VoIP Threat Taxonomy

Chapter Description

This chapter categorizes the main threats against VoIP service (threats against availability, confidentiality, integrity, and social context) and explains their impact and possible methods of protection.

From the Book

Voice over IP Security

Voice over IP Security


Threats Against Confidentiality

Another category of VoIP threat is the threat against confidentiality.

Unlike the service interruptions in the previous section, threats against confidentiality do not impact current communications generally, but provide an unauthorized means of capturing media, identities, patterns, and credentials that are used for subsequent unauthorized connections or other deceptive practices.

VoIP transactions are mostly exposed to the confidentiality threat because most VoIP service does not provide full confidentiality (both signal and media) end-to-end. In fact, full encryption of message headers is not possible because intermediary servers (for example, SIP proxy server) have to look at the headers to route the call. In some cases, the servers have to insert some information into the header (for example, Via header in SIP) as the protocol is designed.

This section introduces the most popular types of confidentiality threats: eavesdropping media, call pattern tracking, data mining, and reconstruction.

Eavesdropping Media

Eavesdropping on someone's conversation has been a popular threat since telecommunication service started a long time ago, even though the methods of eavesdropping are different between legacy phone systems and VoIP systems.

In VoIP, an attacker uses two methods typically. One is sniffing media packets in the same broadcasting domain as a target user's, or on the same path as the media. The other is compromising an access device (for example, Layer 2 switch) and forwarding (duplicating) the target media to an attacker's device.

The media can be voice-only or integrated with video, text, fax, or image. Figure 2-6 illustrates these cases.

Figure 2-6

Figure 2-6 Eavesdropping Media

In Figure 2-6, the attacker's device that is in the same broadcasting domain as the IP phone of User A can capture all signals and media through the hub. This figure also shows the possibility that the attacker intrudes in a switch or router, and configures a monitoring port for voice VLAN, and forwards (duplicates) the media to the attacker's capturing device.

Another possible way of eavesdropping media is that an attacker taps the same path as the media itself, which is similar to legacy tapping technique on PSTN. For example, the attacker has access to the T1 itself and physically splits the T1 into two signals.

Although this technique is targeting media, the next method (call pattern tracking) is targeting signal information.

Call Pattern Tracking

Call pattern tracking is the unauthorized analysis of VoIP traffic from or to any specific nodes or network so that an attacker may find a potential target device, access information (IP/port), protocol, or vulnerability of network. It could also be useful for traffic analysis—knowing who called who, and when. For example, knowing that a company's CEO and CFO have been calling the CEO and CFO of another company could indicate that an acquisition is under way. For another example, knowing that a CEO called her stockbroker immediately after meeting with someone with insider stock knowledge is useful. That is, this is useful for learning about people and information.

To show an example of unauthorized analysis, sample messages that an attacker may capture in the middle of a network are illustrated in Example 2-2. It shows simple SIP request (INVITE) and response (200 OK) messages, but an attacker can extract a great deal of information from them by analyzing the protocol (key fields are highlighted).

Example 2-2. Exposed Information from SIP Messages

INVITE sip:9252226543@ SIP/2.0
Via: SIP/2.0/UDP;branch=z9hG4bK00002000005
From: Alice <sip:4085251111@>;tag=2345
To: Bob <sip:9252226543@>
Call-Id: 9252226543-0001
Contact: <sip:4085251111@>
Expires: 1200
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 143

Session Description Protocol Version (v): = 0
Owner/Creator, Session Id (o): 2 2 2 IN IP4
Session Name (s): Session SDP
Connection Information (c): IN IP4
Media Description, name and address (m): audio 9876 RTP/AVP 0 8 18
Media Attribute (a): rtpmap:0 PCMU/8000
Media Attribute (a): rtpmap:8 PCMA/8000
Media Attribute (a): rtpmap:18 G729a/8000

SIP/2.0 200 OK
Via: SIP/2.0/UDP;branch=z9hG4bK00002000005
From: Alice <sip:4085251111@>;tag=2345
To: Bob <sip:9252226543@>;tag=4567
Call-Id: 9252226543-0001
Contact: <sip:9252226543@>
Content-Type: application/sdp
Content-Length: 131

Session Description Protocol Version (v): = 0
Owner/Creator, Session Id (o): 2 2 2 IN IP4
Session Name (s): Session SDP
Connection Information (c): IN IP4
Media Description, name and address (m): audio 20000 RTP/AVP 18
Media Attribute (a): rtpmap:18 G729a/8000

The following list shows sample information that the attacker may extract from Example 2-2:

  • The IP address of the SIP proxy server is, and the listening port is 5060.
  • They use User Datagram Protocol (UDP) packets for signaling without any encryption, such as Transport Layer Security (TLS) or Secure Multipurpose Internet Mail Extension (S/MIME).
  • The proxy server does not require authentication for a call request.
  • The caller (Alice), who has a phone number 4085251111, makes a call to Bob at 9252226543.
  • The IP address of Alice's phone is and a media gateway is (supposing that the call goes to PSTN).
  • The media gateway opens a UDP port, 20000, to receive Real-time Transport Protocol (RTP) stream from Alice's phone.
  • The media gateway accepts only G.729a codec (Alice's phone offered G.711a, G.711u, and G.729a initially).

The information just presented can be used for future attacks, such as DoS attack on the proxy server or the media gateway.

Data Mining

Like email spammers who collect email addresses from various sources like web pages or address books, VoIP spammers also collect user information like phone numbers from intercepted messages, which is one example of data mining.

The general meaning of data mining in VoIP is the unauthorized collection of identifiers that could be user name, phone number, password, URL, email address, strings or any other identifiers that represent phones, server nodes, parties, or organizations on the network. In Example 2-2, you can see that kind of information from the messages.

An attacker utilizes the information for subsequent unauthorized connections such as:

  • Toll fraud calls
  • Spam calls (for example, voice, Instant Messaging [IM], presence spam)
  • Service interruptions (for example, call flooding, call hijacking, and call teardown)
  • Phishing (identity fraud; see the section "Threats Against Social Context" for more information)

With valid identities, attackers could have a better chance to interrupt service by sending many different types of malicious messages. Many servers reject all messages, except registration, unless the endpoint is registered.


Reconstruction means any unauthorized reconstruction of voice, video, fax, text, or presence information after capturing the signals or media between parties. The reconstruction includes monitoring, recording, interpretation, recognition, and extraction of any type of communications without the consent of all parties. A few examples are as follows:

  • Decode credentials encrypted by a particular protocol.
  • Extract dual-tone multifrequency (DTMF) tones from recorded conversations.
  • Extract fax images from converged communications (voice and fax).
  • Interpret the mechanism of assigning session keys between parties.

These reconstructions do not affect current communications, but they are utilized for future attacks or other deceptive practices.

In this section so far, you have learned about threats against confidentiality such as eavesdropping media, call pattern tracking, data mining, and reconstruction. The next section covers another type of threats: breaking message and media integrity.

3. Threats Against Integrity | Next Section Previous Section