TelcomIQ

Voice Security

high

VoIP · VoLTE · IMS · Interception

Voice has traversed two distinct security eras. Circuit-switched voice — 2G and 3G — carried calls over dedicated signalling paths with encryption that was weak by design and disabled in some jurisdictions. IP-based voice — VoLTE and IMS — introduced SIP's vast attack surface and made voice indistinguishable from generic internet traffic in the core. Both generations co-exist in live networks today, creating a threat landscape that requires defending across multiple protocol stacks simultaneously. The economics of voice fraud (International Revenue Share Fraud alone costs the industry billions annually) ensure that this attack surface remains actively targeted.

Threat vectors

International Revenue Share Fraud (IRSF)

high

Attackers gain access to a VoIP platform — through credential theft, SIP brute force, or PBX compromise — and generate large volumes of calls to premium-rate or international numbers they control or profit from. The terminating operator pays the attacker a revenue share before the fraud is detected, often days later. IRSF is one of the largest fraud categories in telecom by volume, with average attack durations measured in hours and losses measured in tens of thousands of dollars.

Caller ID spoofing for vishing

high

SIP INVITE messages carry the CLI (Calling Line Identification) in the From and P-Asserted-Identity headers. Without strict validation at the originating carrier, any number can be presented. Attackers spoof bank numbers, government agencies, and emergency services to conduct social engineering at scale. The lack of a universal cryptographic CLI authentication standard makes this a persistent, widespread problem.

Lawful intercept infrastructure abuse

critical

Lawful intercept (LI) systems are mandated by law and must allow silent monitoring of calls. These systems are high-value targets: a compromised LI interface gives an attacker legal-grade call recording without traffic interception. Several documented cases (including the 2004–2005 Greek wiretapping scandal) demonstrate that LI infrastructure itself can be exploited, turning a compliance requirement into a surveillance backdoor.

RTP stream interception

high

In deployments where SRTP is not enforced end-to-end, the media stream (RTP) is transmitted in cleartext. Any network element with access to the transport path — a compromised router, a malicious employee at a transit carrier, or a positioned attacker — can capture and reconstruct voice calls. This is particularly relevant on SIP trunks between enterprises and operators, where SRTP negotiation is often omitted for compatibility reasons.

SIP infrastructure exploitation

high

IMS core elements (P-CSCF, S-CSCF, I-CSCF) expose SIP stacks that are subject to well-known vulnerabilities: SIP REGISTER flooding, malformed header injection, authentication bypass via expired nonces, and registration hijacking. SIP's verbosity and flexibility make it difficult to defend with simple firewalls, and many operator deployments lag several years behind in patch cycles.

Impact

  01. Direct financial loss from IRSF and PBX fraud — enterprises and operators lose billions annually, with individual incidents routinely exceeding $100,000 before detection.

  02. Privacy violations from call interception — compromised LI systems or unencrypted RTP flows expose confidential business communications, legal consultations, and personal conversations.

  03. Erosion of user trust through vishing — spoofed caller ID attacks have caused measurable consumer harm and prompted regulatory intervention in multiple countries.

  04. Regulatory penalties — operators that fail to protect LI infrastructure, enforce SRTP, or prevent CLI spoofing face growing regulatory exposure under telecom and privacy frameworks.

Mitigations & solutions

Enforce SRTP for all media paths

Require SRTP negotiation on all SIP trunks and IMS interfaces. Reject or flag calls where SRTP is not offered. Audit existing interconnects for cleartext RTP and establish remediation timelines with peering partners.
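One way to run the interconnect audit described above is to classify the media profile of every SDP offer seen on a trunk. The following is an added example, not code from the original page; the function names, verdict strings and sample offers are assumptions constructed for illustration.

```python
# Added example (not from the original page): audit SDP offers for cleartext RTP.
def _verdict(proto, attrs):
    if proto in ("UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"):
        return "dtls-srtp" if "fingerprint" in attrs else "reject: no a=fingerprint"
    if proto in ("RTP/SAVP", "RTP/SAVPF"):
        return "sdes-srtp" if "crypto" in attrs else "reject: no a=crypto"
    if proto in ("RTP/AVP", "RTP/AVPF"):
        # a=crypto under RTP/AVP is best-effort SRTP; the answer may still be cleartext.
        return "flag: opportunistic SRTP" if "crypto" in attrs else "reject: cleartext RTP"
    return "reject: unknown profile"

def audit_sdp(sdp):
    """Return (port, proto, verdict) for each active audio stream in an SDP body."""
    session_attrs, streams = set(), []
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            try:
                media, port, proto = line[2:].split()[:3]
                port = int(port.split("/")[0])
            except ValueError:  # malformed m= line: keep it so the call is rejected
                media, port, proto = "audio", -1, "malformed"
            # Session-level attributes (before the first m=) apply to every stream.
            streams.append({"media": media, "port": port, "proto": proto.upper(),
                            "attrs": set(session_attrs)})
        elif line.startswith("a="):
            name = line[2:].split(":", 1)[0].lower()
            (streams[-1]["attrs"] if streams else session_attrs).add(name)
    # Port 0 marks a disabled stream, so it carries no media to protect.
    return [(s["port"], s["proto"], _verdict(s["proto"], s["attrs"]))
            for s in streams if s["media"] == "audio" and s["port"] != 0]

def call_allowed(sdp):
    """Policy: every active audio stream must negotiate SRTP."""
    results = audit_sdp(sdp)
    return bool(results) and all(v in ("dtls-srtp", "sdes-srtp") for _, _, v in results)

# Constructed sample offers (addresses, ports and key material are placeholders).
CLEARTEXT = "v=0\nc=IN IP4 192.0.2.10\nm=audio 49170 RTP/AVP 0 8\na=rtpmap:0 PCMU/8000\n"
SDES = ("v=0\nc=IN IP4 192.0.2.10\nm=audio 49172 RTP/SAVP 0\n"
        "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY\n")
DTLS = ("v=0\nc=IN IP4 192.0.2.10\nt=0 0\na=fingerprint:sha-256 PLACEHOLDER\n"
        "m=audio 49174 UDP/TLS/RTP/SAVP 0\na=setup:actpass\n")

if __name__ == "__main__":
    for name, offer in (("cleartext", CLEARTEXT), ("sdes", SDES), ("dtls", DTLS)):
        print(name, audit_sdp(offer), call_allowed(offer))
```

With SDES the SRTP key travels inside the SDP itself, so an "sdes-srtp" verdict only protects the media if the SIP signalling on that trunk is carried over TLS.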

Deploy STIR/SHAKEN for CLI authentication

STIR (Secure Telephony Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) cryptographically attest CLI at the originating carrier. Implement STIR/SHAKEN signing for originated calls and validate attestation headers on received calls, downgrading or blocking unattested calls.
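The claim checks a terminating carrier applies to a received SHAKEN Identity header can be sketched as follows. This is an added example, not code from the original page: the function names, the accept/downgrade/block policy, the 60-second freshness window and all sample values are assumptions, and verification of the ES256 signature against the x5u certificate is assumed to be done separately by a JOSE library.

```python
import base64, json

def _decode(part):
    # JWT/PASSporT segments are base64url without padding.
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def _digits(tn):
    # Compare telephone numbers on digits only ("+1 202 ..." equals "1202...").
    return "".join(c for c in tn if c.isdigit())

def check_identity(identity, from_tn, to_tn, now, max_age=60):
    """Claim checks on a SHAKEN Identity header value; returns (action, reason).
    Assumes the signature was already verified against the x5u certificate."""
    if not identity:
        return ("downgrade", "unattested: no Identity header")
    try:
        head, body, _sig = identity.split(";", 1)[0].strip().split(".")
        header, claims = _decode(head), _decode(body)
        alg, ppt = header["alg"], header["ppt"]
        orig = _digits(claims["orig"]["tn"])
        dest = [_digits(t) for t in claims["dest"]["tn"]]
        age = abs(now - claims["iat"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return ("block", "malformed PASSporT")
    if alg != "ES256" or ppt != "shaken":
        return ("block", "unexpected alg or ppt")
    if age > max_age:   # a stale token may be a replay of an earlier call
        return ("block", "iat outside freshness window")
    if orig != _digits(from_tn) or _digits(to_tn) not in dest:
        return ("block", "orig/dest does not match the SIP request")
    if claims.get("attest") == "A":
        return ("accept", "full attestation")
    return ("downgrade", "attestation " + str(claims.get("attest")))

def sample_identity(attest, iat):
    # Constructed sample; the third segment is a placeholder, not a real signature.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.net/sti.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12025550188"]}, "iat": iat,
              "orig": {"tn": "12025550123"},
              "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{enc(header)}.{enc(claims)}.c2ln;info=<{header['x5u']}>;alg=ES256;ppt=shaken"
```

The orig/dest comparison is what ties a valid signature to this particular call: a token lifted from another call fails it even though its signature still verifies.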

Harden IMS/SIP infrastructure

Apply rate limiting on SIP REGISTER and INVITE at the P-CSCF. Deploy a Session Border Controller (SBC) with anomaly detection at all SIP peering points. Regularly audit SIP stacks for known CVEs and enforce patch timelines.

Implement real-time fraud detection for IRSF

Monitor call destination patterns, duration distributions, and per-account call volumes in real time. Short-duration calls to high-risk number ranges (specific country codes and number blocks associated with IRSF) are a strong signal. Integrate with GSMA's IMSI/MSISDN fraud databases.
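The signal described above, a per-account burst of short calls to high-risk ranges, can be detected with a sliding window over call detail records. This is an added example, not code from the original page; the prefixes, thresholds, record layout and sample CDRs are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All thresholds and prefixes below are assumptions for illustration.
HIGH_RISK_PREFIXES = ("+99901", "+99977")   # constructed placeholders, not real ranges
WINDOW = timedelta(minutes=10)
MIN_CALLS = 5            # risky calls per account inside WINDOW
SHORT_SECONDS = 30       # "short-duration" cut-off
SHORT_RATIO = 0.6        # share of short calls that makes the burst suspicious

def detect_irsf(cdrs):
    """cdrs: (iso_start, account, dialled, duration_s) tuples. One alert per account."""
    recent = defaultdict(deque)   # account -> risky calls still inside the window
    alerted, alerts = set(), []
    for start, account, dialled, duration in sorted(cdrs):
        if account in alerted or not dialled.startswith(HIGH_RISK_PREFIXES):
            continue
        ts = datetime.fromisoformat(start)
        calls = recent[account]
        calls.append((ts, duration))
        while ts - calls[0][0] > WINDOW:      # expire calls older than the window
            calls.popleft()
        short = sum(1 for _, d in calls if d <= SHORT_SECONDS)
        if len(calls) >= MIN_CALLS and short / len(calls) >= SHORT_RATIO:
            alerted.add(account)
            alerts.append({"account": account, "at": start,
                           "calls": len(calls), "short": short})
    return alerts

# Constructed CDRs: one account bursting short calls to a risky range, one normal user.
SAMPLE_CDRS = [(f"2024-05-01T02:0{i}:00", "pbx-17", f"+9990155500{i}", 12)
               for i in range(6)] + [
    ("2024-05-01T02:03:30", "user-2", "+99977123456", 600),
    ("2024-05-01T02:04:10", "user-2", "+12025550100", 45),
]

if __name__ == "__main__":
    for alert in detect_irsf(SAMPLE_CDRS):
        print(alert)
```

In the sample the alert fires on the fifth call, four minutes into the burst, which is the point at which an operator could suspend the account instead of finding the fraud on the next invoice.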

Audit and harden lawful intercept systems

Treat LI infrastructure as a critical security system: enforce strict access controls, log all activation and deactivation events, conduct regular integrity audits, and ensure LI interfaces are not reachable from general network segments. Implement two-person authorisation for LI activations.