26 July 2011

PortaOne Alerts Its Customers About Potential Grandstream HT502 and GXW-4008 Phone Vulnerability to Hackers’ Attacks

As the VoIP industry grows and ITSPs around the world rapidly expand their customer networks, fraudulent activity in VoIP is increasing as well. Attackers attempt to gain access to the ITSP network by using the credentials of legitimate customers, and then inject traffic to expensive destinations such as premium-rate telephone numbers and mobile networks in developing countries.

PortaSwitch provides carrier-grade security and it is impossible for an unauthorized party to obtain customer credentials except by guessing a password. That would require trying all possible text combinations (so-called “brute-force password cracking”), and since PortaSwitch auto-generated passwords are “strong” (contain at least 8 digits and do not contain any easy-to-guess text strings such as qwerty), the process of cracking the password would require an extremely high number of attempts.

There have been a few recent security incidents though, where attackers obtained the required credentials using a security weakness in end-user equipment such as IP phones. Many IP phones contain a built-in configuration web server, used to remotely manage phone settings. The Grandstream HT502 phone provides such a configuration web interface with access to this interface protected by an administrator password.

The default administrator password for this user interface is well-known, so if a phone with a default configuration is connected to the Internet using a public IP address, anyone (including an attacker) can log in there and see the configuration settings. As shocking as it may seem, the clear-text password is openly displayed on this interface along with the other required credentials (SIP proxy address and username). Therefore an attacker can immediately see the password and use it on any VoIP equipment they own.

Currently only Grandstream HT502 and GXW-4008 phones are confirmed to have this vulnerability – but hackers may use this approach to retrieve the credentials from any other end-user system (such as an Asterisk server or Trixbox) where the default administrator login is either well known or not secure enough.

Customers are urged to:

  • Immediately review the activity of end-users using the affected models of phones
  • Check whether this problem may exist in other third-party IP phones used on your network
  • Use IP phone auto-provisioning tools in PortaBilling to allow easy management of IP phone configuration and eliminate the need for enabling the IP phone’s internal web-server
  • Ensure that the administrator’s default password for the phone’s built-in web interface is frequently changed (either using PortaSwitch phone auto-provisioning or manually)

In order to proactively fight VoIP fraud attempts, PortaOne is deploying additional tools to analyze suspicious activity on your network. These tools are available to all supported PortaOne customers running PortaSwitch MR21 or any later version as part of the PortaCare service at no extra cost.
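The first recommendation above is to review the activity of end-users whose credentials may have been harvested. Stolen SIP credentials typically show up in the CDRs as a sudden burst of calls to high-cost destinations, often outside business hours. The script below is an added example (not PortaOne's code and not the PortaSwitch fraud-analysis tooling mentioned above) that walks a set of constructed CDR records and flags accounts whose high-cost calling exceeds a threshold inside a sliding time window. The CDR layout, the `HIGH_COST_PREFIXES` table and the thresholds are assumptions; in practice the prefix list would come from the ITSP's own rate plan.

```python
"""
Added example, not PortaOne code: a minimal CDR review that flags account
activity consistent with toll fraud from stolen SIP credentials.
Assumptions: CDRs are (account, start time, called number, duration in
seconds); high-cost destinations are identified by number prefix.
"""
from collections import defaultdict
from datetime import datetime

# Assumed prefix table for premium-rate / expensive mobile destinations
# (constructed for this example; a real list comes from the billing rate plan).
HIGH_COST_PREFIXES = ("1900", "882", "252", "232")

# Constructed sample CDRs: (account, start time, called number, seconds).
# user1001 normally makes a few local calls, then at 02:00 a burst of long
# calls to expensive prefixes appears; user2002 makes one short such call.
SAMPLE_CDRS = [
    ("user1001", "2011-07-25 09:12:00", "16045551234", 240),
    ("user1001", "2011-07-25 10:40:00", "16045559876", 60),
    ("user1001", "2011-07-26 02:01:00", "2527001122", 600),
    ("user1001", "2011-07-26 02:03:00", "2527001133", 610),
    ("user1001", "2011-07-26 02:05:00", "2527001144", 590),
    ("user1001", "2011-07-26 02:07:00", "8821234567", 900),
    ("user2002", "2011-07-26 11:00:00", "16045550000", 120),
    ("user2002", "2011-07-26 11:30:00", "2527005555", 30),
]


def is_high_cost(number):
    """True if the called number falls in an expensive destination range."""
    return any(number.startswith(p) for p in HIGH_COST_PREFIXES)


def review_cdrs(cdrs, window_hours=1, max_calls=3, max_minutes=20):
    """Return {account: [reasons]} for accounts whose high-cost calls exceed
    max_calls or max_minutes of talk time within any window_hours window.
    'off-hours' is added as a supporting signal only when another reason fired."""
    per_account = defaultdict(list)
    for account, start, number, seconds in cdrs:
        if is_high_cost(number):
            started = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
            per_account[account].append((started, seconds))

    flagged = {}
    for account, calls in per_account.items():
        calls.sort()
        reasons = set()
        for i, (t0, _) in enumerate(calls):
            # All high-cost calls starting within window_hours of this one.
            window = [c for c in calls[i:]
                      if (c[0] - t0).total_seconds() <= window_hours * 3600]
            if len(window) > max_calls:
                reasons.add("call-count")
            if sum(s for _, s in window) / 60 > max_minutes:
                reasons.add("talk-time")
        if reasons and any(t.hour < 6 for t, _ in calls):
            reasons.add("off-hours")
        if reasons:
            flagged[account] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    for account, reasons in review_cdrs(SAMPLE_CDRS).items():
        print(f"{account}: {', '.join(reasons)}")
```

With the sample data, `user1001` is reported for call count, talk time and off-hours activity, while `user2002`'s single short call stays below every threshold. Thresholds should be tuned per customer class: a call centre legitimately exceeds what would be alarming for a residential account, and the baseline for each account (its usual destinations and calling hours) is a better reference than a global number.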

Please contact the PortaOne support team for more details.



Toll-free calls (phone & Skype)
+1 866 747 8647
Calls & faxes from abroad:
+1 604 628 2508

PortaOne, Inc.
Suite 408, 2963 Glen Drive
Coquitlam, BC, V3B 2P7
