Grandstream Phone Vulnerability Security Issue Remote Backdoor Connection to 207.246.119.209:3478

Have you checked your router/firewall logs and disconcertingly see connections to an unknown IP 207.246.119.209:3478 from your Grandstream VOIP phones?

You're not alone and the Grandstream forums have discussed this issue.

However, even their own staff do not seem to be aware or are not disclosing what this connection is.

It is Grandstream's GDMS.cloud UCM Remote connect feature

This is the establishment to the STUN server and you can find their list of servers/info here.

It allows you to remotely provision and manage your devices and is enabled by default at least on later/newer firmware versions.  While this is a great feature and helpful for provisioning, it is still concerning since there is no obvious warning or disclosure on this when purchasing the phone.  It represents a huge tradeoff of security/privacy vs convenience.

The concern is that Grandstream, the government and hackers could potentially compromise your phone, your calls and even your network is it is essentially a back door to your network despite being on a protected LAN and firewall.  Others share the same concern here: https://www.voip-info.org/forum/threads/grandstream-backdoor.24096/

 

How To Disable The Remote 3478 Connection

Under "Advanced Settings" -> Enable TR-069 disable it by setting to to "No" and then click "Apply".

 

Manual Edit Cannot Disable

You can remove the P8209 entry or make it null or change it, and upload the config file, but the firmware seems to just default back and re-enable the STUN server.  The only solution is to block any DNS lookups to that host and block all traffic to that UDP port.


Tags:

grandstream, vulnerability, backdoor, router, firewall, logs, disconcertingly, connections, ip, voip, forums, disclosing, gdms, ucm, feature, establishment, stun, server, servers, info, allows, remotely, provision, devices, enabled, default, newer, firmware, versions, concerning, disclosure, purchasing, disabled, admin, config, entry, null, upload, enable, dns, lookups, udp,

Latest Articles

  • How To Add Windows 7 8 10 11 to GRUB Boot List Dual Booting
  • How to configure OpenDKIM on Linux with Postfix and setup bind zonefile
  • Debian Ubuntu 10/11/12 Linux how to get tftpd-hpa server setup tutorial
  • efibootmgr: option requires an argument -- 'd' efibootmgr version 15 grub-install.real: error: efibootmgr failed to register the boot entry: Operation not permitted.
  • Apache Error Won't start SSL Cert Issue Solution Unable to configure verify locations for client authentication SSL Library Error: 151441510 error:0906D066:PEM routines:PEM_read_bio:bad end line SSL Library Error: 185090057 error:0B084009:x509 certif
  • Linux Debian Mint Ubuntu Bridge br0 gets random IP
  • redis requirements
  • How to kill a docker swarm
  • docker swarm silly issues
  • isc-dhcp-server dhcpd how to get longer lease
  • nvidia cannot resume from sleep Comm: nvidia-sleep.sh Tainted: Linux Ubuntu Mint Debian
  • zfs and LUKS how to recover in Linux
  • [error] (28)No space left on device: Cannot create SSLMutex Apache Solution Linux CentOS Ubuntu Debian Mint
  • Save money on bandwidth by disabling reflective rpc queries in Linux CentOS RHEL Ubuntu Debian
  • How to access a disk with bad superblock Linux Ubuntu Debian Redhat CentOS ext3 ext4
  • ImageMagick error convert solution - convert-im6.q16: cache resources exhausted
  • PTY allocation request failed on channel 0 solution
  • docker error not supported as upperdir failed to start daemon: error initializing graphdriver: driver not supported
  • Migrated Linux Ubuntu Mint not starting services due to broken /var/run and dbus - Failed to connect to bus: No such file or directory solution
  • qemu-system-x86_64: Initialization of device ide-hd failed: Failed to get