[VoiceOps] NOTICE: To all providers using the Grandstream HT502/HT503

Ryan Delgrosso ryandelgrosso at gmail.com
Wed Feb 6 17:34:57 EST 2013

Plausible since I see a firmware release for the same and based on my 
experience they largely share the same codebase.

On 02/06/2013 02:29 PM, Erik Flournoy wrote:
> Hey do you know if that affcts the GXW as well?
> Erik Flournoy
> 808-426-4527
> 301-218-7325
> This e-mail message, including any attachments from EESPRO.com - 
> contain information which is CONFIDENTIAL AND/OR LEGALLY PRIVILEGED. 
> The information is intended only for the use of the individual named 
> above and may not be disseminated to any other party without written 
> permission. If you are not the intended recipient, or the employee or 
> agent responsible for delivering the message to the intended 
> recipient, you are hereby notified that any dissemination, disclosure, 
> distribution, copying or taking of any action in reliance on the 
> contents of this e-mailed information is strictly prohibited. If you 
> have received this transmission in error, please immediately notify 
> info at eespro.com <mailto:info at eespro.com>, and permanently delete this 
> e-mail and the attachments hereto, if any, and destroy any printout 
> thereof.
> On Wed, Feb 6, 2013 at 12:15 PM, Ryan Delgrosso 
> <ryandelgrosso at gmail.com <mailto:ryandelgrosso at gmail.com>> wrote:
>     All,
>     Over the last few months we have uncovered a vulnerability in the
>     HT502 that allows for theft of credentials from customer devices.
>     I am sending this out since the issue has now been resolved in a
>     new release of firmware BUT Grandstream have NOT sent out any kind
>     of pro-active notifications nor included this fix in their release
>     notes for this build. After conferring with some other sizable
>     providers also using this device at scale, they were able to
>     "connect the dots" on their up-tick in fraud based on our discovery.
>     First some history:
>     We currently have over 50,000 deployed HT502's in active customer
>     service.
>     Beginning in December we saw an immediate and sizable up-tick in
>     fraud by easily an order of magnitude.
>     Statistical analysis of the fraud showed the ONLY linking factor
>     to be the fact that the compromised accounts were ALL using the
>     HT502 device AND had WAN port access enabled to the device, and we
>     as the provider were locked out (admin password changed, no longer
>     provisioning from us on scheduled interval)
>     After some digging and conferring with Grandstream technical gurus
>     it was confirmed there was a buffer overflow vulnerability that
>     would allow a remote attacker to change the admin password WITHOUT
>     rebooting the device or otherwise having any administrative access
>     to it. Once the password was changed the attacker could log in
>     with the new password and complete control. On all versions prior
>     to the SIP credentials could be extracted from the admin
>     website with the "Download config" option. On versions up to
> the sip credentials were STILL extractable from the telnet
>     interface if the provisioning values were known by the attacker.
>     All of these vulnerabilities are fixed in version I
>     encourage you to test and deploy this version ASAP.
>     I am sending this out in a purely advisory capacity in the hopes
>     that education will prevent further monetary damages. Please feel
>     free to contact me on or off list if you want to know more about
>     this issue.
>     -Ryan
>     _______________________________________________
>     VoiceOps mailing list
>     VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>
>     https://puck.nether.net/mailman/listinfo/voiceops

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20130206/558e677d/attachment.html>

More information about the VoiceOps mailing list