The SIP Digest leak
March 22, 2009
There is a security flaw that makes a VoIP adapter send out its password. How serious is this flaw?
Sandro Gauci demonstrated in this video how a VoIP analog adapter hands its credentials to the other phone in a call. It is a lab setup, but it is still possible in the real world.
First, the SIP messages should appear to come from the SIP Registrar (although many user-agents also accept them when sent directly). Most VoIP SIP user-agents only accept SIP messages from the SIP Registrar they are registered with. So you either fake the packets from the SIP Registrar, in which case you have to be in-line with the traffic to receive the response, or you get a real account on the SIP Registrar/Proxy and hope they do not filter these messages.
Second, you need to know the extension. This could be anything from a 3-digit number to a user name of varying length made up of numbers and letters.
Third, the password you receive is MD5 hashed, not sent in the clear, so you will need to brute-force it. If it is shorter than 8 digits/letters, that is really no problem for today's computers.
Yes, it is possible, but it does take some time and several requirements must be met. The easiest way is still (IMHO) to sniff the hourly REGISTER message (which contains the same MD5-hashed password).
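To make the three requirements above concrete, here is an added example (not code from the post or from Sandro Gauci's tool) that does the registrar side of the exchange: it parses the Digest credential out of a REGISTER, recomputes the RFC 2617 response for a given password and compares it. The same calculation is what a registrar runs on the hourly REGISTER, which is why a sniffed REGISTER is just as good as the BYE trick, and the cost of one comparison is a few MD5 operations, which is why a short password falls quickly. It also shows the client-side policy the text mentions, answering a 401/407 challenge only when it comes from the registrar the phone is bound to. All message values (extension 101, realm pbx.example.test, nonce, addresses) are constructed for the example, and the digest is computed without a qop parameter, which is an assumption about the adapter's challenge.

```python
import hashlib
import hmac
import re


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest response as used by SIP (RFC 3261 section 22).
    Assumption: no qop parameter, so no cnonce/nonce-count fields.
    HA2 depends only on the message, so re-checking a new password
    guess against a captured response costs two MD5 operations."""
    ha1 = _md5hex(f"{username}:{realm}:{password}")
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{ha2}")


AUTH_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_sip(msg: str):
    """Split a SIP message into (start line, {lowercased header: value})."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_digest(value: str) -> dict:
    """Parse 'Digest k="v", k2=v2' into a dict of lowercased keys."""
    if not value.lower().startswith("digest "):
        raise ValueError("not a Digest credential")
    return {
        m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
        for m in AUTH_PARAM.finditer(value[len("digest "):])
    }


def verify_request(msg: str, password: str) -> bool:
    """Registrar-side check: does the Digest response match this password?"""
    request_line, headers = parse_sip(msg)
    method = request_line.split()[0]
    auth = headers.get("authorization") or headers.get("proxy-authorization")
    if auth is None:
        return False
    try:
        p = parse_digest(auth)
        expected = digest_response(p["username"], p["realm"], password,
                                   method, p["uri"], p["nonce"])
        return hmac.compare_digest(expected, p["response"])
    except (KeyError, ValueError):
        return False


def should_answer_challenge(src_ip: str, registrar_ip: str, status_line: str) -> bool:
    """Client-side policy from the post: only answer a 401/407 challenge
    that comes from the registrar we are bound to. A challenge from any
    other address (e.g. the far end of a call replying to our BYE) is refused."""
    parts = status_line.split()
    is_challenge = (len(parts) >= 2 and parts[0].startswith("SIP/2.0")
                    and parts[1] in ("401", "407"))
    if not is_challenge:
        return True  # not a challenge, nothing to gate
    return src_ip == registrar_ip


def build_sample_register(password: str) -> str:
    """Constructed REGISTER, as an adapter would send it after a challenge.
    Every value here is made up for the example."""
    user, realm, uri, nonce = "101", "pbx.example.test", "sip:pbx.example.test", "0a1b2c3d"
    resp = digest_response(user, realm, password, "REGISTER", uri, nonce)
    return (
        f"REGISTER {uri} SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample\r\n"
        f"From: <sip:{user}@{realm}>;tag=1928\r\n"
        f"To: <sip:{user}@{realm}>\r\n"
        "Call-ID: a84b4c@192.0.2.10\r\n"
        "CSeq: 2 REGISTER\r\n"
        f'Authorization: Digest username="{user}", realm="{realm}", nonce="{nonce}", '
        f'uri="{uri}", response="{resp}", algorithm=MD5\r\n'
        "Content-Length: 0\r\n\r\n"
    )


if __name__ == "__main__":
    msg = build_sample_register("1234")
    print("correct password verifies:", verify_request(msg, "1234"))
    print("wrong password verifies:  ", verify_request(msg, "1235"))
    print("answer 407 from stranger: ",
          should_answer_challenge("203.0.113.7", "192.0.2.1",
                                  "SIP/2.0 407 Proxy Authentication Required"))
```

Two things the code makes visible: the response reveals nothing by itself, but verifying a candidate is cheap and needs no interaction with the phone, so the only thing standing between a captured response and the password is the size of the password space; and a phone that applies `should_answer_challenge` never produces the response for anyone but its registrar, which removes the BYE trick (though not sniffing of the REGISTER itself).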
Just tested this on Linksys SPA2100, Grandstream GXV3000 and Fritz7270 (in LAN client mode), and it worked to get the password from all of them. This is bad… really bad… further updates are coming.