[VoiceOps] NOTICE: To all providers using the Grandstream HT502/HT503
Ryan Delgrosso
ryandelgrosso at gmail.com
Wed Feb 6 17:15:16 EST 2013
All,
Over the last few months we have uncovered a vulnerability in the HT502
that allows for theft of credentials from customer devices. I am sending
this out since the issue has now been resolved in a new release of
firmware BUT Grandstream have NOT sent out any kind of pro-active
notifications nor included this fix in their release notes for this
build. After conferring with some other sizable providers also using
this device at scale, they were able to "connect the dots" on their
up-tick in fraud based on our discovery.
First some history:
We currently have over 50,000 deployed HT502's in active customer service.
Beginning in December we saw an immediate and sizable up-tick in fraud
by easily an order of magnitude.
Statistical analysis of the fraud showed the ONLY linking factor to be
the fact that the compromised accounts were ALL using the HT502 device
AND had WAN port access enabled to the device, and we as the provider
were locked out (admin password changed, no longer provisioning from us
on scheduled interval)
After some digging and conferring with Grandstream technical gurus it
was confirmed there was a buffer overflow vulnerability that would allow
a remote attacker to change the admin password WITHOUT rebooting the
device or otherwise having any administrative access to it. Once the
password was changed the attacker could log in with the new password and
complete control. On all versions prior to 1.0.5.10 the SIP credentials
could be extracted from the admin website with the "Download config"
option. On versions up to 1.0.8.4 the sip credentials were STILL
extractable from the telnet interface if the provisioning values were
known by the attacker.
All of these vulnerabilities are fixed in version 1.0.9.1. I encourage
you to test and deploy this version ASAP.
I am sending this out in a purely advisory capacity in the hopes that
education will prevent further monetary damages. Please feel free to
contact me on or off list if you want to know more about this issue.
-Ryan
More information about the VoiceOps
mailing list