Back on August 22nd, Radu State from the Madynes research group in France posted a security advisory to the VOIPSEC mailing list, “Remote eavesdropping with SIP Phone GXV-3000”. He also posted it to full-disclosure and several other lists. As he writes:
While playing with the SIP Madynes stateful fuzzer, we have realized that some SIP stack engines have serious bugs allowing an attacker to automatically make a remote phone accept the call without ringing and without asking the user to take the phone from the hook, such that the attacker might be able to listen to all conversations that take place in the remote room without being noticed.
The Madynes team also included the Perl exploit script in the advisory, enabling anyone wishing to test this to easily execute the attack. They indicate that they have found this vulnerability in several SIP stacks and that they are disclosing the Grandstream case because Grandstream was apparently notified of the issue back in May. They indicate that “fixed software will be available from the vendor” – however, as of today, Grandstream’s firmware page is still showing the same load as the one the researchers found to be vulnerable. Unless I missed it, I can’t seem to find any page on Grandstream’s site dealing with security issues.
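As an added defender-side example (not code from the advisory or from the Madynes team), the following Python checks SIP signaling records for inbound INVITEs that a phone answered with 200 OK without ever sending 180 Ringing, and faster than a person could have picked up, which is the behaviour the advisory describes. The one-line-per-message log format and the sample lines are constructed for this illustration, not taken from any real device.

```python
import re
from datetime import datetime

# Constructed sample of a phone's SIP signaling, one message per line:
# "<ISO timestamp> <in|out> <method or status code> <Call-ID>"
SAMPLE_LOG = """\
2007-08-22T10:00:00.000 in INVITE a1b2@10.0.0.5
2007-08-22T10:00:00.120 out 180 a1b2@10.0.0.5
2007-08-22T10:00:06.400 out 200 a1b2@10.0.0.5
2007-08-22T10:05:00.000 in INVITE c3d4@10.0.0.9
2007-08-22T10:05:00.050 out 200 c3d4@10.0.0.9
2007-08-22T10:10:00.000 in INVITE e5f6@10.0.0.12
2007-08-22T10:10:02.500 out 200 e5f6@10.0.0.12
"""

LINE_RE = re.compile(r"^(\S+) (in|out) (\S+) (\S+)$")


def parse_log(text):
    """Group SIP messages by Call-ID, preserving arrival order."""
    calls = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ts, direction, msg, call_id = m.groups()
        calls.setdefault(call_id, []).append(
            (datetime.fromisoformat(ts), direction, msg))
    return calls


def find_silent_answers(text, max_answer_secs=1.0):
    """Return Call-IDs of inbound INVITEs the phone answered (200 OK)
    without ever sending 180 Ringing / 183 Session Progress, and within
    max_answer_secs of the INVITE (too fast for a user to go off-hook)."""
    flagged = []
    for call_id, msgs in parse_log(text).items():
        invite_ts = next((t for t, d, m in msgs
                          if d == "in" and m == "INVITE"), None)
        if invite_ts is None:
            continue  # only inbound calls can be silently auto-answered
        rang = any(d == "out" and m in ("180", "183") for _, d, m in msgs)
        answer_ts = next((t for t, d, m in msgs
                          if d == "out" and m == "200"), None)
        if answer_ts is None or rang:
            continue  # never answered, or the phone did ring first
        if (answer_ts - invite_ts).total_seconds() <= max_answer_secs:
            flagged.append(call_id)
    return flagged
```

Raising `max_answer_secs` also catches slower answers that still skipped the ringing phase, at the cost of flagging a phone's legitimately configured auto-answer feature.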
The reason I mention this here, partly, is because the issue was slashdotted, based on the Sûnnet Beskerming article “Listen to SIP Phones Even When They are on the Hook”.
If you use Grandstream phones, I would suggest contacting Grandstream to find out when a fix may be available. If you are a producer of SIP phones, you might want to have a look at the exploit, which seems to be fairly straightforward, and see if your phones are vulnerable.