Voice over VoIP (VoVoIP) is a proof-of-concept attack that demonstrates a new type of VoIP threat, the VoIP covert channel. With VoVoIP, you can establish a hidden conversation by embedding further-compressed voice data into regular PCM-based voice traffic (i.e. the G.711 codec). Anyone wire-tapping the conversation will therefore decode something completely different from the actual conversation, provided they are not aware that VoVoIP is in use. For demonstration purposes, VoVoIP streams music as cover audio while allowing users to talk in the background. More technical details can be found in the following section.

Unfortunately, VoVoIP raises serious security concerns about current VoIP deployments, since it exploits the VoIP covert channel vulnerability. A VoIP covert channel is a communication channel that a process can use to transfer information in a manner that violates the system security policy. Such attacks may use signaling protocols (e.g. SIP, H.323) and/or data transport protocols (e.g. RTP) to send information across the network in seemingly innocent VoIP traffic. Clearly, this technique can be extended to transfer arbitrary data, enabling various types of vandalism whose damage can amount to large financial losses. For example, emerging threats such as VoIP spam and botnets may work in tandem to transfer control signals or binary executables through VoIP covert channels. Some multi-level security systems may need to prohibit the use of VoIP altogether. It is important to note that at least one communicating party must be infected by a trojan in order to launch the attack. The receiver may be another infected VoIP client, or an attacker wire-tapping the network communication.
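
A defensive counterpart to the RTP-borne channel described above is an "active warden" at a media relay or session border controller that rewrites the low-order bits of G.711 samples in transit. The sketch below is an added example, not VoVoIP code: it assumes a channel that hides data in those low-order bits, which this page does not confirm for VoVoIP, and the names `split_rtp`, `scrub_g711` and `SAMPLE_PACKET` are illustrative.

```python
import struct

G711_PAYLOAD_TYPES = {0: "PCMU", 8: "PCMA"}  # static RTP payload types, RFC 3551

def split_rtp(packet: bytes):
    """Split an RTP v2 packet into (header, payload, padding, payload_type)."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    first = packet[0]
    offset = 12 + 4 * (first & 0x0F)            # fixed header plus CSRC list
    if first & 0x10:                            # header extension present
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        (ext_words,) = struct.unpack_from("!H", packet, offset + 2)
        offset += 4 + 4 * ext_words
    end = len(packet)
    if first & 0x20:                            # padding: last octet is its length
        pad = packet[-1]
        if pad == 0 or pad > end - offset:
            raise ValueError("bad padding length")
        end -= pad
    if offset > end:
        raise ValueError("header runs past end of packet")
    return packet[:offset], packet[offset:end], packet[end:], packet[1] & 0x7F

def scrub_g711(packet: bytes, bits: int = 1) -> bytes:
    """Force the `bits` low-order bits of every G.711 sample to zero.

    Assumption: the covert data rides in those bits. Header, padding and
    non-G.711 packets pass through unchanged.
    """
    if not 1 <= bits <= 3:
        raise ValueError("bits must be between 1 and 3")
    header, payload, padding, ptype = split_rtp(packet)
    if ptype not in G711_PAYLOAD_TYPES:
        return packet
    mask = 0xFF & ~((1 << bits) - 1)
    return header + bytes(b & mask for b in payload) + padding

# Constructed sample: one 20 ms PCMU packet (160 samples) with arbitrary bytes.
SAMPLE_PACKET = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234ABCD) + bytes(
    (i * 7) & 0xFF for i in range(160))

if __name__ == "__main__":
    cleaned = scrub_g711(SAMPLE_PACKET)
    # Count of set least-significant bits before and after scrubbing.
    print(sum(b & 1 for b in SAMPLE_PACKET[12:]), "->", sum(b & 1 for b in cleaned[12:]))
```

Scrubbing the payload does nothing against channels carried in signaling messages or RTP header fields, which need their own normalization.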