Abstract

Billing is fundamental to any commercial VoIP services and it has
direct impact on each individual VoIP subscriber. One of the most
basic requirements of any VoIP billing function is that it must be
reliable and trustworthy. From the VoIP subscriber's perspective,
VoIP billing should only charge them for the calls they have
really made and for the duration they have called.
                                                                                
Existing VoIP billing is based on VoIP signaling. Therefore, any
vulnerability in VoIP signaling is a potential vulnerability of
VoIP billing. In this paper, we examine how the vulnerabilities of
SIP can be exploited to compromise the reliability and
trustworthiness of the billing of SIP-based VoIP systems.
Specifically, we focus on the billing attacks that will create
inconsistencies between what the VoIP subscribers received and
what the VoIP service providers have provided. We present four
billing attacks on VoIP subscribers that could result in charges
on the calls the subscribers have not made or overcharges on the
VoIP calls the subscribers have made. Our experiments show that
Vonage and AT&T VoIP subscribers are vulnerable to these billing
attacks.