[Update March 8: It seems this service is no longer working, starting yesterday evening. sigh. I was hoping to see the security bugs patched up, not for the service to be pulled down again like it was in early 2009. Please, Google Voice people, throw us a bone here and let us know what's really going on for once!]
[Update 2, March 8: Some folks such as Dan York can still use the SIP-to-GV calling feature as of this writing. I'm jealous. <grin>]
[Update, March 15: Aaaaaaand, we're back. It appears that most, if not all, GV numbers are accepting SIP calls again as noted below.]
[Update, March 16: And it's down again. I think the number of blogs covering this quiet feature of GV, and the quickness with which the up/down reports are coming in, demonstrates that there are a lot of users interested in GV integration with SIP. At this time, I would guess that this inbound calling feature will eventually become official, but the "when" is anyone's guess.]
On the heels of my frustration-induced post from yesterday about Gizmo5's demise (also covered by Engadget), I did some digging this morning and made a few discoveries.
I should have known better than to come to snap judgment. Granted, Google's communication of Gizmo5's shutdown was badly phrased — implying Gmail-only (or Gmail-compatible, i.e., libjingle) access to be the only future path — it seems there is more to come on the SIP interoperability front.
While today's discovery does not indicate official support for any SIP services yet, and doesn't address all of the points in my previous post, it hints at future SIP-compliant support. One front where Google needs serious improvement: communicating useful hints about upcoming, unreleased features to keep the tech-savvy folks interested when an in-use product is being shut down.
Over at Engadget, commenter mscdex reminded me of a hostname I had heard about late last year: sip.voice.google.com. When I first heard about it, I played with it for a while, and like other users (see post by xkashmirix), could not get it to do anything at all. This morning, something different happened. I first considered holding off on posting about this because it contains a bad security hole that was discovered when this functionality was unintentionally exposed in early 2009. But, no one else has mentioned it recently, so it's time to get the hole fixed for good.
Curious to try out sip.voice.google.com again, this morning I fired up Linphone. I tried registering with sip.voice.google.com using a couple dozen different forms of SIP address and my password (as well as an application-specific password with another Google Voice account secured by 2-step auth); none succeeded. I let that go for now, and thought that perhaps it would be possible to call into my Google Voice account via SIP. So, I switched Linphone to my Gizmo5 account, and assuming that "NPA" is my area code and "NXXXXXX" my 7-digit number, I tried combinations that I had attempted back in December without success:
sip:NPANXXXXXX@sip.voice.google.com ... error.
sip:1NPANXXXXXX@sip.voice.google.com ... error.
sip:+1NPANXXXXXX@sip.voice.google.com ... and my cell phone rang.
I was excited and answered the phone. Audio went through in both directions. It worked! So, I thought, I called from a Gizmo5 account linked to my Google Voice account; maybe that's why it worked. I tried calling my partner's Google Voice number, and... his cell phone rang.
Sure that this was because I was calling from Gizmo5, and not because this was generally available to the public, I set up a forwarding account with a free PSTN-to-VoIP gateway service very familiar to technical VoIP users. I called it from my cell phone. My Google Voice voicemail answered with the custom greeting I created for calls from my cell phone.
Not only did the call go through, but it also correctly passed Caller ID. Hm, maybe this is intended to be a publicly available service soon? I pressed star (*) during the voicemail greeting, and my heart sank. I was asked for my (4-digit) PIN.
The problem here is obvious to anyone knowledgeable about VoIP: a four-digit PIN does not take long to hack by machine, since redialing can be a very fast operation. It could be that some safeguards are in place that prevent machine hacks of the PIN (I'd have to try the hack to know for sure), but I've always felt a bit uneasy about only 4 digits guarding my voicemail and dial-out credit. Hope as I might, Google Voice has yet to release the ability to use more digits for a PIN, or even a setting to disallow telephone-based access to at least dial-out.
This also indicates that the previous issue noted at Voxzilla remains, meaning that all Google Voice users should immediately set all their forwarding phones' "Direct access to voicemail" option to NO (you know, for those of you who haven't already, after hearing about similar voicemail hacks used against, or even by celebrities). Doubly unfortunately, this setting is hidden by "Show advanced settings" in the forwarding phone setup, and last I checked, it still defaults to "Yes" for newly added mobile phones.
To sum it up: The good news is, you can now call Google Voice numbers directly from SIP using the pattern +1NPANXXXXXX@sip.voice.google.com. This is a major step forward. The bad news is, it makes known security hacks easier.
The three questions I raised in my previous post are still up in the air. While my specific desire (a SIP account as a forwarding phone) is known not to be working, it's possible that a standard SIP client could connect to sip.voice.google.com — if someone happens to figure out how to login to that [cough]ed thing.
Happy calling!
