Voluntary bug in some SIP IP phones?
Looking at the published SIP exploit against a Grandstream IP phone [1], one could quickly conclude that this was more a feature than a bug; for what purpose is the real question to ask.
The exploit schematic [2] is really simple, and the text-based SIP message format eases this kind of attack, but also our comprehension of it:
    attacker                                      GXV-3000
        |  ------------- INVITE ----------------->   |
        |  <------------ 100 Trying --------------   |
        |  <------------ 180 Ringing -------------   |
        |  ------------- 183 Session Progress --->   |
        |  <============ RTP flow ================   |
What we can see is that a 183 message is sent back to the phone although the session had not been confirmed by an OK message (which is sent when the user picks up). The 183 message is described in RFC 3261 as follows:
The 183 (Session Progress) response is used to convey information
about the progress of the call that is not otherwise classified. The
Reason-Phrase, header fields, or message body MAY be used to convey
more details about the call progress.
We are talking here about "call progress", not about an established call. So why push the RTP flow afterwards? It is a very strange reaction within the process itself, isn't it?
This is why I do not think it is a bug; maybe a side effect. We will probably never know.
Anyway, in order to avoid such an exploit (not the attack itself, since the code could still be present), the best thing is probably to turn on the security features around SIP: TLS for the SIP transport, with certificates, and SRTP for the voice transport. These are not yet fully implemented on most equipment, but they are the only way to quickly avoid such bad publicity and to continue the adoption of VoIP.
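As an added example (not code from the original post, nor from Grandstream), the following Python script replays the flow above from the phone's point of view and flags the two things a defender would want alerted on: a response arriving for an INVITE the phone received rather than sent, and media starting before a 200 OK. It also checks the recommendation of the last paragraph by inspecting the Via transport and the SDP media profile for TLS and SRTP. The addresses, Call-ID and messages are constructed sample data, and the (direction, payload) event format is an assumption of this example, not a real capture format.

```python
# Added example: audit a SIP dialog as seen from the phone. All addresses,
# Call-ID values and messages are constructed sample data (192.0.2.0/24 is
# documentation address space); the event format is this example's own.

SIP_VERSION = "SIP/2.0"
CALL_ID = "a84b4c76e66710@192.0.2.10"   # constructed


def parse_sip(raw):
    """Parse one SIP message into kind/status/method, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    start, *header_lines = head.split("\n")
    msg = {"headers": {}, "body": body}
    if start.startswith(SIP_VERSION + " "):            # status line
        _, code, reason = start.split(" ", 2)
        msg.update(kind="response", status=int(code), reason=reason)
    else:                                               # request line
        method, uri, _ = start.split(" ")
        msg.update(kind="request", method=method, uri=uri)
    for line in header_lines:
        name, _, value = line.partition(":")
        msg["headers"][name.strip().lower()] = value.strip()
    return msg


def transaction_key(msg):
    # Call-ID plus CSeq identifies the INVITE transaction on both sides.
    return msg["headers"]["call-id"], msg["headers"]["cseq"]


def audit_dialog(events):
    """events: (direction, payload) pairs from the phone's point of view.
    direction is 'in' (arrives at the phone) or 'out' (sent by the phone);
    payload is a SIP message string or the marker 'RTP'. Returns findings."""
    findings = []
    received_invites = set()   # transactions where the phone is the callee
    confirmed = set()          # transactions that saw a 2xx final response
    for direction, payload in events:
        if payload == "RTP":
            if not confirmed:
                findings.append("media started before any 200 OK")
            continue
        msg = parse_sip(payload)
        key = transaction_key(msg)
        if msg["kind"] == "request" and msg["method"] == "INVITE" and direction == "in":
            received_invites.add(key)
        elif msg["kind"] == "response":
            # A callee must never be fed a response for a transaction it did
            # not originate; this is exactly the 183 in the flow above.
            if direction == "in" and key in received_invites:
                findings.append(f"{msg['status']} {msg['reason']} received "
                                "for an INVITE the phone did not send")
            if 200 <= msg["status"] < 300:
                confirmed.add(key)
    return findings


def audit_transport(msg):
    """Flag signalling not carried over TLS and SDP audio not using SRTP."""
    findings = []
    if not msg["headers"].get("via", "").upper().startswith("SIP/2.0/TLS"):
        findings.append("SIP transport is not TLS")
    for line in msg["body"].splitlines():
        if line.startswith("m=audio") and "RTP/SAVP" not in line:
            findings.append("audio media offered without SRTP (RTP/AVP)")
    return findings


def sip_request(method, via_transport="UDP", sdp=""):
    return (f"{method} sip:phone@192.0.2.20 SIP/2.0\r\n"
            f"Via: SIP/2.0/{via_transport} 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
            "From: <sip:caller@192.0.2.10>;tag=1928301774\r\n"
            "To: <sip:phone@192.0.2.20>\r\n"
            f"Call-ID: {CALL_ID}\r\nCSeq: 1 {method}\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n{sdp}")


def sip_response(code, reason):
    return (f"SIP/2.0 {code} {reason}\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
            f"Call-ID: {CALL_ID}\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")


def exploit_trace():
    """The flow from the post: a 183 is pushed at the callee, RTP follows."""
    return [("in", sip_request("INVITE")), ("out", sip_response(100, "Trying")),
            ("out", sip_response(180, "Ringing")),
            ("in", sip_response(183, "Session Progress")), ("out", "RTP")]


def normal_trace():
    """A normally answered call: the phone itself sends 200 OK before media."""
    return [("in", sip_request("INVITE")), ("out", sip_response(100, "Trying")),
            ("out", sip_response(180, "Ringing")), ("out", sip_response(200, "OK")),
            ("in", sip_request("ACK")), ("out", "RTP")]


if __name__ == "__main__":
    print("normal :", audit_dialog(normal_trace()))
    print("exploit:", audit_dialog(exploit_trace()))
    offer = sip_request("INVITE", "UDP", "v=0\r\nm=audio 49170 RTP/AVP 0\r\n")
    print("offer  :", audit_transport(parse_sip(offer)))
```

The dialog audit keys on the one property the post highlights: a callee has no business accepting a provisional response, whatever its code, for an INVITE it received, and media should not leave the phone before the phone itself has sent a 2xx. The transport audit is only a policy check on what the signalling claims (Via transport and the SDP profile); it does not verify that the TLS session or SRTP keys are actually in place.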
[1] See Slashdot, for example.
[2] See "Remote eavesdropping with SIP Phone GXV-3000".
Posted by: Alexandre Chauvin-Hameau, on 08/29/2007. Tagged: grandstream, informations, IP phone, security, SIP.