Security Issues in VOIP
Practical VOIP (IK2554)
Waqas Daar (email@example.com)
KTH, Royal Institute of Technology
Voice over IP is a technology that is used to transmitt voice
from Packet switched network to Circuit swtiched network and
VOIP popularity is growing day by day.
• Cost Reduction
• Offering services like audio video conferencing, Instant
VOIP technology is used to establish and managing
communication sessions for transmission of audio or video over
VOIP signaling protocols are used to setup, tear down calls,
carry information required to locate users, and negotiate
• Session Initiation Protocol (SIP)
H.323 is the ITU-T standard for audio and video transmission
over packet base network. H.323 was initially targeted
multimedia conferencing over LAN.
H.323 is an umbrella protocol, which contains several other
H.323 uses Real Time Protocol (RTP) for media transmission.
H.323 network elemets
• H.323 terminal end points (TE)
• H.323 Gatekeeper (GK)
• H.323 Gateway (GW)
• H.323 Multi Control Unit (MCU)
H.323 network consist of a number of zones and each zone
must contain a H.323 Gatekeeper(GK).
H.323 Call Model
Figure 2 H.323 Call Model 
Session Initiation Protocol (SIP)
SIP is an application layer protocol, which is used to establish,
maintain and terminate multimedia session.
SIP is a text base protocol.
SIP uses Session Description Protocol (SDP) for setting up
parameters for actual media transmission.
RTP is used for actual media transmission.
Two general categories of SIP are
• User Agent (UA)
• SIP User Agent Client
• SIP User Agent Server
• SIP Servers
• Proxy Server
• Redirect Server
• Registrar Server
Denial of Service
VOIP Threats (cont,)
Denial of Service
• Suffers availability of VOIP system.
• In VOIP eavesdropping is a type of an attack, if an attacker able to
eavesdropp a communication. Then he can launch different type of
an attack like Man in the Middle attack etc.
Signaling Layer Attacks
• SIP Registration Hijacking
• Impersonating a Server
• SIP Message Modification
• SIP Cancel / SIP BYE attack
• SIP DOS attack
Media Layer Attacks
• RTP insertion attack
• SSRC collision attacks
Signaling Layer Attacks
SIP Registration attack
• Attacker impersonates a valid UA to a registrar himself as a valid user
agent. so attacker can recieve calls for a legitmate user.
Impersonating a Server
• When an attacker impersonates a remote server and user agent request
are served by the attacker machine.
SIP Message Modification
• If an attacker launches a man in the middle attack and modify a message.
Then attacker could lead the caller to connect to malicious system.
SIP CANCEL / SIP BYE
SIP Denial of Service
• In SIP attacker creates a bogus request that contained a fake IP address
and Via field in the SIP header contains the identity of the target host.
Media Layer Attaks
• If an attacker eavesdropp the conversation and uses one’s peer SSRC to
send RTP packet to other peer, it causes to terminate a session.
Two types of security solutions
• End-toEnd security
• In SIP end points can ensure end-to-end security to those messages
which proxy does not read, like SDP messages could be protected
• Media is transferred directly, so end-to-end security is achieved by
• Hop-by-hop security
• TLS, IPSec.
Authentication means to identify a person.
If we take SIP as signaling protocol in VOIP, it defines two
mechanisim for authentication
• HTTP digest authentication
HTTP Digest Authentication
• HTTP digest mechanisim used between users to proxies, users to
users but not between proxies to proxies.
• S/MIME uses X.509 certificates to authenitcate end users in the
same way that web browsers uses them.
Confidentiality is a term defined to make communication
session private. Confidentiality is achieved by encryption.
Two ways of achieving
• Tranport Layer Security (TLS)
IPSec uses to protect SIP messages at network layer. IPSec
Encapsulation Protocol (ESP) or Authentication Header (AH)
must provide confidentiality on hop-by-hop basis.
TLS provide transport layer security over TCP. Normally SIP
URI is in the form of sip:firstname.lastname@example.org, but if we are using
TLS then SIP URI will be sips:email@example.com and signaling
must be send encrypted.
In VOIP media is send directly between users using RTP.
Encryption of media is achieved by
• Secure RTP (SRTP)
• It provides a framework for encryption and message authentication of RTP
• Cipher Algorithum: AES
• Authenitcation is an optional feature.
• SRTP uses Security Description for Media Streams (SDES) algorithum to
negotiate session keys in SDP.
• Mikkey provides its own authentication and integrity mechanisim.
• Mikkey messages carried in a SDP with a=key-mgmt attritbute.
• ZRTP also describes an extension header for RTP to establish a
session key for SRTP.