SIPConfusion: Exploiting SIP Semantic Ambiguities for Caller ID and SMS Spoofing
Qi Wang
Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Cloud Security
The **Session Initiation Protocol (SIP)** underpins modern voice, video, and messaging infrastructure -- from VoIP (projected at **$326 billion by 2032**) to **Rich Communication Services (RCS)** with over **1 billion active users** across 90 carriers in 60 countries. This talk introduces **SIP Confusion**, a new class of spoofing attacks that exploits **semantic ambiguities** between how SIP servers parse identity headers and how client devices display them. Using an automated fuzzing framework called **SIP Camera**, the researchers found that **over 80% of server-client combinations** are vulnerable. In tests against three major carrier networks serving **billions of users**, all three were vulnerable to caller ID and SMS spoofing via SIP Confusion -- including spoofed messages appearing to come from **911**. When a victim's device doesn't support RCS, spoofed messages fall back to traditional **SMS delivery across 2G, 3G, 4G, and 5G networks**. Nine vendors acknowledged the findings, eight confirmed the vulnerabilities, six deployed fixes, and carriers formed **dedicated teams** to address the issues.
AI review
A devastating new class of caller ID and SMS spoofing attacks exploiting semantic ambiguities in SIP parsing across servers and clients. 80%+ of combinations vulnerable, three major carriers compromised, RCS-to-SMS fallback extends impact to billions of users across all network generations. This is real-world telecom exploitation at scale.