Covert Channels in SIP for VoIP signalling
In this paper, we evaluate available steganographic techniques for SIP (Session Initiation Protocol) that can be used for creating covert channels during the signaling phase of a VoIP (Voice over IP) call. Apart from characterizing existing steganographic methods, we provide new insights by introducing new techniques. We also estimate the amount of data that can be transferred in signalling messages for a typical IP telephony call.
💡 Research Summary
The paper investigates covert‑channel (steganographic) techniques that can be employed during the signaling phase of a VoIP call that uses the Session Initiation Protocol (SIP) together with the Session Description Protocol (SDP). After a brief introduction to steganography and covert channels, the authors outline the typical VoIP communication flow, emphasizing that a call consists of a signaling phase (exchange of SIP messages such as INVITE, 200 OK, ACK) followed by a media phase (RTP/RTCP). The focus of the study is on the signaling phase, where relatively few messages are exchanged but each message contains numerous fields that can be abused for hidden data transfer.
The authors categorize covert‑channel methods into three layers: (1) network‑layer steganography that exploits unused or optional bits in IP, TCP, and UDP headers; (2) application‑layer steganography that manipulates SIP and SDP header fields, tokens, and body parameters; and (3) steganography that leverages SIP security mechanisms such as S/MIME.
For the network layer, the paper notes that IP header fields such as Identification, Flags, and Options, as well as TCP sequence numbers and UDP checksums, can carry more than 32 bits per packet without affecting normal VoIP operation. Because these headers appear in every packet (signaling, media, and control), they provide a continuous covert channel.
At the SIP/SDP level, the authors identify a large set of fields that are either required to be random or have no strict length constraints, making them ideal carriers. Examples include:
- Via branch token – must start with the magic cookie “z9hG4bK” but the remainder is implementation‑defined, allowing insertion of dozens of bits.
- From/To tag – globally unique, cryptographically random strings of at least 32 bits.
- Call‑ID – composed of a random string and a host identifier; both parts can be enlarged.
- CSeq number – a 32‑bit unsigned integer that can be set arbitrarily (subject to being < 2³¹).
- Max‑Forwards – normally initialized to 70, but other values are permissible.
- Contact, Subject, Call‑Info, Organization, Reply‑To, Timestamp, User‑Agent – optional textual fields that can contain arbitrary data.
The paper also points out that SDP fields such as version (v), owner/creator (o), session name (s), timing (t), and encryption key (k) are either ignored by SIP or optional, allowing the embedding of additional secret bits.
A novel contribution is the exploitation of SIP end‑to‑end security mechanisms, specifically S/MIME. By encrypting and signing the SDP payload, the boundary delimiters used in the multipart MIME structure become controllable, and the PKCS#7 signature block can be altered to carry hidden data. This method trades off signature verification for increased covert capacity, with the amount of data depending on the chosen hash algorithm (e.g., SHA‑1 vs. SHA‑256).
Beyond field manipulation, the authors discuss covert channels based on non‑printable characters (spaces, tabs), header ordering, and case variation. Since SIP header names are case‑insensitive and header order is not mandated, these techniques can convey bits without changing packet size.
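A defender-side check for several of the carriers listed above (Via branch length, Max-Forwards value, header-name case, header order and padding whitespace), written here as an added example rather than code from the paper; the sample INVITE, the 32-character branch-suffix threshold and the "common" header order are assumptions for illustration:

```python
import re
from typing import List, Tuple

# Constructed sample (not from the paper): an INVITE showing several carriers listed above
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKdeadbeef"
    "0123456789abcdef0123456789abcdef0123456789abcdef\r\n"
    "max-forwards: 37\r\nTo: <sip:bob@example.com>\r\n"
    "From: <sip:alice@example.com>;tag=a1b2c3d4\r\nCall-ID: 1234@10.0.0.5\r\n"
    "CSeq: 1 INVITE \t\r\nContent-Length: 0\r\n\r\n"
)
MAGIC_COOKIE = "z9hG4bK"
CANONICAL = {"via": "Via", "max-forwards": "Max-Forwards", "from": "From", "to": "To",
             "call-id": "Call-ID", "cseq": "CSeq", "content-length": "Content-Length"}
EXPECTED_ORDER = ["Via", "Max-Forwards", "From", "To", "Call-ID", "CSeq"]  # assumed common order, not RFC-mandated

def parse_headers(msg: str) -> List[Tuple[str, str]]:
    """Return (raw_name, raw_value) pairs; case and whitespace are kept on purpose."""
    head = msg.split("\r\n\r\n", 1)[0]
    return [line.partition(":")[::2] for line in head.split("\r\n")[1:]]  # skip request line

def audit_sip(msg: str, max_branch_len: int = 32, expected_max_forwards: int = 70) -> List[str]:
    """Flag header properties the paper lists as covert-channel carriers."""
    findings, seen_order = [], []
    for raw_name, raw_value in parse_headers(msg):
        canon = CANONICAL.get(raw_name.strip().lower())
        if canon and raw_name != canon:                      # case variation in header names
            findings.append(f"case variation in header name {raw_name!r}")
        if raw_value != " " + raw_value.strip():             # padding spaces / tabs around the value
            findings.append(f"unusual whitespace in {canon or raw_name}")
        if canon in EXPECTED_ORDER and canon not in seen_order:
            seen_order.append(canon)
        if canon == "Via":                                   # oversized or malformed branch token
            m = re.search(r"branch=([^;\s]+)", raw_value)
            if not m or not m.group(1).startswith(MAGIC_COOKIE):
                findings.append("Via branch missing RFC 3261 magic cookie")
            elif len(m.group(1)) - len(MAGIC_COOKIE) > max_branch_len:
                findings.append(f"Via branch suffix is {len(m.group(1)) - len(MAGIC_COOKIE)} chars")
        if canon == "Max-Forwards" and raw_value.strip() != str(expected_max_forwards):
            findings.append(f"Max-Forwards is {raw_value.strip()}, expected {expected_max_forwards}")
    ranks = [EXPECTED_ORDER.index(h) for h in seen_order]
    if ranks != sorted(ranks):                               # header order used as a carrier
        findings.append(f"header order deviates from the common order: {seen_order}")
    return findings

if __name__ == "__main__":
    for finding in audit_sip(SAMPLE_INVITE):
        print("-", finding)
```

Each finding is a low-confidence indicator on its own (the RFC permits all of them); several of them on one message, or across a call, is what a traffic-analysis rule would act on.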
To quantify the threat, the authors assume a typical call exchanges roughly five SIP messages in one direction (two during call setup, two during the conversation phase such as OPTIONS, and one termination message). By summing the bits that can be hidden in each exploitable field of those messages, they estimate a total covert payload ranging from several hundred bytes up to a few kilobytes per call. This exceeds the 100 bps threshold (≈12 KB per minute) defined by the U.S. Department of Defense as a security risk, indicating that even short SIP signaling exchanges can leak a non‑trivial amount of confidential information.
The paper concludes that SIP/SDP signaling is a fertile ground for covert channels, especially because the standards impose few constraints on token generation and field lengths. It calls for future work on detection mechanisms (traffic analysis, anomaly detection) and suggests that SIP/SDP specifications could be hardened by introducing stricter validation of random fields and by limiting optional header usage. The overall contribution is a comprehensive taxonomy of SIP‑based covert channels, quantitative bandwidth estimates, and a set of new techniques that broaden the attack surface for hidden communications in VoIP environments.