VoIP Attacks by the Numbers

There are numerous protocols used in voice-over-IP (VoIP) communications. According to IBM Managed Security Services (MSS) data, the most targeted VoIP protocol is Session Initiation Protocol (SIP), which accounted for over 51 percent of the security event activity analyzed in the last 12 months.


SIP is one of the most commonly used application layer protocols in VoIP technology, so it’s not surprising that it’s the most targeted. In fact, we found that there has been an upward trend in attacks targeting the SIP protocol, with the most notable uptick occurring in the second half of 2016.


In actual attacks on VoIP communications, we note various types of disruption. Spikes in July and September were mostly the result of specially crafted SIP messages that were terminated incorrectly. Persistent, invalid messages are known to cause vulnerable servers and equipment to fail. The spike in October 2016 was largely influenced by SIP messages with invalid characters in the SIP “To” field. These could be reflective of suspicious activity, necessitating further investigation.
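A defender can check for both anomalies described above before a message reaches the SIP stack. The following is an added example, not IBM's detection logic or code from the original article; the names `inspect_sip` and `sample`, the constructed messages and the choice of which bytes count as invalid in the To field are assumptions.

```python
import re

# Assumption: bytes treated as invalid in a To value are C0 controls (except HTAB) and DEL.
BAD_TO = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
URI = re.compile(rb"(?i)\b(sips?|tel):[^\s<>]+")

def inspect_sip(raw: bytes) -> list:
    """Return findings for one SIP message exactly as read off the wire."""
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        findings.append("no CRLF CRLF terminator after headers")
    lines = head.split(b"\r\n")
    # A CR or LF that survives the CRLF split is a bare line ending.
    if any(b"\r" in ln or b"\n" in ln for ln in lines):
        findings.append("bare CR or LF used as line ending")
    headers = {}
    for ln in lines[1:]:  # lines[0] is the request or status line
        name, colon, value = ln.partition(b":")
        if colon:
            headers.setdefault(name.strip().lower(), value.strip(b" \t"))
    to = headers.get(b"to", headers.get(b"t"))  # "t" is the compact form
    if to is None:
        findings.append("missing To header")
    else:
        if BAD_TO.search(to):
            findings.append("control character in To header")
        if not URI.search(to):
            findings.append("To header has no sip:, sips: or tel: URI")
    clen = headers.get(b"content-length", headers.get(b"l"))
    if sep and clen is not None and (not clen.isdigit() or int(clen) != len(body)):
        findings.append("Content-Length does not match body")
    return findings

# Constructed sample messages (documentation addresses, not captured traffic).
def sample(to=b"<sip:bob@example.com>", end=b"\r\n\r\n"):
    return (b"OPTIONS sip:bob@example.com SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
            b"From: <sip:alice@example.com>;tag=1928301774\r\n"
            b"To: " + to + b"\r\n"
            b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
            b"CSeq: 1 OPTIONS\r\n"
            b"Content-Length: 0" + end)

if __name__ == "__main__":
    for label, msg in [("well-formed", sample()),
                       ("bad terminator", sample(end=b"\r\n")),
                       ("NUL in To", sample(to=b"<sip:bob\x00@example.com>"))]:
        print(label, "->", inspect_sip(msg) or "clean")
```

Over UDP each datagram is a whole message, so a missing terminator is a finding in its own right; over TCP, run the check only after the stream has been framed, since the rest of the message may still be in flight.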

The second most targeted protocol, Cisco’s proprietary Skinny Client Control Protocol (SCCP), accounted for just over 48 percent of detected security events during the same time period. SCCP is a lightweight, IP-based protocol used for communication between Cisco Unified Communications Manager and Cisco VoIP phones. Unlike attacks targeting SIP, those targeting the SCCP protocol have been declining slightly over the past 12 months.


A large majority of the security events targeting the SCCP protocol — nearly 74 percent — are actually pre-attack probes that enable the perpetrators to examine device capabilities and gather information on potential targets. Finally, the H225 protocol, which is part of the H.323 protocol suite, accounted for less than 1 percent of the activity — barely a blip on the first chart.

According to WhaTech, the global VoIP services market will expand at a 9.7 percent compound annual growth rate (CAGR) between 2014 and 2020. As businesses and consumers adopt VoIP to reduce costs, are they also introducing unforeseen risks?

Nothing to SPIT At

When it comes to unsolicited information, we’ve gotten pretty good at dealing with or reducing email spam in our inbox. But what about spam over internet telephony (SPIT), also known as VoIP spam? These unsolicited, automated phone calls made from internet-provided numbers are just as annoying as junk mail.

Since it is connected to the same pipes as spam, so to speak, VoIP technology has aided the proliferation of robocalls, allowing scammers to make illegal calls from anywhere in the world. These robocalls flood consumers and businesses with marketing calls, surveys and even identity theft scams, also known as vishing.

Unfortunately, stopping these calls is not as easy as flagging unsolicited email. Despite a Federal Communications Commission (FCC) ruling in June 2015 that gave U.S. telecommunication companies permission to provide robocall-blocking technology to consumers, the problem does not seem to be subsiding. In fact, the Federal Trade Commission (FTC) hosted a contest at DEF CON that challenged contestants to create a solution to automatically block and forward robocalls to a research honeypot.

In May 2016, the National Consumer Law Center (NCLC) reported that it expected the FTC to receive more than 3.3 million complaints concerning robocalls in 2016. The FCC provided a list of resources to help consumers stop these annoying or even fraudulent robocalls.

Vish and Chips

Beyond the irritation factor, attackers have found additional ways to capitalize on VoIP technology that pose a higher risk to both consumers and businesses. Because VoIP routes calls through the same paths used by network and internet traffic, it is also subject to some of the same vulnerabilities and threats cybercriminals use to exploit these networks. VoIP traffic can thus be intercepted, captured or modified and is subject to attacks aimed at degrading or eliminating service.

VoIP technology allows malicious individuals to conduct caller ID spoofing with minimal cost and effort. This enables attackers to obtain information or facilitate additional scams against their targets. A February report, for example, highlighted issues with certain VoIP phones that had insecure default configurations, which allowed attackers to make, receive and transfer calls, play recordings, upload new firmware and even use victims’ devices for covert surveillance.

VoIP services are also subject to abuses such as toll fraud, which involves taking control of network access to avoid paying for telephone calls. VoIP phone consumers should avoid blindly relying on the manufacturer’s default security settings and use strong passwords.

An attacker can carry out a distributed denial-of-service (DDoS) attack by flooding a company’s telephone service with thousands of junk calls per minute from automated IP dialers. A phone DDoS attack could cripple an organization that relies heavily on its phone systems. The method has even been used to prevent fraud victims from calling their banks after large sums of money were stolen from their bank accounts.

Secure Your VoIP Phones

VoIP risks extend beyond spam and eavesdropping. These phones connect a large variety of devices, and cybercriminals can weaponize any internet-connected corporate or consumer device. It’s imperative that organizations and consumers take the following steps to secure their VoIP phones:

  • Use strong passwords. Leaving the default admin password or using a weak password leaves your VoIP phone vulnerable to compromise. Default VoIP passwords are publicly available, and weak passwords are easy to guess or brute force. Don’t forget to harden your voicemail password, too.
  • Enable encryption. VoIP calls are transmitted over the internet unencrypted, allowing malicious actors to easily intercept data packets and record calls. Encryption can be enabled and configured between different points, depending on your setup and equipment, to make sure calls won’t be bugged. Talk to your VoIP vendor to get more details on how to enable the encryption option.
  • Consider using a VPN. A VPN can enhance VoIP security by encrypting voice traffic, mitigating the threat of an attacker using a network analyzer to capture the data.

Exploiting VoIP vulnerabilities and weaknesses may be an old-school cybercriminal trick, but given the rise in attacks targeting the SIP protocol, it’s clear that this tried-and-true threat is still at large.
