Two attacks against VoIP
Peter Thermos 2006-04-04

"We are more secure than a regular phone line."

VoIP is here to stay. In fact many incumbent telecommunication carriers have started offering VoIP service for sometime and several new VoIP service providers have emerged. Aside from issues such as quality of service, the aspect of security, or lack thereof, is misunderstood by some of the VoIP service providers.

The purpose of this article is to discuss two of the most well known attacks that can be carried out in current VoIP deployments. The first attack demonstrates the ability to hijack a user's VoIP subscription and subsequent communications. The second attack looks at the ability to eavesdrop on VoIP communications. Although VoIP is implemented using various signaling protocols, this article focuses on attacks associated with SIP (Session Initiation Protocol), an IETF standard (RFC 3261). The two attacks, among others such as DoS, have been discussed in various research papers, but they haven't been acknowledged publicly as active attacks.

Industry experts believe that these attacks will become more apparent with the wider adoption and understanding of VoIP. The next section provides a brief introduction to the SIP protocol which is used to set up and tear down Internet multimedia sessions (including VoIP). The later sections of this article focus on user registration or session hijacking.

Quick introduction to SIP

The Session Initiation Protocol (IETF RFC 3261) is a widely implemented standard used in VoIP communications to set up and tear down phone calls. Figure 1 depicts (at a high level) the SIP messages that are exchanged during a phone conversation. A brief explanation follows.

Figure 1. SIP call setup and tear down.

In step 1, the user's device (called a User Agent in SIP terminology) registers with the domain registrar, which is responsible for maintaining a database of records of all subscribers for the respective domain. User registration in VoIP is necessary because it provides the means to locate and contact a remote party. When Bob wants to contact Alice, he sends an INVITE request to a proxy server. Proxy servers are responsible for routing SIP messages and locating subscribers. When the proxy server receives an INVITE request, it attempts to locate the called party and relay progress to the caller by performing a number of steps, such as DNS lookups and the routing of various SIP messages (provisional and informational). The step that is impacted by registration hijacking, as we will see shortly, is the device registration in step 1 of this figure.

Registration Hijacking

Figure 2 depicts a valid registration message and response from the SIP registrar, which is used to announce a user's point of contact. This indicates that the user's device accepts calls.

Figure 2. REGISTER request and response.

The REGISTER request contains the Contact: header which indicates the IP address of the user's device (for either a VoIP soft or hard phone). When a proxy receives a request to process an incoming call (an INVITE), it will perform a lookup to identify where the respective user can be contacted. In this case, the user with the phone number 201-853-0102 can be reached at IP address 192.168.94.70. The proxy will forward the INVITE request to that IP address. The reader may notice that the advertised port is 5061. This port is reserved for SIPS and in this popular implementation it is actually in violation [ref 1] of RFC 3261.

The following Figure 3 displays a modified version of the REGISTER request that is sent by the attacker.

Figure 3. A modified version of the REGISTER request.

In this request, all the message headers and parameters remain the same except for the parameters in the Contact header. The information that has been changed in the Contact header is the IP address (192.168.1.3) which points to the attacker's device. The REGISTER request is sent to the SIP Registrar at 192.168.1.2. The tool that was used to generate this request is SiVuS [ref 2] which is demonstrated below in Figure 4.

Figure 4. SIP registration spoofing using the SiVuS message generator.

The hijacking attack works as follows:

  1. Disable the legitimate user's registration. This can be done by:
    • performing a DoS attack against the user's device
    • deregistering the user (another attack which is not covered here)
    • generating a registration race condition in which the attacker repeatedly sends REGISTER requests in a short timeframe (such as every 15 seconds) in order to override the legitimate user's registration request.
  2. Send a REGISTER request with the attacker's IP address instead of the legitimate user's.

The following Figure 5 demonstrates the attack approach.

Figure 5. Overview of a registration hijack.

This attack is possible for the following reasons:

  1. The signaling messages are sent in the clear, which allows an attacker to collect, modify and replay them at will.
  2. Current implementations of SIP signaling do not protect the integrity of the message contents, so modification and replay attacks are not detected.
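From a defender's side, the two weaknesses above mean that a registrar or a passive monitor sitting in front of it has to notice a hijack from the REGISTER traffic itself. The following Python script is an added example, not code from the article or from SiVuS: it parses REGISTER requests like the ones in Figures 2 and 3, tracks the Contact binding per address of record, and raises alerts for the patterns the attack produces: a Contact host that changes between registrations, REGISTER requests arriving far faster than the registration lifetime (the race-condition step above), a Contact host that does not match the packet's source address, and a Contact advertising port 5061, which the text notes is reserved for SIPS. The phone number and the three IP addresses are taken from the article; every other header value, the 60-second threshold and the alert names are assumptions made for the example.

```python
import re

# Constructed sample traffic. Only the phone number 201-853-0102 and the
# addresses 192.168.94.70 (legitimate phone), 192.168.1.2 (registrar) and
# 192.168.1.3 (attacker) come from the article; tags, Expires values and
# timings are illustrative assumptions, not captures from the figures.
def _register(user_host, contact_host, port, tag):
    return ("REGISTER sip:192.168.1.2 SIP/2.0\r\n"
            "To: <sip:201-853-0102@192.168.1.2>\r\n"
            f"From: <sip:201-853-0102@192.168.1.2>;tag={tag}\r\n"
            f"Contact: <sip:201-853-0102@{contact_host}:{port}>\r\n"
            "Expires: 3600\r\n\r\n")

SAMPLE_TRAFFIC = [
    # (source IP of the packet, arrival time in seconds, raw SIP request)
    ("192.168.94.70",    0.0, _register("192.168.1.2", "192.168.94.70", 5061, "a1")),
    ("192.168.94.70", 3600.0, _register("192.168.1.2", "192.168.94.70", 5061, "a2")),
    # attacker re-registers the same number at its own address, 15 s later
    ("192.168.1.3",   3615.0, _register("192.168.1.2", "192.168.1.3", 5060, "b1")),
    ("192.168.1.3",   3630.0, _register("192.168.1.2", "192.168.1.3", 5060, "b2")),
    # a REGISTER whose Contact points at a host other than the sender
    ("192.168.1.9",   7300.0, _register("192.168.1.2", "192.168.1.3", 5060, "c1")),
]

URI_HOST_RE = re.compile(r"sips?:(?:[^@>;]+@)?([A-Za-z0-9.\-]+)(?::(\d+))?")


def parse_request(raw):
    """Split a SIP request into (method, {lowercased header name: value})."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line:            # the empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def address_of_record(to_header):
    """'<sip:user@host>;tag=x' -> 'user@host', the subscriber being registered."""
    m = re.search(r"sips?:([^>;]+)", to_header)
    return m.group(1) if m else to_header


class RegistrationMonitor:
    """Tracks Contact bindings per address of record and flags hijack patterns."""

    def __init__(self, min_interval=60.0):
        self.bindings = {}      # AOR -> (contact host, contact port, source IP)
        self.last_seen = {}     # AOR -> arrival time of the previous REGISTER
        self.min_interval = min_interval  # assumed threshold for "too frequent"

    def observe(self, src_ip, t, raw):
        """Return the list of alert codes raised by one observed request."""
        method, hdr = parse_request(raw)
        if method != "REGISTER":
            return []
        aor = address_of_record(hdr.get("to", ""))
        m = URI_HOST_RE.search(hdr.get("contact", ""))
        if not m:
            return ["CONTACT_UNPARSEABLE"]
        host, port = m.group(1), int(m.group(2) or 5060)
        alerts = []
        # A Contact that does not point back at the sender is suspicious on its own.
        if host != src_ip:
            alerts.append("CONTACT_SRC_MISMATCH")
        # Port 5061 is reserved for SIPS; advertising it in a plain sip: URI
        # violates RFC 3261, as the article notes about this implementation.
        if port == 5061:
            alerts.append("SIPS_PORT")
        prev = self.bindings.get(aor)
        if prev is not None and prev[0] != host:
            alerts.append("BINDING_CHANGED")   # the hijack itself
        last = self.last_seen.get(aor)
        if last is not None and t - last < self.min_interval:
            alerts.append("RAPID_REREGISTER")  # the race-condition pattern
        self.bindings[aor] = (host, port, src_ip)
        self.last_seen[aor] = t
        return alerts


def run_monitor(traffic):
    """Feed packets to a fresh monitor; return one alert list per packet."""
    mon = RegistrationMonitor()
    return [mon.observe(src, t, raw) for src, t, raw in traffic]


if __name__ == "__main__":
    for (src, t, _), alerts in zip(SAMPLE_TRAFFIC, run_monitor(SAMPLE_TRAFFIC)):
        print(f"t={t:7.1f} from {src:14s} -> {alerts or 'ok'}")
```

Run as a script, the sample shows the legitimate phone re-registering once an hour (only the SIPS-port note fires), the attacker's REGISTER 15 seconds later tripping both the binding change and the rapid re-registration check, and the final packet caught by the source/Contact mismatch. In a real deployment the binding-change check would be relaxed for subscribers known to roam, and the interval threshold tied to the Expires value the registrar actually grants.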

Article continued on Page 2 



Copyright 2005, SecurityFocus