Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

The SIP Digest leak

There is a security flaw that makes a VoIP adapter send out its password. How serious is this flaw?

Sandro Gauci demonstrated on this video how a voip analog adapter sends the credentials to the other ringer. This is a lab setup, but still possible in the real world.

First, you need should be sending the traffic from the SIP Registrar (but a lot of user-agents works to send directly as well). Most VoIP SIP user-agents only accepts SIP messages from the SIP Registrar they are connected up to. Either fake the packets from the SIP Registrar, but be in-line of the traffic to receive the response, or get a real account on the SIP Registrar/Proxy and hope they do not filter these messages.

Second, you need to know the extension. This could be all from a 3-digit number, to a user name with numbers and letters of varying length.

Third, the password you receive is encrypted with MD5. You will need to brute-force this. If it is below 8 digits/letters, this is really no problem for todays computer.


Yes it is possible, but it does take some time and several requirements must be met. The easiest way is still (IMHO) to sniff the hourly REGISTER message (which contains the same MD5 hashed password).


Just tested this on Linksys SPA2100, Grandstream GXV3000 and Fritz7270(in LAN client mode) and it worked to get the password from all of them. This is bad… really bad… further updates are coming..


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: