VoIP: SIP-over-TLS and sRTP: Zyxel Sphairon

A bit of Germany, a bit of Taiwan. One of the problems of these feature monsters is not only the number of software bugs, lack of expertise in Software Security and Software Usability, but the general lack of Computer Scientists. Not uncommonly, such devices are made by people who moved over from hardware and struggle to cope with current software now. Just an example: I found no way to use the device not as a router but as DHCP/IP client without NAT.

Last tested firmware downgrade to that version to re-enable sRTP
retested in May 2020 with


Password: printed at the bottom of the device
HTTPS: enabled on default
Update: Options → Expert view → System → Firmware Update
Trust Anchors: just Telekom Deutschland is built-in
SIP-URI Host: Telephony → VoIP Provider → New → Account domain
SIP-URI User: Telephony → Call Number → VoIP Numbers → New → Account name
SIP-over-TLS: Telephony → VoIP Provider → Edit → Protocol: TLS
requires firmware; after a firmware update, the device still uses TLS but cannot be changed anymore; new accounts offer UDP or TCP only
SDES-sRTP: Telephony → VoIP Provider → Edit → Call encryption VoSIP
which is RTP/SAVP; requires TLS to be set

Software Bugs

Dialing: on default, adds 00 before each dialed number
can be changed to ‘+’: Telephony → General → International call prefix. However, since firmware, the device requires an area code, why ever.
SHA-2 Digest: does not pick MD5, continues without header Authorization, therefore is not able to register; therefore incompatible with Linphone
Server TLS: when using the SIP B2BUA, only UDP but not TLS is offered
Signaling DiffServ: not CS5 but CS6; this is considered a bug and not just a bad default because no way was found to change this default (useful for the ITA mode, for example)


Bugs: SDES-sRTP key with reduced entropy (keys observed were digits: 0-9, every fifth byte is Null) fixed in Mar. 2019 with firmware
SIP-over-TLS without authentication (for generic accounts)
Cipher Suites include Anonymous fixed in Aug. 2019 with firmware
Responsible Disclosure: try E-mail, alternatively go via Deutsche Telekom CERT
Firmware Update: missing Newsletter
Mitigation: Router-FAQ


Model Range

Power Supply

12 V 3 A, Coaxial: 5.5 mm × 2.1 mm

back to the other phones.