Linux-Based Phone System Phones Home

An anonymous reader writes to let us know that users of Trixbox, a PBX based on Asterisk, recently discovered that the software has been phoning home with statistics about their installations. It's easy enough to disable, and not particularly steathy (beyond encrypting the data sent back), but customers in the forum are annoyed at not having been informed of the reporting. Trixbox is owned by Fonality, which makes customized PBXs (again based on Asterisk) for paying customers.

Trick Box

[Deathanatos]

A product named Trixbox is really a box of tricks...

Re:Trick Box

I tried out Trixbox Pro not that long ago but was really turned off by their premise that you must have Internet access to properly configure your server (my VoIP server is NOT on the Internet nor will I do so for privacy and security reasons!). And their appliance is expensive and still needs Internet connectivity. While their old-school Trixbox CE product doesn't have this limitation development on it has slowed down despite their claims of "it's still in development, really!".

AsteriskNOW isn't ready for prime-time yet, though it shows promise long-term.

If you don't want to compile Asterisk yourself and yet you still want to use FreePBX (and you really should!), I highly recommend you check out Nerd Vittles, http://www.nerdvittles.com/ instead -- everything that Trixbox CE could have been.

So?

[brad-x]

The initial setup at the web GUI makes it apparent that it wants to send stats back to home-base. How this can take people by surprise is baffling.

Re:So?

[syousef]

The initial setup at the web GUI makes it apparent that it wants to send stats back to home-base. How this can take people by surprise is baffling. ...because of course you have read every word of every screen of every version of every installer you've ever used, and never just glossed over any detail. What's baffling is that comments like this get modded up.

Re:So?

[QuantumG]

Well that's your own stupid fault then isn't it?

Re:So?

[insertwackynamehere]

If it really bothers you this much when usage stats are collected, then you can't really gloss over things like the TOS and EULA... you can't have it both ways.

eh?

[LingNoi]

So what does it actually do? Let me explain. We are only looking at the number of phones (and types) that are connected to a system.

So it's sending back some generic data with no personal information so they can do a best estimate of where they need to be spending their time.

What's the problem here?

Re:eh?

[arth1]

So it's sending back some generic data with no personal information so they can do a best estimate of where they need to be spending their time.

What's the problem here?

First of all, your claim isn't true. Here's what it currently sends back the output of:

/usr/bin/perl /var/adm/bin/recognition.pl
/bin/uname -r
/bin/rpm -q -a
/sbin/lspci -vn
/usr/sbin/dmidecode
/usr/sbin/wanrouter version
/usr/sbin/wanrouter hwprobe verbose
/usr/sbin/asterisk -V
/bin/cat /etc/redhat-release
/bin/cat /etc/trixbox/trixbox-version
/bin/cat /etc/trixbox/.regData

Note that it sends the registration data on every request. Which means the other data isn't anonymous.

But, and this is much more alarming, it also can execute arbitrary commands. It connects to the remote server, asks it what to execute, and then executes it. That's VERY scary, no matter what is currently collected. Imagine a hacker getting access to the server customers connect to.

Security Vuln

The issue here is not just the fact that it is phoning home - it is the method in which it is done. This has been reported as a security vulnerability to the voipsec mailing list. http://voipsa.org/pipermail/voipsec_voipsa.org/2007-December/002522.html

This about says it all

[sjames]

From the forum:

The point is that people should have been given a means to easily opt-out of the data collection process which is something we totally overlooked and in seeing the reaction we realize that this was a big mistake on our part. While it is pretty trivial for anyone with basic linux knowledge to disable it, the issue is that a) we didnt inform people well and b) we didn't make it easy to turn off. We thank you for your support on this but anytime there is a more than a few people complaining about something it means we missed the mark on it. So, as a team and a company we fix it and learn from it. -- Kerry Garrison trixbox Community Director

I used to be the lead developer..

[Rob+from+RPI]

And I'm somewhat annoyed by KerryG's assertion that "Both trixbox and FreePBX have phone-home mechanisms in them." Now, admittedly, I relinquished FreePBX at the beginning of this year due to personal commitments, but I have ALWAYS been dead against 'phone home' information. We DID have a rough idea of how many machines were actively being maintained by the 'hits' on the modules.xml file that contains the current version of all the modules and download links for it. That's it.

The only other slightly information-divulging bit of information was the built-in IRC client did a 'uname -n' and specified what distro the client was running. It broadcast that in a 'notice' to the FreePBX channel. This was highlighted on the IRC page, with exactly what would be sent.

FreePBX has NEVER 'phoned home'. I would be amazingly upset if it was doing so now. Trixbox, on the other hand, may do that, but please do NOT link the FreePBX project with it.

--Rob

Re:I used to be the lead developer..

[Rob+from+RPI]

Note for those who may have missed the point of my post: Trixbox is Centos + Asterisk + FreePBX + a couple of other things. It's just a bundle of various open source applications on a CD. The main parts of Trixbox are Asterisk and FreePBX, with CentOS as the OS and kernel.

So, when someone mistakenly says 'trixbox does...' they usually mean 'freepbx does...' as FreePBX is the GUI Trixbox uses to configure Asterisk.

--Rob

Re:Stats are useful

[ScrewMaster]

Nah ... it's just that people don't bother to read what's in front of them. Had there been a big blurb during the software install that proclaimed "we collect anonymous usage statistics" nobody would have cared, but because it wasn't made sufficiently obvious people think there's something devious going on.

Mod parent up

[Fnord666]

This is a key point. A cron entry runs a process on the PBX every 24 hours that connects out to trixbox and picks up an arbitrary list of commands. It executes those commands (under whatever authorities it wss installed with) and returns the results. Sure hope their server is up to date on patches. That assumes DNS sent back the right server to begin with and not a spoofed site with a "different" set of commands.
In what universe does this seem like a good idea?

Re:Mod parent up

[grcumb]

This is a key point. A cron entry runs a process on the PBX every 24 hours that connects out to trixbox and picks up an arbitrary list of commands. It executes those commands (under whatever authorities it wss installed with) and returns the results.

What a terrible design! I worked for a couple of years on a FOSS product whose commercial version phoned home by design. It was a small server that allowed remote configuration changes via our NOC. The idea was to provide basic systems admin functionality for multiple geographically dispersed servers. Man-in-the-middle attacks - in either direction - were one of the primary concerns, second only to the privacy of the customer.

We vetted every byte, incoming or outgoing; we worried constantly about both sides of the the authentication process, addressed DNS poisoning and coped properly with pwned clients as well. We never ever passed anything but text between the server and the NOC. Even anti-virus signature updates were performed out-of-band with the 'phone-home' process.

Allowing execution of arbitrarily defined scripts is a disaster in the making. The trust model is entirely wrong, for one thing. I understand now why the manufacturer didn't want to talk about, because no sysadmin in his right mind[*] would accept that someone outside the organisation should ever have the right to run arbitrary code on their boxes without prior vetting.

*****

[*] Unfortunately, 'sysadmins in their right mind' is a far-too-small subset of all sysadmins....

Make your own Linux-based PBX system

[compumike]

We did it ourselves and saved >$100/month for a small business. Just use Asterisk (free and open source), buy some inexpensive but full-featured phones like the Grandstream GXP-2000 (about $80 each), and get a termination provider like VoicePulse Connect for Asterisk ($11/month for four simultaneous channels, free incoming, and below $0.01/min for most outgoing). It took some work to get it all set up and working properly, but now is actually more reliable than the analog phones ever were. (We had phone company issues every few months... just awful.)

--
Educational microcontroller kits for the digital generation.

Um

[Gordo_1]

Did anyone bother to notice that your mobile and landline phone companies know *WAY* more about you than this program could ever hope to collect? I mean, these guys bill you for every call you make, know exactly who you're calling and for how long, have been known to allow just about anyone in law enforcement to wiretap your line for even the flimsiest premise, yet the Slashdot crowd is more concerned with an open-source-based PBX collecting some high-level meta-data from users in an opt-out fashion?

Re:Um

[Minupla]

Hrm, last time I checked, my phone company was unable to open a tunnel from the internal side of my corporate firewall back to them. Since the script allows them to execute *any* command and most people put their PBX inside their most secure corporate network segment, this would prove to be an issue. Leaving beside for the moment the issues of DNS poisoning, and someone hijacking the script.

Min.