Is a VOIP device on a Home LAN a security risk ?

I have used VOIP for a number of years, (via a Gigaset N300A and Gigaset phones), and the system works well via two separate VOIP providers, (Sipgate and Voipify).

However, I have a minor concern that the Gigaset N300a is on my Home LAN Network which means that other Devices on my Home LAN can access it and presumably visa versa. - (Obviously, I changed the N300a access password when I installed it so it has some password protection).

Is this a potential backdoor into my Home LAN ?

If I just used the ISA provided router I would not really have a choice, (without using additional ethernet port switch equipment), especially since the Gigaset N300a only has an ethernet connection but I have my own router so I do have a choice and I know how it can be done.

ie. On my own router I already have a WIFI Guest Network to isolate certain WIFI Devices from any devices on my Home LAN and yesterday I set up Ethernet Port 4 on my own router to be a VLAN Ethernet Port that is on my Guest WIFI Network and not on my Home LAN.

Is any of this necessary ?

Is a VOIP device on the home ethernet network a potential security risk ?

If so, what about Smart TVs ?

In reply to a post by Fido:

Is a VOIP device on the home ethernet network a potential security risk ?

If so, what about Smart TVs ?

I have used Voip for the past 10 years I have not encountered and security problems. One advantage is that the end point can be portable. Some Voip ISPs will ring more than one registered device for incoming calls.

I too have happily used VOIP for some years and I like the system.

Attached to my Gigaset N300a are six C575A Gigaset Phones that ring when calls are received and unused handsets can also ring when additional calls are received on my second VOIP Account so operation wise the VOIP System is great.

The query is about any potential security risk of VOIP devices being located on the routers Home LAN Network and the fact that if it is located on the Main Home LAN this means that it is on the same LAN as other devices that access internet banking etc.

Maybe this could never be a concern but if it is not ever a concern then why not?

The N300a does have a password but it is just a 4 digit numeric code number which is normal for VOIP but which may not be ideal from a Home LAN security viewpoint.

I do not know and that is why I asked the question.

As I said; I have already set up a VLAN on ethernet port 4 of my Asus RT-AX88U Pro Router and this VLAN is attached to my main WIFI Guest Network so it is isolated from the Main Home LAN Network but is this really necessary or even recommended for VOIP devices ?

On a separate issue; last year we bought a new all singing/dancing Cannon Printer/Scanner that actually works great as a device but in order to use the Cannon Software for it, we needed to agree to Cannon T&C that seemed to allow Cannon far more access to my personal information and my devices than I was comfortable with; so I located this Cannon Printer/Scanner on my Guest WIFI Network which means that my other devices need to login to my Guest WIFI in order to access the Cannon Printer/Scanner (which is a slight hassle) but it restricts its access to my Main LAN Network Devices.

Perhaps, I am being too cautious.

You can never be too cautious about security.

I'm using an N300A here with Gigaset handsets. I've got a Draytek router here so have set it up on a separate router port not used with anything else and given that port its own subnet numbering.

I vaguely remember some security issues around VoIP a number of years ago, but that was at the supplier level not the user level. I think it was about others gaining access to the system and making lots of expensive calls. Nowadays most providers allow you to set a maximumcharging limit on the account.

Generally speaking if you can't setup its own subnet then putting it on the Guest network is a good idea.
And yes, printers have historically been known as weak links in these networks.

Well in some ways I am pleased that I am not alone.

As I understand it; if we were just using the router that was supplied by the ISP, (in my case BT who provide a SH2), that would limit the options available to us, (if we did not add a Heath Robinson System of manager ethernet switches to the networks or a third party router behind the ISP Supplied Router), but since we use our own routers we have choices that are easier to adopt.

The potential problem may not just be limited to the VOIP System Devices and printers as can be seen from the attached link;

https://solutionsreview.com/wireless-network/wireles...

In some ways the potential problem, (if a recognised potential problem does actually exist), could be quite large in that there are many ethernet devices that have weak security and since our own house was fully wired up with Cat6A Ethernet Cabling some years ago we may be better off just putting all of the ethernet items in the whole house onto one IoT (Internet of Things) Network and keep the main WIFI Network separate for more security conscious devices which does seem counter intuitive but with a house already fully wired for with Cat6A Ethernet it may be a good policy.

The additional devices that I am slightly concerned about are;

(1). The Hive Heating Control System.

(2). The Smart TVs.

(3). The BSkyB Sky Q Boxes.

(4). The Xbox/s.

(5). etc.

Are any of the above devices potential security risks?

I suspect that most Third Party Routers will give their owners options: do not know a lot about the Draytek Router, (even though it has a good reputation) but the Asus RT-AX88U Pro offers large number of Guest Menu options including what it calls an IoT Network.

The N300A and the Cannon Printer/Scanner will definitely stay isolated but I am not sure how to proceed regarding the other devices listed above and a separate ethernet IoT Network for all these devices may be the best way forward. - I do not know.

Hi Folks,
As an ex- professional paranoid, I have been using Gigaset systems for decades - they work fine. As mentioned, the base station only has a four digit PIN to protect the settings on its web page (and only works with HTTP, so web connections with it are insecure). But ... why on earth would you make that web page accessible outside your local LAN? That would be unwise, so don't do it.
The DECT phones themselves do not use local IP network connections, so they are not a problem -- they only talk to the DECT base station using DECT radio signals (and those are protected using DECT's own point to point encryption). If you're a target for governments, worry about that -- otherwise the DECT radio side of things is not reaally an issue.
[Some DECT phones can also connect to bluetooth headsets, but again that's purely point-to-point between the phone and the paired headset and does not use the local IP network]
I AssUMe that your router is set up to block incoming IP connections and allow all outgoing IP connectioins -- that tends to be the default for most ISP-supplied routers. If not, really consider that, as that's your main problem.
If it IS set to block incoming IP connections, you should set a static local IP address for the base station, and you will have to set up port forwarding rules to allow just what's needed for SIP registration & VoIP calls. I set the DECT base station to use fixed port for SIP, and use a fixed range of ports for audio (RTP), make a note of those, and set the matchiing port forwarding rules in the router.
Note: I do NOT set port forwarding rules for port 80 (i.e., the base station's web page) to the DECT base station, so nothing outside the local IP network can see that page. For SIP registration & for VoIP calls, you only need SIP & RTP ports to be "visible" to the outside world, which the port forwarding rules you have set up will allow.
The remaining issues are:
- do you trust devices on your local IP network? That's a whole different question, so it's "left as an exercise for the student"
- in principle, any remote devices could attempt to make incoming VoIP calls to your DECT system -- not just your VoIP provider. To be honest, that's not really a problem for most people; the fashion for SPIT/lawnmower attacks went away years ago so it doesn't really happen any more. The Gigaset base stations are pretty simple, so remote attempts to SIP register with them will fail -- they just don't support that.
all the best, Lawrence

It depends on your threat model. What about your security relies on maintaining the network edge as the boundary between trusted and untrusted?

In reply to a post by jpm:

It depends on your threat model. What about your security relies on maintaining the network edge as the boundary between trusted and untrusted?

What threat model should I have ?

My router has a hardware firewall with Trend AI Network Protection fully Enabled and on my main browsing devices I use Kaspersky Premium.

I would like to say that I am well up on internet security and that I have a well thought out threat model but I am not and I don't.

Regarding internet security, I count myself as a just home user with very limited knowledge but I can normally find my way around electrical/electronic devices and could repair the hardware on them when I was younger.

Using Shields Up my home internet set up seems to be stealthed.

When I set my Nord VPN to another area, (to change my IP address from that used by my router), I could not access the Home LAN IP address of my N300A but I suspect that if I had spoofed it to my to my router IP address that it may have been accessible but I do not know.

I know that at least one device on my Home Lan Network seems to be accessible from the internet. ie. The Hive Heating Control System as when I set my Nord VPN to another area my Hive Control System is still accessible from so I plan to move that to a VLAN Port but I do not know if this is needed or not.

Should The Hive Heating Control System, The Smart TVs. The BSkyB Sky Q Boxes or The Xbox/s be considered as being potential security risks?

Edited by Fido (Sat 07-Feb-26 19:48:30)

@Fido,

IMHO, I would NOT use ANYTHING from Kaspersky as they are a RUSSIAN company and you could be, possibly, allowing Russia to gain access to UK networks. You should use a UK based suite that can allow you to feel safe on your main browsing device.

HTH,

In reply to a post by mking90031:

IMHO, I would NOT use ANYTHING from Kaspersky as they are a RUSSIAN company and you could be, possibly, allowing Russia to gain access to UK networks. You should use a UK based suite that can allow you to feel safe on your main browsing device.

This is a separate issue and it is not totally relevant to this thread but thank you for reminding us about the links between Kaspersky and Russia.

FWIW, I have used Kaspersky for over 10 years without any issues so they already have my info and since I bought about four years of Kaspersky Premium 10 devices licenses when they were cheap in the sales I already have the licences so I may as well use them.

That said; A few years ago, (due to the actions of Russia in Ukraine and the reported links between Kaspersky and Russia), I bought Norton 360 instead but Norton was rubbish.

https://forums.thinkbroadband.com/security/f/4733444...

Worst than that Norton destroyed the Windows 10 Operating System Restore Points when it was installed so I could not revert the PC back to where it was before Norton was installed and I had to carry out a clean install of the Windows 10 Operating System after Norton was removed to get the PC working properly again.

Using the Kaspersky removal tool at least Kaspersky can be removed without causing PC issues.

I already had a few years of Kaspersky Premium 10 devices that I had bought in the sales and I still have another 12 months left so I will keep using Kaspersky for the next 12 months.

I considered Bitdefender but that is from Romania which is probably as bad as Russia.

My only beef with Kaspersky is regarding the actions of Russia in Ukraine but since I still have licences bought years ago so I and not buying new licenses and putting new money into their accounts.