More Secure Wireless Telephony with VoIP over Wi-Fi

In this post, I will explain why you should start to phase out DECT and how you can do this with VoIP (Voice over IP, also known as Internet telephony) over Wi-Fi. This guide allows you to attach several wireless devices to your landline and it permits calls among all telephones in your household. Moreover, the guide provides encrypted wireless communication, it uses off-the-shelf consumer products, and works worldwide. On the downside, the voice quality may be worse unless your router supports WMM (Wireless Multimedia Extensions) and you may need a WLAN repeater because DECT tends to have higher range than WLAN. (Surprisingly, the electronics markets in my vicinity offer dual-band WLAN repeaters with 600 MBit/s transfer rate fitting into a wall socket costing no more than the cheapest DECT repeater.) If so desired, you can continue to use your existing DECT phones but communication with these devices is not guaranteed to be encrypted.

You can follow this guide if

  • you have an account with an Internet telephony provider,
  • your Internet router is a Wi-Fi hotspot,
  • the Internet router manages your landline,
  • the Internet router allows wireless VoIP telephony using SIP, and
  • you have a mobile device with Wi-Fi as well as Android, iOS, or Windows.

Why get rid of DECT?

If you have a wireless landline telephone at home, then the mobile handset probably uses DECT (Digital Enhanced Cordless Operations) to communicate with its base station. Or not. Contrary to what I would hope for in a communications standard, implementing DECT does not guarantee interoperability between different devices. Basic interoperability is only ensured if the DECT devices implement GAP (Generic Access Profile), which allows you to make and receive calls, but you cannot access the answering machine or the phone book if the mobile handset and the base station are from different manufacturers. Furthermore, there are severe security problems:

  • encryption is not mandatory,
  • most manufacturers do not publish if their devices support encryption or not,
  • the encryption standard for DECT (DECT Standard Cipher, DSC) is not publicly available, and
  • DSC was broken anyway.

Let me clarify the last statement because there are different definitions of a "broken cipher": DSC is so weak that there are tutorials on the Internet explaining how you can listen to your neighbor's phone calls (paper, tutorial; this is probably illegal where you are). In 2012, a new encryption standard based on the popular and secure cipher AES was published. Rest assured, your DECT phone does not implement it yet: most manufacturers do not disclose if they encrypt calls, and after three years the new encryption standard is still not part of GAP.

In conclusion, the inability to access basic telephony services like an answering machine without risking customer lock-in and the simplicity with which calls can be wiretapped make me want to replace DECT in my household.

VoIP over Wi-Fi with SIP

The underlying idea of this guide is to connect a mobile device over Wi-Fi to the Internet router and register the mobile device as a telephone device afterwards. This requires that you have Internet telephony and that your Internet router supports wireless VoIP phones using the Session Initiation Protocol (SIP).

First, we will connect your mobile device to your Internet router over Wi-Fi, so ensure DHCP and Wi-Fi are enabled. Since we want to communicate securely, use WPA2-PSK with CCMP as Wi-Fi encryption and pick a long WPA2 key; you won't need to remember or type it again. To connect the mobile device to the Internet router, use one of the WPS methods available on both the Internet router and your mobile device (WPS PIN or WPS push button). As soon as your mobile device is connected to your WLAN, check that you connected the mobile device to your WLAN by comparing the network names (SSID). Disable WPS for security reasons afterwards.

Next, install a SIP client on your mobile device. If you have an Android smartphone, there is a built-in SIP client since Android 2.3 (Gingerbread). Otherwise you can find many SIP clients in the Google Play Store, the Apple App Store, or the Windows Store, respectively. Note that you do not need a full-fledged phone; you need a device with a microphone and loudspeakers.

Third, register your mobile device on your Internet router as a telephone device. If your router uses SIP to communicate with the VoIP provider, then the router should list a username, a password, and a URL for a "server" or "registrar". Start the SIP client on your mobile device and fill in the credentials shown by the router.

Your mobile device should be able to make and receive landline telephone calls now. As a small bonus, my mobile device shows if there are new voice messages on the answering machine integrated into the Internet router.

If your VoIP provider exposes the addresses of its VoIP servers, you can directly connect to these servers after establishing WLAN connectivity (so-called Wi-Fi calling).

Extending the Range of your Wi-Fi Network

Compared to DECT, Wi-Fi networks often have a shorter range and thus it may be necessary to enhance the range of your WLAN. To this end, you can use WLAN repeaters or a spare router. I will compactly present the latter option now based on the detailed instructions found at pcadvisor.co.uk.

Before extending the range of your home WLAN, reset the spare router and update its firmware. Also, check if the spare router supports the same encryption method as the Internet router (WPA2-PSK with CCMP); if it doesn't, then you cannot use it to extend the range of your WLAN. Moreover, I assume your router shows the WPA2 key in clear if desired.

Open the web interface of the Internet router and take a look at the Wi-Fi settings; remember the network name (SSID), the password (copy this to the clipboard), and the radio channel currently in use. Now open the web interface of your spare router; enable Wi-Fi using the network name (SSID) written down earlier. Also disable DHCP, disable WPS, enable Wi-Fi encryption (WPA2-PSK with CCMP), and paste the WPA2 key from the clipboard. In order to allow an uninterrupted transition between the two Wi-Fi hotspots, you need to ensure that the spare router and the Internet router communicate over different channels, so compare these values and adjust the spare router settings if necessary. Lastly, remove the WPA2 key from your clipboard. Now there should be no interruptions during landline calls if there is a transition from one Wi-Fi hotspot to the other.
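
A way to check the result from a Linux laptop, as an added example that is not part of the original post: the script parses scan output and flags hotspots that deviate from the settings chosen here and in the first step of the SIP setup (WPA2-PSK with CCMP, WPS disabled, different channels). The scan text is a constructed sample modelled on the layout of `iw dev wlan0 scan`; treating a WPS element in the beacon as "WPS enabled" is an assumption.

```python
import re

# Constructed sample, modelled on the layout of `iw dev wlan0 scan` output.
SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
    freq: 2412
    SSID: HomeNet
    RSN:     * Version: 1
             * Pairwise ciphers: CCMP
             * Authentication suites: PSK
BSS 02:00:00:00:00:02(on wlan0)
    freq: 2412
    SSID: HomeNet
    RSN:     * Version: 1
             * Pairwise ciphers: CCMP TKIP
             * Authentication suites: PSK
    WPS:     * Version: 1.0
"""
WANT = {"Pairwise ciphers": {"CCMP"}, "Authentication suites": {"PSK"}}

def parse_scan(text):
    aps, section = [], None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"BSS ([0-9a-f:]{17})", line):
            aps.append({"bssid": m[1], "ies": set(), "rsn": {}})
            section = None
        elif aps:
            if m := re.match(r"(RSN|WPA|WPS):\s*(.*)", line):
                section, line = m[1], m[2]   # header shares a line with its first bullet
                aps[-1]["ies"].add(section)
            elif not line.startswith("*"):
                section = None               # back to top-level fields
            key, _, value = line.lstrip("* ").partition(":")
            if section == "RSN":
                aps[-1]["rsn"][key] = set(value.split())
            elif section is None:
                aps[-1][key] = value.strip()
    return aps

def audit(aps, ssid):
    mine, findings = [ap for ap in aps if ap.get("SSID") == ssid], []
    for ap in mine:
        if "WPA" in ap["ies"] or any(ap["rsn"].get(k) != v for k, v in WANT.items()):
            findings.append((ap["bssid"], "not WPA2-PSK with CCMP only"))
        if "WPS" in ap["ies"]:               # assumption: IE present means WPS is on
            findings.append((ap["bssid"], "WPS is still advertised"))
    if len({ap.get("freq") for ap in mine}) < len(mine):
        findings.append((ssid, "hotspots share a channel"))
    return findings
```

On the sample, `audit(parse_scan(SCAN), "HomeNet")` reports the second hotspot for its TKIP fallback and its WPS element, plus the shared channel.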

Remarks on Security

Most routers allow disabling the SSID beacon, but this does not enhance security because some Wi-Fi clients will continuously broadcast the network name in a vain attempt to connect to your home WLAN, thereby announcing the existence of your "hidden" wireless network to the world. Moreover, disabling the SSID broadcast is not part of the IEEE 802.11 standard and some devices do not automatically connect to such WLANs, e.g., Android devices.

Note that your data is only guaranteed to be encrypted between your Wi-Fi hotspots and the mobile devices connected to them over WLAN. If you are interested in end-to-end encryption, you should use a softphone with built-in encryption or VoIP over VPN (virtual private network).

Why does it work?

IEEE 802.11 is a standard for wireless LANs commonly found under the trademark name Wi-Fi. The standard provides secure communication and it is freely available for personal use from the IEEE website. The Wi-Fi label ensures standards compliance, interoperability, and backwards compatibility of all certified devices. Most importantly, Wi-Fi is at least as ubiquitous as DECT and all smartphones and tablets I am aware of feature Wi-Fi.

The Session Initiation Protocol (SIP) is a communication protocol for multimedia communication including VoIP. The most recent version SIP 2.0 is standardized as RFC 3261. SIP itself does not transport media data, instead it relies on a host of other protocols. SIP worked for me out of the box so I did not delve into the intrinsics of the underlying media protocols and codecs.