[VoiceOps] NOTICE: To all providers using the Grandstream HT502/HT503

Ryan Delgrosso ryandelgrosso at gmail.com
Wed Feb 6 17:15:16 EST 2013 

All,
Over the last few months we have uncovered a vulnerability in the HT502 
that allows for theft of credentials from customer devices. I am sending 
this out since the issue has now been resolved in a new release of 
firmware BUT Grandstream have NOT sent out any kind of pro-active 
notifications nor included this fix in their release notes for this 
build. After conferring with some other sizable providers also using 
this device at scale, they were able to "connect the dots" on their 
up-tick in fraud based on our discovery.


First some history:

We currently have over 50,000 deployed HT502's in active customer service.

Beginning in December we saw an immediate and sizable up-tick in fraud 
by easily an order of magnitude.

Statistical analysis of the fraud showed the ONLY linking factor to be 
the fact that the compromised accounts were ALL using the HT502 device 
AND had WAN port access enabled to the device, and we as the provider 
were locked out (admin password changed, no longer provisioning from us 
on scheduled interval)

After some digging and conferring with Grandstream technical gurus it 
was confirmed there was a buffer overflow vulnerability that would allow 
a remote attacker to change the admin password WITHOUT rebooting the 
device or otherwise having any administrative access to it. Once the 
password was changed the attacker could log in with the new password and 
complete control. On all versions prior to 1.0.5.10 the SIP credentials 
could be extracted from the admin website with the "Download config" 
option. On versions up to 1.0.8.4 the sip credentials were STILL 
extractable from the telnet interface if the provisioning values were 
known by the attacker.

All of these vulnerabilities are fixed in version 1.0.9.1. I encourage 
you to test and deploy this version ASAP.


I am sending this out in a purely advisory capacity in the hopes that 
education will prevent further monetary damages. Please feel free to 
contact me on or off list if you want to know more about this issue.

-Ryan

More information about the VoiceOps mailing list