It is an obvious statement, but as the name suggests VoIP applications run on IP Networks. Moving voice telephony services from the dedicated telco-operated networks where they have run more or less reliably for the past 100 years or so to an IP network exposes those services to a completely different set of security threats.

The security threats that face VoIP applications also differ from the generic IP threats that face more traditional Internet applications such as web and email. While the set of generic threats cannot be ignored, VoIP is a real-time service which responds differently to flooding attacks and denial of service threats than less time sensitive applications such as email or even web.

VoIP application requirements and the design of the protocols that drive those applications introduce a new category of security threat; threats directed at the protocols and applications. These include threats that may seriously impact the operation of the VoIP service, such as call disruption, call hijacking and unauthorised wire-tapping.

VoIP services are also potentially vulnerable to content related threats. Content related threats are familiar from the email and web worlds where unwanted messages, inappropriate or offensive and malicious content are all too common. There are some obvious technical differences between the content of a VoIP session or a video conference and an email message or web download. These differences do not make VoIP services immune to content threats but do mean that different security technologies need to be applied to address those threats. As an example, VoIP applications are at least as susceptible to unwanted messages as email systems, but the majority of email spam control technologies are ineffective against VoIP calls.

To summarise, the threats that face VoIP applications fall into 3 categories:

  • Generic IP Network level threats, the set of IP threats that face all IP applications.
  • VoIP protocol and application threats, these threats are specific to the design and implementation of the VoIP service and attacks that can disrupt calls or even lead to the complete loss of service on the VoIP system
  • Content level threats which include unwanted calls, call flooding and sophisticated attacks such as RTP injection attacks. A successful RTP injection replaces one or both sides of an established call with a pre-recorded message. These differences in application design and security threats make VoIP security a specialist subject, demanding specialist analysis tools and a specialist approach to security design.