Skip to main content
Sandro Gauci

Sandro Gauci, Enable Security

How to turn a Grandstream SIP phone into a remote bug

Published on Aug 24, 2007 in ,

The “Institut National de Recherche en Informatique” has done it again. They released details of their research regarding the Grandstream GXV-3000 SIP phone - specially on a bug that allows one to crash the phone, and set it off the hook without ringing. This last exploit effectively turns such phones into a spying device, allowing crooks and other evil entities to discretely listen on conversations in a room where the phone is installed.

Apparently, it is not just these Grandstream devices that are vulnerable to the same attack, but it affects “some SIP stack engines”. The trick is to send a “183 Session Progress” SIP message to the phone following an INVITE request, which in turn makes it go all fuzzy and start sending RTP packets to the attacker. The full-disclosure post further illustrates this with a example code in perl.

Meanwhile, all this wouldn’t have been possible for the Institute without using their SIP stateful fuzzer. The paper presenting this project can be found here. Least that I can say is that this is very cool stuff.

Sandro Gauci

Sandro Gauci

CEO, Chief Mischief Officer at Enable Security

Sandro Gauci leads the operations and research at Enable Security. He is the original developer of SIPVicious OSS, the SIP security testing toolset. His role is to focus on the vision of the company, design offensive security tools and engage in security research and testing. Therefore, he is the proud owner of the title of Chief Mischief Officer at Enable Security.

He offers public office hours and is reachable here.