Security Concerns with Trixbox

Trixbox is a popular platform that packages our PBX application on top of Asterisk on a CentOS based distribution. There has been some recent news concerning bad security practices and potential privacy issues. In the best interest of all of our installed base, it is our hope that Fonality, the sponsors of Trixbox, will actively contact their installed base to make them aware of this serious security issue which could significantly compromise customer systems if not addressed quickly.

The privacy issues that are being discussed are not the topic of our concern and are between Fonality and their customer base. Our concern is the mechanism that they have used to implement the phone home solution. You can read details in this Trixbox thread as well as other discussions on their forum and elsewhere.

The summary of the issue is they have installed a cron job which contacts the Fonality servers on a nightly basis, downloads a set of commands, executes those commands as root, and then sends data back to the their servers. In the wrong hands, this becomes a trojan horse and the magnitude of disaster that it could create if their servers were compromised from outside or from disgruntled employees, or from compromised DNS servers (man in the middle) is immense.

In the above thread it is mentioned that FreePBX phone’s home as well. Instead of splitting hairs over definitions, let me make it perfectly clear what FreePBX does. Most of you are aware of our Online Module Repository that provides easy updates to new versions of FreePBX and its modules (vs. pulling tarballs manually). When you access our server, we transmit the following information: FreePBX and Asterisk version numbers and a unique identification number that is generated at installation time and can not be traced back to you. We generate this number by taking an md5sum hash of your MAC address. If you are running in a virtual environment such as a VMware or Xensource system we create the hash randomly. (We generate this so we don’t have to use IP addresses which can often be traced back to you, or when dynamic, doesn’t allow accurate information to be kept.) We use this information to properly serve your upgrades as we need to know what version of FreePBX you are running. In addition, we use this information to help us during beta programs. You may recall the statistics that I fed back to you during the FreePBX 2.3 Beta program that helped us gauge the level of beta and Asterisk 1.4 coverage. The Asterisk and FreePBX version statistics also helps us make good development decisions to serve our customer base.
This information is transmitted when you click on Check for Updates Online or nightly if you have chosen to have updates checked for you. (The nightly checks execute the exact same code as the manual check, there is no difference).
If we ever wanted to obtain more detailed information about your system, it would be an opt-in only basis, the code would be there for you to see and we would never implement something that could pull arbitrary commands from a server just waiting to be compromised.

If there are any questions or concerns with FreePBX, please start the discussion in the Forum or contact me offline.

Philippe - On behalf of the FreePBX Team

Philliple - thanks for addressing the issue. We started to move away from trixbox/a@h as soon as Fonality started showing us there green-colered glasse$. Boy are we glad we did! Many of our clients are medium to large business that have there own IT staff. I cant imagine how I would explain to any IT manager why his packet sniffing program is showing personal and sensitive information being pass in plain text across his network, and across the internet.
Thanks for pointing out what information FreePBX mines. Personally, I think that the little, little bit of anonymous statistics is the very least I can "give" back to FreePBX.

for addressing this major concern so quickly. Once again we are allowed to take a deep breath of relief that we are using only FreePbx and * as our VOIP telephony solution.

Keep up the good work!

the data is encrypted - not nice of them to do that without telling anyone, but some people seem to be taking advantage and dropping bombs over spilled milk.

  • Of course it has the potential to be much more, but really - does it deserve 10 pages of bad publicity on every voip forum on this planet.

I only wish they hadn’t tried equating your FreePBX update system with their own ill-conceived unauthorized back-door root access. I wish them much happiness as I continue to enjoy FreePBX without all the extra “features” of trixbox!