Abstract

Billing is fundamental to any commercial VoIP services and it has direct impact on each individual VoIP sub-scriber. One of the most basic requirements of any VoIP billing function is that it must be reliable and trustwor-thy. From the VoIP subscriber's perspective, VoIP billing should only charge them for the calls they have really made and for the duration they have called. Existing VoIP billing is based on VoIP signaling. Therefore, any vulnerability in VoIP signaling is a po-tential vulnerability of VoIP billing. In this paper, we examine how the vulnerabilities of SIP can be exploited to compromise the reliability and trustworthiness of the billing of SIP-based VoIP systems. Specically, we fo-cus on the billing attacks that will create inconsistencies between what the VoIP subscribers received and what the VoIP service providers have provided. We present four billing attacks on VoIP subscribers that could result in charges on the calls the subscribers have not made or overcharges on the VoIP calls the subscribers have made. Our experiments show that Vonage and AT&T VoIP sub-scribers are vulnerable to these billing attacks. 1