August 2007 | Volume 10 / Number 8
Feature Articles

Security Issues in IMS

By Krishna Kurapati

The rapid growth of broadband Internet, and the exploding subscriber demand to enable more integrated and sophisticated communications, is driving network operators to offer new multimedia services anywhere, anytime. These enriched services enable subscribers to communicate and collaborate in real-time, using any combination of voice, video, pictures and text messages. In order to deliver these uniform, extendable services, along with mobility and roaming capabilities, operators require a flexible and standardized network framework.

The IP Multimedia Subsystem (IMS), first specified by the Third Generation Partnership Project (3GPP/3GPP2), is a key enabler and service-delivery platform for these services. IMS is a global standard that defines a generic architecture for offering VoIP and other multimedia services over the Internet, independent of access type – whether it is cellular (GPRS, 1x), WLAN (WiFi), wireless broadband (WiMAX, EVDO Rev A, HSPA) or wireline broadband (xDSL, Cable, FTTx). And since IMS protocols are based on the open IETF SIP specifications, any IMS network device can take advantage of the exploding SIP adoption by other IP phones, adapters and soft clients.

The result is, with IMS, operators can offer many real-time communication services for virtually any device over any Internet access network for the first time. However, like any application offered over the Internet, these IMS networks and devices are now subjected to threats from worms, viruses, denial of service, spam, phishing, and theft.

Just like all e-commerce companies, operators must be aware that core infrastructures and subscribers are vulnerable to attacks and service abuse from malicious users, infected devices, zombies, hackers and spammers. While e-commerce companies go to great lengths to protect their core servers, operators must also protect IMS cores and services offered, with equal diligence. Operators should be even more concerned about these threats as they could also penetrate into legacy networks and affect their large, installed customer base, as shown in Figure 1.

This article outlines several IMS attacks that can be launched, and the different security requirements that must be addressed. It also presents characteristics of a security approach that can complement current authentication and encryption, to protect against all of these attacks.

IMS Vulnerabilities

As mentioned at the outset, IMS and SIP enable a rich set of converged services, but, at the same time, open up networks to a host of known IP-based vulnerabilities, which can often be addressed by existing firewalls, and also to a completely new set of IMS application vulnerabilities. In fact, in the last three years, the Sipera VIPER™ (Voice over IP Exploitation Research) Lab has identified over 20,000 attacks that can be launched against IMS networks, as shown in Table 1.

Looking in more detail at the potential attacks that may exist in IMS networks, the more prevalent and potentially damaging application-level threats, which can be used either to attack the core infrastructure and take down the service or to attack end-users, are:

• Flood DoS and Distributed Floods

• Protocol Fuzzing

• Stealth Floods

• VoIP Spam

• Fraud

• Rogue Devices

Flood DoS and Distributed Floods. Flood DoS and DDoS attacks are those attacks whereby a malicious user deliberately sends a tremendously large amount of random messages to one or more core network elements from either a single location (DoS) or from multiple locations (DDoS). Typically, the flood of incoming messages is well beyond the processing capacity of the target system, quickly exhausting its resources and denying services to its legitimate users. (See Figure 2.)

Protocol Fuzzing. Malicious users will send messages whose content, in most cases, is, on the surface, good enough that the target will assume it’s valid. In reality, the message is “broken” or “fuzzed” enough that when the target system attempts to parse or process it, various failures result. These can include application delays, information leaks, and even catastrophic system crashes.

Fuzzed messages can easily be transmitted using encrypted and authenticated traffic, all the way to the IMS core. Existing security devices do not generally have the ability to decrypt the traffic at wire speeds, and look at all the details of the protocol (header, body, content, etc.) to make sure there is no malicious intent, and therefore cannot protect against some of the most damaging attacks towards the infrastructure.
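The article's point is that a security element must inspect header, body and content before a lenient back-end parser touches the message. The following added example (written for this page, not code from the article or from Sipera) is a strict pre-filter for a single SIP request datagram: it bounds line counts and lengths, requires the six headers RFC 3261 mandates for requests, cross-checks CSeq against the request line and Content-Length against the actual body, and rejects anything that fails. The size limits and all sample messages (addresses, tags, Call-ID) are constructed for the demo; `build_request` and `check_samples` are helpers assumed here only.

```python
import re

# Size limits are policy values chosen for this example, not figures from the article.
MAX_LINE_LEN = 1024
MAX_HEADER_LINES = 64
MAX_BODY_LEN = 8192

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")   # folded continuation lines are rejected
CSEQ = re.compile(r"^\d+ [A-Z]+$")
# Headers RFC 3261 section 8.1.1 requires in every request, plus their compact forms.
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
           "l": "content-length", "c": "content-type", "m": "contact"}


def validate_sip_request(raw: bytes):
    """Strictly check one SIP request datagram; returns (accepted, reason)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in message"
    if "\r\n\r\n" not in text:
        return False, "missing blank line between headers and body"
    head, body = text.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    if len(lines) - 1 > MAX_HEADER_LINES:
        return False, "too many header lines"
    if any(len(line) > MAX_LINE_LEN for line in lines):
        return False, "line exceeds length limit"
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method = m.group(1)
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return False, "malformed header line"
        name = h.group(1).lower()
        headers.setdefault(COMPACT.get(name, name), []).append(h.group(2).strip())
    missing = REQUIRED - set(headers)
    if missing:
        return False, "missing required headers: " + ", ".join(sorted(missing))
    cseq = headers["cseq"]
    if len(cseq) != 1 or not CSEQ.match(cseq[0]):
        return False, "malformed CSeq"
    if cseq[0].split()[1] != method:
        return False, "CSeq method does not match request line"
    mf = headers["max-forwards"]
    if len(mf) != 1 or not mf[0].isdigit() or int(mf[0]) > 255:
        return False, "malformed Max-Forwards"
    if "content-length" in headers:
        cl = headers["content-length"]
        if len(cl) != 1 or not cl[0].isdigit():
            return False, "malformed Content-Length"
        if int(cl[0]) > MAX_BODY_LEN:
            return False, "body exceeds length limit"
        if int(cl[0]) != len(body):        # body is ASCII, so len() is the byte count
            return False, "Content-Length does not match body length"
    elif len(body) > MAX_BODY_LEN:         # UDP: no Content-Length means body runs to datagram end
        return False, "body exceeds length limit"
    return True, "ok"


def build_request(method="INVITE", body="v=0\r\n", **overrides):
    """Constructed sample INVITE; keyword overrides replace a header or drop it (None)."""
    headers = [
        ("Via", "SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds"),
        ("Max-Forwards", "70"),
        ("To", "Bob <sip:bob@ims.example.net>"),
        ("From", "Alice <sip:alice@ims.example.net>;tag=1928301774"),
        ("Call-ID", "a84b4c76e66710@203.0.113.10"),
        ("CSeq", f"314159 {method}"),
        ("Content-Type", "application/sdp"),
        ("Content-Length", str(len(body))),
    ]
    lines = [f"{method} sip:bob@ims.example.net SIP/2.0"]
    for name, value in headers:
        key = name.lower().replace("-", "_")
        if key in overrides:
            value = overrides[key]
            if value is None:
                continue
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("ascii")


# Constructed corpus: one clean request and five "fuzzed" variants that look plausible on the surface.
SAMPLES = {
    "clean": build_request(),
    "length_lie": build_request(content_length="400"),
    "cseq_mismatch": build_request(cseq="314159 BYE"),
    "oversize_to": build_request(to="A" * 2000),
    "no_call_id": build_request(call_id=None),
    "binary_junk": build_request().replace(b"UDP", b"UD\xff"),
}


def check_samples():
    """Run the validator over every sample; returns {name: (accepted, reason)}."""
    return {name: validate_sip_request(msg) for name, msg in SAMPLES.items()}
```

Rejecting at this layer costs one regular-expression pass per line; the failure modes the article lists (delays, leaks, crashes) arise when a full parser is handed the "length_lie" or "oversize_to" style of input, so the cheap checks run first and the expensive parser only sees messages that passed them.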

Stealth Floods. Stealth attacks are those in which one or more specific end-points are deliberately attacked from one (DoS) or more (DDoS) sources, although at a much lower call volume than is characteristic of flood type attacks. Detection of stealth attacks is vital for VoIP systems, as they have the potential to be far more annoying than what we are familiar with in the data world. IMS security solutions must be more sophisticated and use different techniques to protect against stealth and VoIP spam.

VoIP Spam. VoIP spam or Spam-over-Internet Telephony (SPIT) is unsolicited and unwanted bulk messages broadcast over the IMS network. In addition to being annoying and having the potential to significantly impinge upon the availability and productivity of the end-point resource, high-volume bulk calls routed over IP are often very difficult to trace, and have the inherent capacity for fraud, unauthorized resource use and privacy violations. VoIP spam attacks can be launched like the stealth attacks cited above, and target subscribers of IMS services.

Fraud. Once hackers gain access to an IMS network and servers, they can commence toll fraud by acting as a gateway between the local PSTN and the IMS network, similar to last year’s publicized, million dollar toll fraud exacted on several VoIP networks.

In addition, a fraudulent user can access an entire IMS network and servers by hacking routers, firewalls and operating systems, which can expose sensitive details of subscriber call records.

In order to protect against fraud, the behavior of all subscribers must be monitored in real time, with misbehaving subscribers blocked.

Rogue devices. With smart device proliferation and new access capabilities including USB, Bluetooth and downloadable software, the devices themselves can inadvertently pose a great risk to IMS networks. These devices can be recruited by hackers as bots on the Internet, to proliferate attacks deep into IMS networks and applications.

Building an Attack Tool is Easy

Compounding the issue of threats is the fact that building an attack vector takes very little investment in terms of time or money. The required components are available free of charge, as open-source software and all the required specifications are publicly available at the 3GPP website. Hackers, in a few days, can easily write scripts required to read U/I-SIM cards, which are easily acquired and can be used to launch various attacks.

Comprehensive Security for IMS Networks

IMS specifications have rigorously defined the authentication and encryption frameworks required for these networks by combining cellular phone and Internet standards. However, with any subscriber having access, anytime, using any device, these techniques provide limited security at the access level, and cannot protect against threats from rogue subscribers or hackers working from within rogue countries. Like e-commerce companies, IMS operators should also deploy IMS application security. This layered approach to security ensures that operators not only protect their IMS core and subscribers, but also ensure their legacy core and subscribers are protected.

An IMS application layer security device, as shown in Figure 3, should implement sophisticated IMS-specific security methodologies that include behavior learning, filtering, anomaly detection and verification.

This would complement existing PDGs and data firewalls with application-level intrusion prevention, denial of service prevention, and anti-spam filtering to protect infrastructure nodes and end-users against unique IMS application attacks such as fraud, floods, stealth, protocol fuzzing and VoIP spam. Such a security device should be designed specifically to offer the performance and scalability required by operators, learn about call and traffic patterns on the network, and dynamically adjust to prevent application layer attacks.
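The three volumetric threats described earlier (flood DoS, stealth floods against a single endpoint, and SPIT fan-out) need different rules, and the device described here is meant to learn traffic patterns rather than run on fixed numbers. The added example below (written for this page, not code from the article or from Sipera) shows the detection side of that: a flood limit learned from attack-free training traffic, then three sliding-window rules over INVITE records distinguishing a raw flood, a caller fanning out to many callees, and a low-rate source repeatedly targeting one callee. Window sizes, limits, and every address and timestamp in `build_sample_events` are constructed for the demo; `SipBehaviorMonitor`, `learn_flood_limit` and `analyze` are names assumed here only.

```python
from collections import defaultdict, deque

# Window sizes and limits are illustrative policy values chosen for this example,
# not figures from the article; an operator would tune them to observed traffic.
FLOOD_WINDOW = 10       # seconds
SPIT_WINDOW = 60
SPIT_FANOUT = 20        # distinct callees from one source within SPIT_WINDOW
STEALTH_WINDOW = 600
STEALTH_LIMIT = 6       # INVITEs to the same callee within STEALTH_WINDOW ...
STEALTH_MIN_SPAN = 120  # ... spread over at least this many seconds (i.e. low rate)


def learn_flood_limit(training, factor=10, floor=20):
    """Learn the flood threshold from attack-free traffic: the busiest
    FLOOD_WINDOW seen for any single source, scaled by `factor`."""
    per_src = defaultdict(list)
    for ts, src, _dst in training:
        per_src[src].append(ts)
    busiest = 0
    for stamps in per_src.values():
        stamps.sort()
        start = 0
        for i, ts in enumerate(stamps):
            while stamps[start] < ts - FLOOD_WINDOW:
                start += 1
            busiest = max(busiest, i - start + 1)
    return max(floor, factor * busiest)


class SipBehaviorMonitor:
    """Sliding-window anomaly rules over INVITE events (ts, caller, callee)."""

    def __init__(self, flood_limit):
        self.flood_limit = flood_limit
        self.by_src = defaultdict(deque)    # caller -> deque of (ts, callee)
        self.by_pair = defaultdict(deque)   # (caller, callee) -> deque of ts
        self.alerts = []                    # (kind, caller, callee-or-None)
        self._fired = set()

    def _alert(self, kind, src, dst=None):
        key = (kind, src, dst)
        if key not in self._fired:          # report each condition once per source
            self._fired.add(key)
            self.alerts.append(key)

    def observe(self, ts, src, dst):
        q = self.by_src[src]
        q.append((ts, dst))
        while q and q[0][0] < ts - SPIT_WINDOW:     # keep the longer of the two windows
            q.popleft()
        # Flood: raw INVITE rate from one source far above the learned baseline.
        in_flood_window = sum(1 for t, _ in q if t >= ts - FLOOD_WINDOW)
        if in_flood_window > self.flood_limit:
            self._alert("flood", src)
        # SPIT: one source fanning out to many distinct callees.
        if len({d for _, d in q}) > SPIT_FANOUT:
            self._alert("spit", src)
        # Stealth: the same callee hit repeatedly at a rate the flood rule never sees.
        p = self.by_pair[(src, dst)]
        p.append(ts)
        while p and p[0] < ts - STEALTH_WINDOW:
            p.popleft()
        if len(p) > STEALTH_LIMIT and p[-1] - p[0] >= STEALTH_MIN_SPAN:
            self._alert("stealth", src, dst)


def build_sample_events():
    """Constructed INVITE records: a benign caller, a flood source, a SPIT
    source and a stealth source. Addresses and times are placeholders."""
    ev = [(5.0, "sip:alice@ims.example.net", "sip:bob@ims.example.net"),
          (900.0, "sip:alice@ims.example.net", "sip:carol@ims.example.net"),
          (2400.0, "sip:alice@ims.example.net", "sip:dave@ims.example.net")]
    ev += [(3000.0 + i * 0.08, "198.51.100.7", "sip:pcscf@ims.example.net")
           for i in range(60)]                                   # 60 INVITEs in ~5 s
    ev += [(4000.0 + i, "sip:promo@203.0.113.9", f"sip:user{i}@ims.example.net")
           for i in range(25)]                                   # 25 callees in 25 s
    ev += [(5000.0 + i * 60, "sip:mallory@198.51.100.20", "sip:bob@ims.example.net")
           for i in range(10)]                                   # one call a minute
    return sorted(ev)


def analyze(events, training=None):
    """Run the monitor over time-ordered events; returns the alert list."""
    limit = learn_flood_limit(training) if training else 50
    mon = SipBehaviorMonitor(limit)
    for ts, src, dst in events:
        mon.observe(ts, src, dst)
    return mon.alerts
```

The stealth rule deliberately requires the repeated attempts to be spread over a minimum span, so a burst that is merely the first seconds of a flood is reported as a flood and not double-counted; a real deployment would add the same per-pair rule for REGISTER and OPTIONS and feed the alerts into a filter that blocks the misbehaving source, which is the enforcement step the article calls for.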


The probability of malicious attacks and service abuse of VoIP and other real-time, IP communications applications continues to increase, together with the increase in attack sophistication. All of these developments are creating a new level of security requirements for the operator that go beyond anything that has been traditionally deployed.

The only way to provide the required level of protection is to adopt an IMS application-level approach that utilizes the best existing security techniques but also incorporates a variety of sophisticated VoIP-specific security methodologies that include behavior learning, filtering, anomaly detection and verification. Together, these practices proactively protect the IMS network from the attacks, misuse and service abuse which networks and end-users face today and in the future.

Krishna Kurapati is the Founder and CTO of Sipera Systems, a leader in pure security for VoIP, mobile and multimedia communications. Sipera can be reached at 214-206-3210 or
