SIP Trunk Security – 2nd Excerpt from Our Voice Security Report

Session Initiation Protocol (SIP) is a standards-based protocol for controlling voice and other types of calls. SIP can be used for internal handset communications, but its security issues are mostly similar to those for other handset protocols. SIP is also commonly used for enterprise SIP trunks, which are a means to connect enterprise voice networks to the Public Voice Network. The following diagram shows the threat when using SIP trunks, as opposed to TDM trunks, to connect to the Public Voice Network.

Many enterprises are transitioning to SIP trunks. Enterprises use SIP trunks both for one-to-one replacement for TDM trunks and also to consolidate the traffic from smaller branch or retail sites to a centralized trunk model. Centralized SIP trunk deployments offer a number of advantages, but increase the threat of certain types of attacks, because all or most of an enterprise’s public access is now consolidated through one or a few sites.

The majority of enterprise SIP trunk deployments are provisioned by large service providers who provide a private SIP connection. This is a separate, managed, private connection, where security and Quality of Service (QoS) can be assured, as opposed to the Internet, where neither security nor quality can be assured. While it is technically possible for SIP-specific packet attacks to be seen on these private SIP trunks, such attacks are very unlikely. Also, SIP trunks primarily use SIP and RTP (for audio), as opposed to the multitude of protocols used on an internal/campus VoIP network.

Service providers also deploy SIP security on their side of the network, using Session Border Controllers (SBCs). The SBC provides an additional layer of security that analyzes SIP and RTP before traffic is delivered to the enterprise. It is technically possible to see scans, fuzzed/malformed packets, and INVITE/REGISTER/OPTIONS request floods on dedicated service-provider SIP trunks, but this is a low threat. Nevertheless, it is good security practice to deploy SIP-specific packet security on the enterprise side of a SIP trunk as well, preferably using a different technology than the one the service provider uses, such as the Cisco Unified Border Element (CUBE), a software feature embedded in the operating system of Cisco’s Integrated Services Routers (ISRs) and Aggregation Services Routers (ASRs).
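As an added illustration of the two SIP-specific checks named above (this is not code from the original page, nor from Cisco CUBE or any service-provider SBC), here is a minimal Python screener for requests arriving over a SIP trunk. It rejects malformed requests (bad request line, bad header line, missing mandatory headers) and flags a source that sends more INVITE, REGISTER or OPTIONS requests than a per-method threshold allows inside a sliding window. The window size, threshold, IP addresses and the sample SIP messages are constructed assumptions.

```python
"""Added example, not code from the original page, Cisco CUBE or a
service-provider SBC: a minimal screener for SIP requests arriving over
an enterprise SIP trunk. It rejects malformed requests (bad request line,
bad header line, missing mandatory headers) and flags a source that sends
more INVITE, REGISTER or OPTIONS requests than a per-method threshold
allows inside a sliding time window. Thresholds, addresses and the sample
messages are constructed for illustration."""
import re
from collections import defaultdict, deque

# Request methods that are rate-limited per source (the flood methods
# named in the post); other methods are only checked for well-formedness.
RATE_LIMITED = {"INVITE", "REGISTER", "OPTIONS"}
# Headers every SIP request must carry (RFC 3261, section 8.1.1).
REQUIRED = ("Via", "To", "From", "Call-ID", "CSeq", "Max-Forwards")
REQ_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")


class SipScreener:
    def __init__(self, window_s=1.0, max_per_window=5):
        self.window_s = window_s
        self.max_per_window = max_per_window
        # (source address, method) -> arrival times still inside the window
        self.seen = defaultdict(deque)

    def parse(self, raw):
        """Return (method, headers) or raise ValueError if the request is malformed."""
        lines = raw.split("\r\n")
        m = REQ_LINE.match(lines[0])
        if not m:
            raise ValueError("bad request line: %r" % lines[0])
        headers = {}
        for line in lines[1:]:
            if line == "":          # blank line ends the header block
                break
            if ":" not in line:
                raise ValueError("bad header line: %r" % line)
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
        missing = [h for h in REQUIRED if h not in headers]
        if missing:
            raise ValueError("missing headers: %s" % ", ".join(missing))
        return m.group(1), headers

    def check(self, src, ts, raw):
        """Classify one request from `src` at time `ts`: 'malformed', 'flood' or 'ok'."""
        try:
            method, _ = self.parse(raw)
        except ValueError:
            return "malformed"
        if method not in RATE_LIMITED:
            return "ok"
        q = self.seen[(src, method)]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop arrivals outside the window
            q.popleft()
        return "flood" if len(q) > self.max_per_window else "ok"


def invite(call_id, well_formed=True):
    """Build a constructed INVITE; with well_formed=False, Max-Forwards is dropped."""
    headers = [
        "Via: SIP/2.0/UDP 203.0.113.10;branch=z9hG4bK%s" % call_id,
        "To: <sip:2125551212@example.com>",
        "From: <sip:1001@example.com>;tag=abc",
        "Call-ID: %s@203.0.113.10" % call_id,
        "CSeq: 1 INVITE",
        "Max-Forwards: 70",
    ]
    if not well_formed:
        headers.pop()
    return "\r\n".join(["INVITE sip:2125551212@example.com SIP/2.0"] + headers) + "\r\n\r\n"


def run_sample():
    """Six INVITEs from one source inside 0.5 s (the sixth breaches a limit of 5),
    then a malformed INVITE, then a single INVITE from a second source."""
    screener = SipScreener(window_s=1.0, max_per_window=5)
    results = [screener.check("203.0.113.10", 0.1 * i, invite("c%d" % i)) for i in range(6)]
    results.append(screener.check("203.0.113.10", 0.7, invite("bad", well_formed=False)))
    results.append(screener.check("198.51.100.7", 0.8, invite("other")))
    return results


if __name__ == "__main__":
    print(run_sample())
```

Keying the rate counter on the network source address is the right first cut for an Internet-facing trunk. On a dedicated provider trunk every request arrives from the provider's SBC, so a practical screener would also count per From URI or per called number; that is one reason to run a second, differently implemented screen on the enterprise side rather than relying on the provider's alone.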

If an enterprise uses SIP over the Internet, then the threats rise considerably. This may occur more often as enterprises seek to extend the rich communications experience they enjoy inside their networks with video, Instant Messaging (IM), presence, and other Unified Communications and Collaboration applications. I have seen several Internet SIP-based video systems exploited, but the motivation for these exploits was toll fraud, rather than the video application itself.

While SIP-specific attacks represent a low threat, voice application-level attacks/threats such as toll fraud, social engineering, unsecured and unauthorized modems, harassing calls, and TDoS are still present. None of these threats decrease with the transition to SIP trunks. Service providers and their SIP-specific security devices do nothing to block these call-level attacks.

As introduced above, a related change in enterprise voice networks is the move to centralized SIP trunking. I will cover security issues with these deployments in another post.

SecureLogix CEO Lee Sutterfield appeared on a recent episode of NPR’s “Here & Now” to discuss the increasingly complicated challenge of defeating Robocalls.

Washington, D.C. – The Department of Homeland Security (DHS) Small Business Innovation Research (SBIR) program has awarded the 1,000th SBIR contract since the program’s initiation in 2004. The 1,000th contract is one of twenty-four awarded as part of the FY19.1 Solicitation Phase I awards, bringing the total number of SBIR contracts to 1,018…

David Heard, CMO of SecureLogix, had the opportunity to explain voice network security and call fraud detection at Enterprise Connect 2019…

Cybersecurity attacks happen all too often, and attackers are becoming more bold and sophisticated by disrupting critical phone systems and putting 911 emergency call centers at risk. Similar to Distributed Denial of Service (DDoS) attacks on critical online services, Telephony Denial of Service (TDoS) attacks render emergency systems unavailable by saturating them with bogus calls and potentially causing great harm to those who truly require urgent first responder attention.  

The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has partnered with SecureLogix, a San Antonio-based telecommunications security company, to solve complex TDoS issues and develop defense-based solutions to prevent these attacks. TDoS attackers target 9-1-1 emergency call centers and other critical service providers. These attacks are increasing in frequency and everyone is vulnerable. Reasons for TDoS attacks range from extortion to disruptive pranks. These attacks pose significant risks to banks, schools, hospitals, and even government agencies. When banks are attacked, customers are denied access to their accounts. If synchronized with a DDoS attack against a bank’s internet or mobile presence, this may prevent customers from even contacting their bank.

In 2016, a teenager gained national attention for a well-orchestrated botnet attack against 9-1-1 emergency call centers in the Phoenix area. He modified code and distributed it via his Twitter and YouTube accounts; his followers unwittingly loaded the malware onto their phones, which then made thousands of automatic 9-1-1 calls. 9-1-1 call centers in the Phoenix area were flooded with calls in a matter of minutes. If coordinated with an actual physical terrorist attack, this would be particularly catastrophic, resulting in a large number of victims losing the ability to connect with emergency services.

From S&T’s perspective, our goal is to shift the advantage from TDoS attackers to network administrators by developing the capability to detect and mitigate TDoS, by authenticating callers and detecting call spoofing. These solutions, based on a series of filters that assign a risk-threat score to every call, will enable Next Generation 9-1-1 systems’ administrators to better respond to and manage TDoS threats and attacks. Research and testing is currently underway with our pilot partners, including Palm Beach County 9-1-1 and Greater Harris County 9-1-1, to validate solutions in operational, real-time environments.

Together, S&T and SecureLogix are making rapid progress against call spoofing and robocalls. We are currently developing two TDoS defense solutions:

  • Identifying whether or not the call spoofing is a voice recording, aiding in fraud detection
  • Separating legitimate emergency calls from spoofing attacks

This research will result in increased protections for the many critical infrastructure sectors DHS protects. Several corporations, including many banks and DHS components, have expressed interest in this technology and SecureLogix will release it into the market in the coming months. We look forward to further developing these new defense mechanisms to prevent future TDoS attacks. Please read the program’s fact sheet for more details.

PSAPs can be taken out of service by TDoS and DDoS attacks on their infrastructure. DHS is also concerned, and is funding pilot programs to investigate. Dr. Ann Cox from DHS, Chuck Spaulding from Palm Beach County Florida, and Mark Collier, CTO at SecureLogix discuss what they are doing in a pilot program to understand the issue and potential fixes. Don’t miss this MUST LISTEN podcast. 


The Internet had been brought to its knees. In 1988, a computer program written by a graduate student named Robert Morris snaked its way across much of the early Internet. The so-called Morris Worm infected and crashed anywhere from one-sixth to one-third of all computers connected to the Internet, according to a Government Accountability Office report from the time.

Shortly after the worm’s demise, a young Air Force officer named Lee Sutterfield left San Antonio for a closed council in California on lessons from the attack. The virus had been defeated, but the response had been piecemeal. Sutterfield, along with his boss, Greg White, listened as experts from across the country spoke of the need to work together on cybersecurity…


Here is a recent article on toll fraud on mobile devices. The article states that the most common type of mobile malware is toll fraud – this type of malware is the easiest way to make money:

11/03/2016 – The day the 911 network stood still

10/24/2016 – DHS working to protect emergency call centers against denial-of-service attacks

09/22/2016 – Schumer calling for increased security of 911 communications nationwide

09/13/2016 – Answering the call for solutions to 911 TDoS attacks

09/12/2016 – Researchers warn that hackers can DDoS 911 emergency phone service

09/12/2016 – Is an attack on emergency services just one call away?

09/09/2016 – How America’s 911 emergency response system can be hacked

There have been multiple articles describing a “botnet” of thousands of compromised smartphones, which all make calls to a 911 Public Safety Answering Point (PSAP) or some other target. A smartphone-based attack is the primary way to generate a TDoS attack against a PSAP. The classic Asterisk/SIP trunk/call generator type of attack is unlikely to affect 911, since there is no guarantee that calls generated that way will be routed to the desired PSAP. An attack leveraging many smartphones in a local area is the most likely way to affect a PSAP.

There is normally significantly more trunking available than there are PSAP attendants. This is logical and common in contact centers, as it allows callers to have their calls “answered” and put into a queue waiting for attendants. For a TDoS attack against 911 to have effect, it needs to “clog” or saturate these trunks. If the attacker can overwhelm the entire trunking capacity, then some legitimate callers won’t have their calls answered. Even if the attack does not overwhelm all trunking, it will still have an impact on attendants, because they will waste a small amount of time answering the TDoS calls. There are also multiple “trunk groups”, which are collections of physical channels into the PSAP. If an attack can overwhelm one of these trunk groups, the attack may not overwhelm the entire capacity of the PSAP, but it will affect legitimate calls coming from that trunk group. The biggest trunk group is normally mobile.

A large metro area PSAP will have multiple end office switches, which provide landline access to various geographic areas. Each of these end offices has some amount of dedicated trunking for 911, which may be around 10 trunks. If an attack originates through one of these end offices, the most that will reach the PSAP is about 10 simultaneous calls. The attacker can’t overwhelm the PSAP unless they saturate the trunking from all or many of these end offices. However, there is a significant amount of trunking from the mobile network, since generally the majority of calls to a PSAP, as much as 75%, are mobile. Therefore, this is where the overall PSAP capacity can be saturated. This is also where attacks from a smartphone-based botnet would arrive.
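The two paragraphs above argue that saturating one end office's 911 trunks only blocks callers in that area, while saturating the mobile trunk group blocks most callers. The following Erlang B model, added here as an illustration and not taken from the original page or from SecureLogix, makes that reasoning concrete. The PSAP layout (a 60-trunk mobile group carrying 75% of calls, three end offices with about 10 trunks each), the legitimate load of 12 Erlangs and the attack rates are constructed assumptions; Erlang B itself assumes Poisson arrivals and that blocked calls go away, which simplifies real 911 trunking and callers who redial.

```python
"""Added example, not from the original page or SecureLogix: an Erlang B
model of how a TDoS call flood saturates PSAP trunk groups. Each trunk
group is offered its share of legitimate 911 load plus any attack load
that arrives through it; the blocking probability per group follows from
the Erlang B formula. The PSAP layout (a 60-trunk mobile group carrying
75% of calls, three end offices with 10 trunks each), the legitimate
load and the attack rates are constructed assumptions. Erlang B assumes
Poisson arrivals and blocked calls that go away, which is a simplification
of real 911 trunking and of callers who redial."""


def erlang_b(trunks, offered_erlangs):
    """Blocking probability of a full-availability trunk group with `trunks`
    channels offered `offered_erlangs` of traffic (Erlang B, stable recursion)."""
    b = 1.0
    for n in range(1, trunks + 1):
        b = offered_erlangs * b / (n + offered_erlangs * b)
    return b


def erlangs(calls_per_minute, hold_seconds):
    """Offered load in Erlangs: arrival rate times mean holding time."""
    return calls_per_minute * hold_seconds / 60.0


# Constructed PSAP: name -> (trunks in the group, share of legitimate calls using it)
PSAP = {
    "mobile":       (60, 0.75),
    "end_office_A": (10, 0.10),
    "end_office_B": (10, 0.10),
    "end_office_C": (10, 0.05),
}
LEGIT_ERLANGS = 12.0   # total legitimate 911 load, constructed


def blocking_by_group(psap, legit_erlangs, attack_group=None, attack_erlangs=0.0):
    """Per-group blocking probability with the attack load added to one group."""
    result = {}
    for name, (trunks, share) in psap.items():
        offered = legit_erlangs * share
        if name == attack_group:
            offered += attack_erlangs
        result[name] = erlang_b(trunks, offered)
    return result


def legit_callers_blocked(psap, legit_erlangs, attack_group=None, attack_erlangs=0.0):
    """Fraction of all legitimate 911 callers who cannot get a trunk."""
    blocked = blocking_by_group(psap, legit_erlangs, attack_group, attack_erlangs)
    return sum(share * blocked[name] for name, (_, share) in psap.items())


def scenarios():
    """Compare no attack, an attack through one end office, and one through mobile."""
    return {
        "baseline": legit_callers_blocked(PSAP, LEGIT_ERLANGS),
        # 30 calls/min, each held 60 s, = 30 Erlangs into a 10-trunk end office
        "via_end_office_A": legit_callers_blocked(
            PSAP, LEGIT_ERLANGS, "end_office_A", erlangs(30, 60)),
        # 600 compromised handsets, each redialing as soon as its 60 s call drops,
        # = 600 calls/min = 600 Erlangs into the 60-trunk mobile group
        "via_mobile": legit_callers_blocked(
            PSAP, LEGIT_ERLANGS, "mobile", erlangs(600, 60)),
    }


if __name__ == "__main__":
    for name, frac in scenarios().items():
        print("%-18s %.1f%% of legitimate callers blocked" % (name, 100 * frac))
    print(blocking_by_group(PSAP, LEGIT_ERLANGS, "end_office_A", erlangs(30, 60)))
```

With these numbers the end-office flood blocks roughly 70% of callers served by that one office but only about 7% of callers overall, and leaves the mobile group untouched; the mobile flood blocks roughly two-thirds of all legitimate callers. Scaling the handset count up or down in `scenarios()` shows how many compromised phones a given trunk group can absorb before blocking becomes significant.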

Furthermore, we also saw a recent actual attack, where a young hacker posted a link on Twitter to a website with malicious code. There were over 10,000 followers of the Twitter account and, of course, the link was obscured. When the link was clicked, the malicious code used the click-to-dial feature on iOS smartphones, in code that looped 1,000,000 times and continually made calls to 911. Most of the people who clicked on the link were in the Phoenix area. What is interesting about this attack is how simple the malicious code was. It wasn’t a sophisticated bit of malware that leveraged some obscure feature of the smartphone; it simply used the click-to-dial feature in a loop. It wasn’t a botnet. Pretty much anyone could create this malware.

So in summary, we have a situation where the most vulnerable part of a PSAP is the mobile trunking, the easiest way to generate a TDoS attack on a PSAP is through compromised smartphones, the code needed to generate calls on smartphones is trivial, and we have had an “accidental” attack in the wild. Unfortunately, we expect to see more deliberate attacks in the future.