VoIP Threats

VoIP systems are highly susceptible to outside attacks, according to the SANS Institute's 2006 list of Top-20 Internet Security Attack Targets. The list, released Nov. 16th 2006, is an annual breakdown of the Internet's most attacked targets, and covers everything from operating systems and network devices to security policies. Like any other IP service, applications and services based on SIP and its associated media protocols are vulnerable to attacks and intrusions, including but certainly not limited to:


Denial of Service: A Denial of Service (DoS) attack is designed to disable or disrupt VoIP service delivery. DoS attacks can attempt to crash the VoIP system by sending malformed packets, or to exhaust resources by flooding the service with properly formed packets until it can no longer process legitimate requests. In a SIP environment, DoS attacks can occur at the transport level (e.g. TCP connection - or “SYN” - floods) and/or at the application level (e.g. “REGISTER” or “INVITE” floods). At the application level, DoS attacks can be directed at either the signaling channel (SIP) or the media channel (RTP). Signaling DoS flood attacks bombard the service with call invitation and registration requests, while media DoS flood attacks send large volumes of call data. In either case, without adequate protection, legitimate users will be unable to place calls.

Theft of Service: Theft of services is the legal term for a crime which is committed when a person obtains services without lawfully compensating the provider. In general, today's VoIP networks do not offer as high a level of security as web or email applications and, consequently, they are more vulnerable to theft-of-service attacks and bandwidth-stealing. In short, service theft arises when providers fail to validate the identities of users and domains cryptographically. Bandwidth theft occurs when providers fail to enforce media validation. Media validation ensures that media sessions between SIP user agents are the same as those negotiated during the session set-up. This prevents attacks that exploit the independence of SIP signaling and media channels.


Interception or Eavesdropping: Because most VoIP traffic is transmitted unencrypted, it is susceptible to eavesdropping by unauthorized persons anywhere along the transmission path. An attacker can use common packet sniffers to capture the packets. Once captured, the packets can be converted into wave files and later replayed to obtain sensitive business or personal information. Eavesdropping can provide attackers with the user identities, PINs, and SIP phone numbers required for identity theft.

Spoofing: A spoofing attack is a situation in which one person or program successfully masquerades as another. An example is the man-in-the-middle attack, in which an attacker spoofs Alice into believing he's Bob, and spoofs Bob into believing he's Alice, thus gaining access to all messages.

Call Integrity or Media Injection: Attackers can corrupt conversations by intercepting RTP packets, altering the contents by injecting speech or delay into the call and forwarding the modified packets to the original recipient. Depending on the software used to generate the speech, the attacker can create speech patterns which approximate the sender’s voice.

Viruses: VoIP phones can fall victim to viruses ("Phone Flu") designed to disrupt service by rebooting or clearing the phone’s configuration information. Viruses can also affect VoIP servers since most of them run on common operating systems. VoIP account information can also be compromised by viruses that target call controller back-end databases.
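The media validation described under Theft of Service, sketched as an added example (not code from this page or from Covergence): it derives the negotiated audio endpoints and codecs from a constructed SDP offer/answer and rejects RTP packets that do not match them. It assumes no NAT (media arrives from the advertised address and port) and, as a simplification, treats a changed SSRC as suspect; all function names are hypothetical.

```python
import struct

# Constructed SDP offer and answer; addresses come from documentation ranges.
OFFER = ("v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
         "t=0 0\r\nm=audio 40000 RTP/AVP 0 8\r\n")
ANSWER = ("v=0\r\no=bob 1 1 IN IP4 198.51.100.20\r\ns=-\r\nt=0 0\r\n"
          "m=audio 50000 RTP/AVP 0\r\nc=IN IP4 198.51.100.20\r\n")

def parse_sdp(sdp):
    """Return ((ip, port), payload_types) for the first media section."""
    ip = port = None
    pts, seen_media = set(), False
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]          # media-level c= overrides session-level
        elif line.startswith("m="):
            if seen_media:
                break                     # ignore later media sections
            seen_media = True
            fields = line[2:].split()
            port, pts = int(fields[1]), {int(p) for p in fields[3:]}
    if ip is None or port is None:
        raise ValueError("SDP lacks a connection address or media line")
    return (ip, port), pts

def negotiate(offer, answer):
    """Build the state a border element keeps after session set-up."""
    (o_ep, o_pts), (a_ep, a_pts) = parse_sdp(offer), parse_sdp(answer)
    return {"endpoints": {o_ep, a_ep}, "payload_types": o_pts & a_pts, "ssrc": {}}

def validate_rtp(session, src, dst, packet):
    """Return 'ok' or the reason the packet falls outside the negotiated session."""
    if len(packet) < 12:
        return "truncated"
    b0, b1, _seq, _ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        return "not-rtp-v2"
    if src == dst or not {src, dst} <= session["endpoints"]:
        return "unnegotiated-endpoint"
    if (b1 & 0x7F) not in session["payload_types"]:
        return "unnegotiated-codec"
    if session["ssrc"].setdefault(src, ssrc) != ssrc:
        return "ssrc-mismatch"            # first valid packet latches the SSRC
    return "ok"

def rtp(pt, ssrc, seq=1):
    """Constructed RTP packet: version 2 header plus 160 bytes of dummy payload."""
    return struct.pack("!BBHII", 0x80, pt, seq, 0, ssrc) + b"\x00" * 160
```

Behind NAT the source address usually differs from the SDP value, so a deployed check would compare against the latched remote address instead of the advertised one.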

Covergence Session Manager is purpose-built to secure SIP applications without sacrificing performance or quality of service. Designed for use in both service provider and enterprise environments, Eclipse provides comprehensive protection and a single point of security control, enforcement and monitoring for all SIP-signaled applications.


Covergence Session Manager makes SIP secure.