Security Concerns with Trixbox

Trixbox is a popular platform that packages our PBX application on top of Asterisk on a CentOS based distribution. There has been some recent news concerning bad security practices and potential privacy issues. In the best interest of all of our installed base, it is our hope that Fonality, the sponsors of Trixbox, will actively contact their installed base to make them aware of this serious security issue which could significantly compromise customer systems if not addressed quickly.

The privacy issues that are being discussed are not the topic of our concern and are between Fonality and their customer base. Our concern is the mechanism that they have used to implement the [i]phone home[/i] solution. You can read details in [i][url=http://www.trixbox.org/forums/trixbox-forums/open-discussion/trixbox-phones-home]this Trixbox thread[/url][/i] as well as other discussions on their forum and elsewhere.

The summary of the issue is they have installed a cron job which contacts the Fonality servers on a nightly basis, downloads a set of commands, executes those commands as root, and then sends data back to the their servers. In the wrong hands, this becomes a [i]trojan horse[/i] and the magnitude of disaster that it could create if their servers were compromised from outside or from disgruntled employees, or from compromised DNS servers (man in the middle) is immense.

In the above thread it is mentioned that FreePBX [i]phone’s home[/i] as well. Instead of splitting hairs over definitions, let me make it perfectly clear what FreePBX does. Most of you are aware of our [i]Online Module Repository[/i] that provides easy updates to new versions of FreePBX and its modules (vs. pulling tarballs manually). When you access our server, we transmit the following information: FreePBX and Asterisk version numbers and a unique identification number that is generated at installation time and can not be traced back to you. We generate this number by taking an md5sum hash of your MAC address. If you are running in a virtual environment such as a VMware or Xensource system we create the hash randomly. (We generate this so we don’t have to use IP addresses which can often be traced back to you, or when dynamic, doesn’t allow accurate information to be kept.) We use this information to properly serve your upgrades as we need to know what version of FreePBX you are running. In addition, we use this information to help us during beta programs. You may recall the [url=/news/2007-08-23/freepbx-2-3-0-and-new-website-simultaneously-released]statistics[/url] that I fed back to you during the FreePBX 2.3 Beta program that helped us gauge the level of beta and Asterisk 1.4 coverage. The Asterisk and FreePBX version statistics also helps us make good development decisions to serve our customer base.
This information is transmitted when you click on [i]Check for Updates Online[/i] or nightly if you have chosen to have updates checked for you. (The nightly checks execute the exact same code as the manual check, there is no difference).
If we ever wanted to obtain more detailed information about your system, it would be an opt-in only basis, the code would be there for you to see and we would never implement something that could pull arbitrary commands from a server just waiting to be compromised.

If there are any questions or concerns with FreePBX, please start the discussion in the Forum or contact me offline.

Philippe – On behalf of the FreePBX Team

Are You Interested in a Training & Certification Course?

We have had numerous requests to put on a training seminar to provide deeper knowledge of FreePBX, General PBX maintenance and how to market and sell against the traditional providers. We are investigating doing such a multi-day training course and would like to know your interest in such. We have heard from users who have been to courses put on by other organizations that they would like to see something from us that takes it up a notch as well as focuses purely on the FreePBX based market (regardless of which Distro you choose to use). And we have also heard that you are looking for such a course that includes testing and certification to demonstrate your knowledge to your customers and employers.

So, we would like to hear from you if this is something you would like and would pay typical rates to attend? We are considering something in the March time frame if the response is positive but we need to know in advance if there is adequate interest to make commitments for hotel space and training rooms.

If you would like to attend, is there a preference in locations? We have considered locations such as Las Vegas, Chicago and Charlotte, NC.

Please let us know through responses to this post, we look forward to hearing what our community is looking for in this space?

Philippe – on behalf of the FreePBX team