTN entry, not verifiable, “Spam Risk” label.]
A-level STIR/SHAKEN attestation is required for clean caller ID display. C-level calls frequently receive “Spam Risk” or “Likely Scam” labels — killing outbound answer rates.

Vendor security certifications (SOC2, ISO 27001, HIPAA BAA)

Certifications are the only externally verifiable signal that a vendor’s security controls have been audited. Marketing claims are not audited. Certifications are.

SOC2 Type II is the baseline for cloud VoIP vendors serving US businesses. Type I means a vendor’s controls were reviewed at a point in time. Type II means controls were tested over an audit period — typically six to twelve months — confirming that they operate continuously, not just on inspection day. SOC2 Type II is the minimum bar worth accepting. DialPhone holds SOC2 Type II certification; the report is available under NDA to prospects evaluating the platform. See the SOC2 compliance page for current certification status and scope.

ISO 27001 is the international standard for information security management systems. It covers a broader organizational scope than SOC2 and is more commonly required by European customers and enterprise procurement processes. Not all cloud VoIP vendors maintain ISO 27001 alongside SOC2 — verify which standard applies to your procurement requirements before shortlisting.

HIPAA Business Associate Agreement (BAA). If your business handles patient health information — medical practices, dental groups, behavioral health, telehealth — you are legally required to execute a BAA with every vendor that processes, stores, or transmits PHI on your behalf. A VoIP vendor that receives inbound patient calls and stores recordings is processing PHI. Require a BAA in writing before routing any patient traffic. Confirm whether the BAA covers call recordings, voicemail, and SMS separately from voice calls — scope varies by vendor.

What certification does not guarantee. A SOC2 Type II report tells you that the vendor’s documented controls operated as described during the audit period. It does not guarantee zero incidents. It does not cover your endpoint configuration, your user access policies, or your integration with third-party platforms. Certification shifts responsibility to the vendor for the in-scope controls; the rest remains yours.

Authentication and access controls (MFA, SSO, role-based)

The credential layer is where most VoIP breaches originate. Encryption at the transport layer does nothing if an attacker logs into the admin portal with a stolen password.

Multi-factor authentication (MFA). MFA should be mandatory — not optional — for every user who can modify routing, add extensions, or view call recordings. TOTP-based MFA (Google Authenticator, Authy) is the minimum; hardware keys (FIDO2/WebAuthn) are preferred for admin accounts. If your VoIP vendor does not support MFA for the admin portal, that is a disqualifying gap regardless of other certifications.

Single sign-on (SSO). Enterprise deployments benefit from integrating VoIP authentication into the corporate identity provider (Okta, Microsoft Entra ID, Google Workspace). SSO allows centralized credential lifecycle management — when an employee is offboarded in your IdP, their VoIP access is revoked automatically, not manually. Manual offboarding creates windows of access that persist after employment ends.

Role-based access control (RBAC). Not every user needs access to billing, call recording download, or number provisioning. RBAC limits the blast radius of a compromised account. Segment roles at minimum into: end user (make and receive calls, view own call history), team admin (manage team members, view team recordings), and system admin (modify routing, access billing, provision numbers). DialPhone supports granular RBAC with custom role definitions. Details are on the business phone product page.

SIP credential hygiene. SIP accounts have their own credentials separate from the web portal login. SIP passwords are often set at provisioning and never rotated. Require SIP credential rotation on a defined schedule — annually at minimum, quarterly for high-value accounts. Disable SIP accounts that are no longer in use rather than leaving them dormant.

Endpoint security (desk phones, softphones, BYOD)

The encrypted transport layer terminates at the endpoint. A compromised endpoint captures decrypted audio regardless of how strong the transport encryption is.

Desk phones. Hardware IP phones run embedded firmware. Unpatched firmware vulnerabilities have enabled remote root access on several major phone brands in the past five years. Establish a firmware update policy: receive vendor security advisories, test updates in staging, deploy within 30 days of release. Disable unused services on the phone (web server, telnet interface, unused protocols). Physically secure phones in common areas where a USB port could be used for a local attack.

Softphones and desktop clients. Softphone applications on employee laptops inherit the security posture of the laptop. A malware-infected laptop with a softphone installed can record decrypted audio at the application layer. Endpoint detection and response (EDR) coverage on all devices running softphones is not optional — it is part of the VoIP security perimeter.

BYOD policy. Personal devices used for business calls introduce the highest risk surface: unmanaged OS patch levels, personal apps with broad permissions, and no corporate EDR coverage. Options: prohibit BYOD for calls involving sensitive information, require mobile device management (MDM) enrollment before softphone installation, or use a web-based softphone in a browser with no local audio recording surface. Document the chosen policy and enforce it consistently.

What to ask your VoIP vendor before signing

The questions that separate adequately secured platforms from platforms that create liability:

  1. Is TLS 1.2+ mandatory for SIP signaling, or optional? Mandatory is the only acceptable answer.
  2. Is SRTP mandatory for media, or configurable? Mandatory is the only acceptable answer.
  3. What STIR/SHAKEN attestation level do outbound calls receive? A-level is the target.
  4. What is your SOC2 Type II audit scope — does it cover the VoIP platform specifically? Scope matters; a SOC2 for the corporate IT environment does not cover the call processing infrastructure unless explicitly included.
  5. How quickly does anomaly detection flag potential toll fraud, and what is the automatic response? Hours is too slow; minutes is acceptable; real-time spend caps are best.
  6. Is MFA mandatory for admin portal access? Mandatory, not optional.
  7. What is your documented RTO and RPO for a regional outage? DialPhone’s documented architecture achieves sub-minute failover across redundant regions, backing the 99.999% uptime SLA.
  8. Can you provide a redlined BAA for our legal review? Any vendor that refuses to negotiate BAA terms for a healthcare customer is signaling that HIPAA compliance is not operationally real.

The DialPhone trust portal publishes current uptime SLA terms, audit certifications, and the security whitepaper available for download without NDA. For compliance documentation including the SOC2 report, see the compliance page.

VoIP protocol comparison table

Understanding which protocol handles which function helps evaluate vendor claims precisely.

Protocol           | Transport   | Port         | Encrypts               | Primary use case
SIP (plain)        | UDP or TCP  | 5060         | Nothing                | Legacy call setup — insecure
SIP/TLS            | TLS         | 5061         | Signaling only         | Encrypted call setup
RTP                | UDP         | 10000–20000  | Nothing                | Voice audio — insecure
SRTP               | UDP         | 10000–20000  | Voice audio            | Encrypted voice media
ZRTP               | UDP         | Same as SRTP | Voice audio (P2P)      | Peer-to-peer encrypted calls
WebRTC (DTLS-SRTP) | DTLS + SRTP | Dynamic      | Both signaling + media | Browser-based calls

The correct configuration for a secure cloud VoIP deployment is SIP/TLS on port 5061 for signaling and SRTP for media. A vendor that offers TLS but not SRTP leaves the actual voice audio unencrypted. Always ask about both layers independently.

ZRTP is a peer-to-peer encryption protocol developed by Phil Zimmermann (creator of PGP). Unlike SRTP, ZRTP does not require the server to manage encryption keys — the two endpoints negotiate a shared secret directly via a Diffie-Hellman exchange. This eliminates the risk of a compromised server key exposing call audio. ZRTP is more commonly seen in consumer-grade secure calling apps (Signal, ProtonPhone) than in enterprise CCaaS, but it appears in the feature sets of some on-premises PBX platforms (Asterisk, FreePBX) where endpoint-to-endpoint trust is a requirement.

Compliance requirements matrix

Security certifications and regulations impose overlapping requirements on VoIP infrastructure. This matrix maps which controls are mandatory versus recommended for each framework.

Regulation                | Encryption required                | Audit log required       | BAA or DPA              | Minimum certification
HIPAA (US healthcare)     | Addressable — effectively required | Yes (45 CFR §164.312(b)) | BAA required            | SOC2 Type II recommended
PCI-DSS v4.0 (payments)   | Yes (TLS 1.2+)                     | Yes (requirement 10)     | No (but vendor scoping) | QSA assessment
SOX (financial reporting) | Yes (for financial data)           | Yes                      | No                      | SOC1 Type II
GDPR (EU personal data)   | Yes (Art. 32)                      | Yes (Art. 30 records)    | DPA required            | ISO 27001 common
CPNI (FCC, US carriers)   | Transport security required        | Access logging           | No                      | FCC filing

For most US businesses: HIPAA + SOC2 Type II covers the broadest set of requirements. GDPR applies if you have EU customers. PCI-DSS applies if payment card data enters the call stream. It is common to have multiple frameworks in scope simultaneously — a healthcare practice that accepts card payments needs HIPAA + PCI-DSS controls on the same CCaaS platform.

[Diagram: compliance requirements by regulation (HIPAA, PCI-DSS v4.0, SOX, GDPR, CPNI) for encryption, audit log, contract (BAA/DPA) and minimum certification; same content as the matrix above.]
Compliance requirements by regulation for VoIP deployments. Multiple frameworks often apply simultaneously — a healthcare practice accepting card payments needs both HIPAA and PCI-DSS controls.

6 common VoIP encryption failure modes

When VoIP calls are not fully encrypted in practice, the failure typically falls into one of these six categories:

1. TLS configured for signaling only, RTP left unencrypted. The call setup is secure but the voice audio travels in plaintext RTP. Any device on the network path can capture and replay audio. Fix: mandate SRTP in addition to TLS — both layers must be active.

2. Expired or misconfigured TLS certificate on the SBC. A session border controller with an expired or self-signed certificate causes endpoints to fall back to unencrypted SIP. Symptom: phones connect but show a certificate warning or silently fail TLS negotiation. Fix: automate certificate renewal (Let’s Encrypt or vendor-managed cert rotation).

3. Old TLS version (1.0 or 1.1) still accepted. TLS 1.0 and 1.1 are deprecated and vulnerable to POODLE and BEAST attacks. Vendors that accept TLS 1.0 for backward compatibility with legacy desk phones create a downgrade attack vector. Fix: configure the SBC to reject TLS below 1.2; replace legacy phones that cannot negotiate TLS 1.2+.

4. SRTP key exchange via SDES (unencrypted key in SDP). SDES (Session Description Protocol Security Descriptions) sends the SRTP encryption key in the SIP SDP body. If SIP signaling is not TLS-protected, the SRTP key is transmitted in plaintext, making SRTP protection trivially bypassable. Fix: require SIP/TLS to protect SDES key exchange, or use DTLS-SRTP (which negotiates keys in the DTLS handshake, independent of SIP signaling).

5. Softphone app on unmanaged BYOD device. Transport encryption terminates at the endpoint. A softphone running on a personal device with malware can capture decrypted audio at the application layer regardless of how strong the transport encryption is. Fix: MDM enrollment for any device running a softphone client, plus EDR coverage.

6. Desk phone firmware not updated. Unpatched IP phone firmware has been the source of multiple remote code execution vulnerabilities in the past four years (Grandstream, Yealink, Poly all have published CVEs). A compromised desk phone captures decrypted audio locally. Fix: firmware update policy with automated alerting for new security advisories; 30-day deployment window.
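An audit of a SIP INVITE and its SDP offer that checks both encryption layers from the “TLS and SRTP” section and catches failure modes 1 and 4 above: plain RTP/AVP media, and an SDES a=crypto key carried in SDP over non-TLS signaling. This is an added example, not DialPhone code and not from any SIP stack; it assumes the transport can be read from the top Via header (which is how SIP advertises it), and the INVITE messages, addresses, key material and fingerprint values are constructed placeholders. A practitioner would run this over INVITEs captured at the SBC or exported from a softphone’s SIP trace.

```python
SDES_SAMPLE = "crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40  # placeholder key material
FINGERPRINT_SAMPLE = "fingerprint:sha-256 " + ":".join(["00"] * 32)   # placeholder DTLS fingerprint


def sample_invite(transport: str, profile: str, media_attrs) -> str:
    """Construct a minimal SIP INVITE carrying an SDP audio offer (test data only)."""
    port = 5061 if transport.upper() == "TLS" else 5060
    sdp_lines = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
                 f"m=audio 49170 {profile} 0 8 101"] + [f"a={a}" for a in media_attrs]
    sdp = "\r\n".join(sdp_lines) + "\r\n"
    headers = ["INVITE sip:bob@example.invalid SIP/2.0",
               f"Via: SIP/2.0/{transport} 192.0.2.10:{port};branch=z9hG4bK-constructed",
               "From: <sip:alice@example.invalid>;tag=1", "To: <sip:bob@example.invalid>",
               "Call-ID: constructed-call-id@192.0.2.10", "CSeq: 1 INVITE",
               "Content-Type: application/sdp", f"Content-Length: {len(sdp)}"]
    return "\r\n".join(headers) + "\r\n\r\n" + sdp


def parse_sip(message: str):
    """Split a SIP message into request line, (name, value) headers and body."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def sdp_media_sections(sdp: str) -> list:
    """Group each m= line with the media-level a= attributes that follow it."""
    sections, current = [], None
    for line in sdp.strip().split("\n"):
        if line.startswith("m="):
            fields = line[2:].split()
            current = {"media": fields[0], "port": fields[1], "profile": fields[2], "attrs": []}
            sections.append(current)
        elif line.startswith("a=") and current is not None:
            current["attrs"].append(line[2:])
    return sections


def audit_invite(message: str) -> dict:
    """Report whether signaling and media are both protected in an INVITE offer."""
    _, headers, sdp = parse_sip(message)
    via = next((v for n, v in headers if n in ("via", "v")), "")
    transport = via.split()[0].split("/")[-1].upper() if via else "UNKNOWN"
    findings = []
    if transport != "TLS":
        findings.append(f"signaling over {transport}: SIP headers and SDP readable on the path")
    for m in sdp_media_sections(sdp):
        profile = m["profile"]
        has_crypto = any(a.startswith("crypto:") for a in m["attrs"])
        has_fingerprint = any(a.startswith("fingerprint:") for a in m["attrs"])
        if profile == "RTP/AVP":
            findings.append(f"{m['media']}: plain RTP, audio unencrypted (failure mode 1)")
        elif profile in ("RTP/SAVP", "RTP/SAVPF"):
            if not has_crypto:
                findings.append(f"{m['media']}: SRTP profile offered without a=crypto key material")
            elif transport != "TLS":
                findings.append(f"{m['media']}: SDES key in SDP over {transport}, SRTP key exposed (failure mode 4)")
        elif profile in ("UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"):
            if not has_fingerprint:
                findings.append(f"{m['media']}: DTLS-SRTP offered without a=fingerprint, peer unauthenticated")
        else:
            findings.append(f"{m['media']}: unrecognised profile {profile}")
    return {"transport": transport, "findings": findings, "secure": not findings}


if __name__ == "__main__":
    for label, msg in [("udp + plain rtp", sample_invite("UDP", "RTP/AVP", [])),
                       ("udp + sdes srtp", sample_invite("UDP", "RTP/SAVP", [SDES_SAMPLE])),
                       ("tls + sdes srtp", sample_invite("TLS", "RTP/SAVP", [SDES_SAMPLE])),
                       ("tls + dtls-srtp", sample_invite("TLS", "UDP/TLS/RTP/SAVPF", [FINGERPRINT_SAMPLE]))]:
        print(label, audit_invite(msg))
```

The second sample is the one worth noticing: the offer advertises SRTP, so a vendor checklist that only asks “is SRTP on?” passes it, yet the key that protects the audio was itself sent in the clear. The DTLS-SRTP case passes with a fingerprint because its keys are never in SDP at all; only the certificate fingerprint is, and that is what lets the peer be authenticated.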

TLS/SRTP vs VPN: which protects what

Some IT teams use a VPN to secure remote VoIP calls. VPN and TLS/SRTP solve overlapping but distinct problems.

Scenario                             | TLS + SRTP                         | VPN
Protects voice audio on the wire     | Yes (SRTP)                         | Yes (if traffic tunnels through VPN)
Protects SIP signaling               | Yes (TLS)                          | Yes (if VPN includes SIP port)
Protects against compromised SBC     | Partial (TLS verifies server cert) | No
Adds latency to VoIP calls           | Minimal (under 5ms)                | 20–80ms on typical business VPN
Works on remote/cellular connections | Yes                                | Requires VPN client and connectivity
Required by HIPAA for voice          | Yes (effectively)                  | Not explicitly

The key tradeoff: VPNs add 20–80ms of additional latency, which pushes total round-trip time above the 150ms threshold at which VoIP quality degrades noticeably. TLS + SRTP adds negligible latency because encryption happens at the application layer on the existing connection path. For most businesses, TLS + SRTP without VPN is the right architecture for VoIP. VPN is appropriate for protecting general internet traffic — it is not the right tool for low-latency voice encryption.

VoIP security implementation checklist

Use this checklist when evaluating a vendor or auditing an existing deployment.

Vendor-side verification (ask for documentation):

  • TLS 1.2+ mandatory for SIP signaling (port 5061) — not optional
  • SRTP mandatory for RTP media — not configurable off
  • STIR/SHAKEN A-level attestation for outbound calls
  • SOC2 Type II report (Type I is insufficient)
  • Published subprocessor list naming all AI model providers
  • Documented SBC rate limiting and DDoS mitigation

IT-side configuration (verify in admin portal):

  • MFA mandatory for admin portal (not optional toggle)
  • SSO integrated with corporate IdP (Okta, Entra, Google Workspace)
  • RBAC: end-user, team-admin, system-admin roles separated
  • Geographic call restrictions enabled for non-business destinations
  • Per-account spend caps configured with alerting threshold
  • SIP credential rotation policy documented and scheduled

Ongoing hygiene:

  • Desk phone firmware update process defined, 30-day deployment window maximum
  • Softphone version currency verified quarterly
  • Annual SIP credential rotation for all accounts
  • Security advisory subscription active for all hardware vendors in use

How We Tested

DialPhone re-verifies every comparison in this guide every 90 days. We pull pricing directly from each vendor’s public pricing page on the dates listed in the frontmatter (lastVerifiedAt or updatedAt). Where vendor pricing is gated behind a sales call, we mark “Contact sales” and use the lowest published equivalent from the past 12 months. Feature availability is checked against vendor documentation, not marketing pages. We do not accept paid placements or affiliate fees from any vendor — see our editorial standards.

What We Don’t Like

No platform is perfect, including DialPhone. Honest drawbacks based on user feedback and our own testing:

  • Smaller integration catalog than RingCentral (~40 vs 200+). Niche vertical CRM integrations may require API work.
  • Newer brand awareness. RingCentral and 8x8 have 15+ years of analyst coverage. Enterprise procurement reviews may take longer.
  • Predictive dialer is an add-on ($15/user) for high-volume outbound teams running 200+ daily dials per rep.
  • HIPAA BAA starts on Advanced tier ($34/user), not the $24 Core plan. Still cheaper than competitors that gate HIPAA behind enterprise-only contracts.

FAQ

VoIP security and encryption: frequently asked questions

Is VoIP secure for business use?

Yes, when configured properly. A cloud VoIP platform with mandatory TLS 1.2+ for signaling and SRTP for media closes the primary eavesdropping vector. STIR/SHAKEN attestation prevents caller ID spoofing. The remaining risk is operational — compromised credentials, unpatched endpoints, weak access controls — not cryptographic. Verify that your vendor mandates encryption rather than making it optional, holds SOC2 Type II, and supports MFA for admin access.

What is the difference between TLS and SRTP in VoIP?

TLS encrypts SIP signaling — the call setup messages that establish who is calling, who is being called, and what codecs to use. SRTP encrypts the actual voice audio transmitted over RTP. A VoIP platform can offer TLS without SRTP, leaving the audio stream unencrypted even though the call setup is protected. Both are required for full transport-layer security. Always ask vendors whether both are mandatory and default-on, not optional.

What is STIR/SHAKEN and why does it matter for business VoIP?

STIR/SHAKEN is a carrier-level framework that cryptographically signs the caller ID on outbound calls. The terminating carrier validates the signature before delivering the call. Full (A-level) attestation means your carrier has verified you are authorized to use the number being presented. Without STIR/SHAKEN participation, your outbound calls are more likely to be flagged as spam likely on recipient devices, reducing answer rates and harming outbound call campaigns. The glossary entry at /glossary/stir-shaken covers the technical framework in full.

What is toll fraud and how do I prevent it?

Toll fraud occurs when an attacker compromises a SIP account — usually through credential stuffing — and routes international calls through your system at your expense. Calls to premium-rate destinations can generate thousands of dollars in charges within minutes.

Prevention requires strong, unique SIP credentials, MFA on the admin portal, geographic call restrictions that block destinations you do not call, per-account spend caps, and real-time anomaly alerting that fires when call patterns deviate from baseline. DialPhone enforces spend thresholds and geographic restrictions at the account level.

What security certifications should a business VoIP vendor hold?

SOC2 Type II is the minimum verifiable baseline for US businesses — Type II means controls were tested over an audit period, not just reviewed at a point in time. ISO 27001 covers a broader organizational scope and is commonly required by enterprise or European customers. If your business handles patient health information, a HIPAA Business Associate Agreement signed by the vendor is a legal requirement before routing any patient calls. DialPhone holds SOC2 Type II; the report is available on the compliance page.

Does VoIP work with MFA and SSO for business accounts?

Yes. Enterprise cloud VoIP platforms support TOTP-based MFA for the admin portal and integrate with corporate identity providers via SAML 2.0 or OIDC for SSO. SSO integration means employee offboarding in your identity provider automatically revokes VoIP access — eliminating the window of orphaned access that manual offboarding creates. MFA should be mandatory rather than optional for any account that can modify routing or access call recordings.

How do I secure softphones and BYOD devices on a business VoIP system?

Softphones on employee devices inherit the security posture of the host device. Require endpoint detection and response (EDR) coverage on all devices running softphone clients. For BYOD, the options are: prohibit use for sensitive calls, require MDM enrollment before softphone installation, or use a browser-based softphone that avoids local audio storage. Keep softphone application versions current — vendors regularly patch vulnerabilities in audio codec handling and SIP stack implementations. Pair with MFA for the softphone login separate from OS-level authentication.


This guide reflects DialPhone platform capabilities as of May 2026. Security certifications and framework participation are subject to renewal cycles — verify current certification status at /company/compliance/soc2. For security disclosures or factual corrections: [email protected].

Tags: business-phone, security, encryption

About the author

Growth Operations Lead at DialPhone

Darshan leads Growth Operations at DialPhone, where he owns three interconnected programs: the comparison content operation, the open VoIP Pricing Dataset, and the test-call methodology used to verify every pricing claim published on the site.

His research process starts with hands-on product trials and live vendor quotes — not marketing pages. Pricing figures are cross-checked against actual invoices and re-verified on a rolling quarterly cycle, with the underlying dataset kept public for independent re-verification. That dataset now covers 40+ VoIP and virtual-number providers across the US and Canada market.

Darshan also leads DialPhone's AI receptionist evaluation program, running structured test-call scenarios across English, Spanish, and French to assess transcription accuracy, intent routing, and escalation behavior. Methodology notes and raw scoring are archived in the research section.

For factual corrections or dataset discrepancies, Darshan can be reached at the DialPhone editorial address. Verified corrections are published as errata with a changelog date — no silent edits.
