ITU-T Series H: Audiovisual and Multimedia Systems
The protocol foundation for VoIP, video conferencing, and media gateway control — the attack surface for toll fraud, media interception, and gateway hijacking in IMS and enterprise UC environments.
Official Scope
Study Group: SG16 — Multimedia Coding, Systems and Applications
Active Status: Ongoing
Defines recommendations for audiovisual and multimedia systems: video coding (H.264/H.265/H.266 VVC), conferencing protocols (H.323), real-time media security (H.235), and media gateway control (H.248/Megaco). Provides the foundation for enterprise UC and IMS-based multimedia services.
Tactical Security Significance
- Relevance: 🟢 High — VoIP Fraud, Encrypted Real-Time Media, Media Gateway Authentication
- Key Security Concepts: H.235 Security Framework, SRTP/ZRTP Key Exchange, H.248 Gateway Hardening, Toll Fraud via SIP/H.323
- Attack Surface: Unauthenticated H.323 endpoints, unencrypted media streams, exposed H.248 control interfaces
Key Recommendations
| ITU Rec | Title | Security Domain | Cross-Reference |
|---|---|---|---|
| H.235.0 | Security architecture for H.323 multimedia systems | VoIP Authentication Framework | RFC 3711 (SRTP) |
| H.235.6 | Voice encryption for H.323 using AES | Media Encryption (AES-128/256) | IETF RFC 4568 |
| H.235.8 | Key exchange for SRTP over H.323 | SRTP Key Negotiation | RFC 3711 |
| H.248.1 | Gateway Control Protocol (GCP/Megaco) | Media Gateway Authentication | 3GPP TS 29.232 |
| H.248.91 | Transport security in TLS networks for H.248 | TLS for Signaling | RFC 5246 |
| H.Sup2 | Security guidelines for H.323 VoIP implementations | VoIP Hardening Baseline | NIST SP 800-58 |
Security Mapping
Toll Fraud via Unauthenticated H.323 / SIP Gateways
H.323 gatekeepers and SIP proxies without proper authentication (H.235.0) allow attackers to register rogue endpoints and route outbound calls through the operator's infrastructure — incurring International Revenue Share Fraud (IRSF) charges.
- Attack: Attacker registers a forged endpoint to an H.323 gatekeeper without GK authentication → places thousands of international calls through the operator's gateway
- Mitigation: Enforce H.235.0 authentication (password-based or PKI) on all gatekeeper registrations; rate-limit international call setups; monitor CDRs for velocity spikes
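The "monitor CDRs for velocity spikes" mitigation above, as an added example that is not part of this page or of any ITU-T text: a sliding-window check over constructed CDR lines that flags any registered endpoint exceeding a threshold of international call setups inside the window. The CDR format, the home country code, the window and the threshold are all assumptions chosen for the example.

```python
"""Flag endpoints whose international call-setup rate spikes (an IRSF indicator)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample CDRs (not from any real gateway):
# <setup time UTC> <registered endpoint alias> <dialled E.164 number> <duration s>
SAMPLE_CDRS = """\
2024-03-01T02:00:05Z ep-lobby-01 +14155550100 42
2024-03-01T02:00:40Z ep-sales-12 +442079460000 300
2024-03-01T02:01:02Z ep-rogue-77 +99912345001 600
2024-03-01T02:01:30Z ep-rogue-77 +99912345002 600
2024-03-01T02:02:01Z ep-rogue-77 +99912345003 600
2024-03-01T02:02:45Z ep-rogue-77 +99912345004 600
2024-03-01T02:03:10Z ep-rogue-77 +99912345005 600
2024-03-01T02:09:00Z ep-sales-12 +442079460001 120
"""

HOME_COUNTRY_CODE = "+1"          # assumption: the operator's home numbering plan
WINDOW = timedelta(minutes=5)     # sliding window evaluated per endpoint
MAX_INTL_PER_WINDOW = 3           # more than this many international setups -> alert


def parse_cdr(line):
    """Parse one whitespace-separated CDR line into (timestamp, endpoint, number, duration)."""
    ts, endpoint, number, duration = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), endpoint, number, int(duration)


def is_international(number, home=HOME_COUNTRY_CODE):
    """Treat any E.164 number outside the home country code as international."""
    return number.startswith("+") and not number.startswith(home)


def detect_velocity_spikes(cdr_text, window=WINDOW, threshold=MAX_INTL_PER_WINDOW):
    """Return {endpoint: (time of first breach, international setups in window)}.

    Only international setups are counted, so domestic traffic never triggers."""
    recent = defaultdict(deque)   # endpoint -> timestamps of recent international setups
    alerts = {}
    records = sorted(parse_cdr(l) for l in cdr_text.splitlines() if l.strip())
    for ts, endpoint, number, _duration in records:
        if not is_international(number):
            continue
        q = recent[endpoint]
        q.append(ts)
        while ts - q[0] > window:     # drop setups that fell out of the window
            q.popleft()
        if len(q) > threshold and endpoint not in alerts:
            alerts[endpoint] = (ts, len(q))
    return alerts


if __name__ == "__main__":
    for ep, (when, n) in detect_velocity_spikes(SAMPLE_CDRS).items():
        print(f"ALERT {ep}: {n} international setups within {WINDOW} as of {when:%H:%M:%S}Z")
```

In production the same logic runs over the gatekeeper's live CDR feed and the alert feeds the rate-limit or de-registration action; the per-endpoint key is what distinguishes a single rogue registration from a busy but legitimate site.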
Unencrypted Media — RTP Eavesdropping
Legacy H.323 and many SIP deployments transmit audio via unencrypted RTP. On shared network segments (enterprise LANs, shared interconnect), any on-path observer can reconstruct the voice stream.
- Attack: ARP spoofing / passive monitoring on LAN segment → Wireshark decodes RTP streams → call audio recovered in real time
- Mitigation: Enforce H.235.6 / SRTP (RFC 3711) for all media paths; require H.235.8 key exchange to establish SRTP sessions; verify no RTP fallback is configured in the session negotiation
H.248 (Megaco) Control Plane Hijacking
The H.248 protocol controls Media Gateways (MGWs) — the nodes that bridge PSTN and IP. An attacker who gains access to the H.248 control channel can redirect calls, insert audio, or take down the gateway.
- Attack: The H.248 MGC (Media Gateway Controller) typically sits on an exposed management VLAN; unauthorized MGC impersonation allows call redirection, or DoS via malformed H.248 messages
- Mitigation: Deploy H.248.91 (TLS) on all Megaco interfaces; authenticate MGC-to-MGW sessions via mutual TLS certificates; isolate H.248 signaling on a dedicated, firewalled VLAN
```mermaid
sequenceDiagram
    participant Caller as Calling Endpoint
    participant GK as H.323 Gatekeeper (H.235.0)
    participant GW as Media Gateway (H.248.91)
    participant PSTN as PSTN / Peer Network
    Caller->>GK: ARQ (Admission Request + Auth Token)
    GK->>GK: Verify H.235.0 credential
    GK-->>Caller: ACF (Confirm) or ARJ (Reject)
    Caller->>GW: H.245 Capability Exchange (H.235.6 AES offer)
    GW-->>Caller: SRTP key agreement (H.235.8)
    Caller->>GW: Encrypted RTP (AES-128 SRTP)
    GW->>PSTN: PCM / TDM (G.711) via H.248 TLS control
```
> [!NOTE] This series is part of the master Series Tracker.