ALERT Grandstream Backdoor

tbrummell

That link just goes to Grandstream's GDMS propaganda page. Got a more direct source for the issue?
 

wardmundy

[Image attachment: EJ_SZUeXsAAnG5M]
 

tbrummell

Well that's a fun little tidbit, isn't it. Not sure how I'd feel about that if I were a customer, but I bet the NSA *LOVES* it!
 

wardmundy

It's apparently baked into the firmware of every new Grandstream phone. But... there's a simple solution. Return here on Black Friday.
 

jerrm

Appears to be mostly FUD.

I haven't tested every model, but a GXP2160 with the new firmware makes no off-net connections with the most basic changes:
  1. Change/Clear Config Server Path
  2. Change/Clear Firmware Server Path
  3. Change/Clear TR069 Server Path
  4. Disable Auto-Location Service
  5. Disable the Weather App
  6. Change the NTP Server
If you're not already doing the first three, then you don't care about security. Four, Five and Six are just good practice.

GS wants and promotes zero-config/out-of-the-box "plug in and it works" config. An argument could be made that out-of-the-box behavior could be different, maybe show an "Auto Configure" prompt instead.

If you choose to use GDMS, then you are choosing to trust the service.
 

Tonyclewis

As the guy who made the comments on FB, it for sure is not FUD. Grandstream, after pushing them numerous times, admitted that yes, the phone has a constant connection back to them, allowing their cloud system to send commands to the phone in real time.

You now have a phone on your LAN, protected by what you thought was your firewall, that can now do whatever it wants on your network from their cloud system, including starting a PCAP using web socket connections from their cloud system. How is this not scary?

On top of that, their defense was "but nobody in Grandstream has access to your cloud system that you set up." That is also not comforting. It's their software, running on their cloud stack. Of course they have access to it and can do anything they want, or imagine they get hacked, or when the inevitable security vulnerability is found on the cloud system.

All new firmware from them supports this feature when paired with their Cloud manager system.
 

jerrm

Then don't use GDMS - problem solved.

I don't think there was anything to admit - TR-069 is intended to be bidirectional. What you seem to be surprised about is expected behavior in my view.

Using any 3rd party provisioning already requires trusting them with every setting on the phone down to firmware. Again, if you choose to use GDMS, you choose to trust the service. If you don't trust it, the benefits don't outweigh the risks, etc., then clear the config server paths.

Once the config paths are cleared and web apps are disabled, the phone is silent. It does not connect to anything not configured.
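
One way to check the "phone is silent" claim above against your own firewall flow logs, as an added example that is not part of the original posts. The log format, addresses, allowlist and long-lived threshold are all assumptions constructed for illustration:

```python
import ipaddress

# Constructed sample records: "timestamp src dst dport proto duration_s".
SAMPLE_FLOWS = """\
2024-01-01T10:00:01 192.168.10.51 192.168.10.5 5060 udp 30
2024-01-01T10:00:02 192.168.10.51 192.168.10.1 123 udp 1
2024-01-01T10:00:09 192.168.10.52 203.0.113.40 443 tcp 86400
2024-01-01T10:00:11 192.168.10.52 198.51.100.7 123 udp 1
2024-01-01T10:00:15 192.168.10.20 203.0.113.99 443 tcp 12
this line is malformed
"""

LAN = ipaddress.ip_network("192.168.10.0/24")        # assumed site LAN
PHONES = ipaddress.ip_network("192.168.10.48/28")    # assumed phone address range
ALLOWED = {ipaddress.ip_address("192.168.10.5"),     # assumed PBX / config server
           ipaddress.ip_address("192.168.10.1")}     # assumed local NTP server
LONG_LIVED_S = 3600  # assumed threshold for a standing connection


def audit(flow_text):
    """Return (src, dst, dport, proto, reason, long_lived) for each phone flow
    whose destination is not an explicitly configured server."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records
        _, src, dst, dport, proto, dur = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport, dur = int(dport), int(dur)
        except ValueError:
            continue
        if src_ip not in PHONES or dst_ip in ALLOWED:
            continue
        reason = "unlisted-internal" if dst_ip in LAN else "off-net"
        findings.append((src, dst, dport, proto, reason, dur >= LONG_LIVED_S))
    return findings


def noisy_phones(findings):
    """Phones that still need their server paths and apps reviewed."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f)
```

In the sample, the phone at 192.168.10.52 is flagged twice: once for a day-long TCP/443 flow and once for NTP to an outside server, while 192.168.10.51 only talks to allowlisted hosts.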
 
