Slashdot Mirror


Linux-Based Phone System Phones Home

An anonymous reader writes to let us know that users of Trixbox, a PBX based on Asterisk, recently discovered that the software has been phoning home with statistics about their installations. It's easy enough to disable, and not particularly stealthy (beyond encrypting the data sent back), but customers in the forum are annoyed at not having been informed of the reporting. Trixbox is owned by Fonality, which makes customized PBXs (again based on Asterisk) for paying customers.

6 of 164 comments

  1. Trick Box by Deathanatos · Score: 5, Funny

    A product named Trixbox is really a box of tricks...

    1. Re:Trick Box by Anonymous Coward · Score: 5, Informative

      I tried out Trixbox Pro not that long ago but was really turned off by their premise that you must have Internet access to properly configure your server (my VoIP server is NOT on the Internet, nor will I put it there, for privacy and security reasons!). And their appliance is expensive and still needs Internet connectivity. While their old-school Trixbox CE product doesn't have this limitation, development on it has slowed down despite their claims of "it's still in development, really!".

      AsteriskNOW isn't ready for prime-time yet, though it shows promise long-term.

      If you don't want to compile Asterisk yourself and yet you still want to use FreePBX (and you really should!), I highly recommend you check out Nerd Vittles, http://www.nerdvittles.com/ instead -- everything that Trixbox CE could have been.

  2. Security Vuln by Anonymous Coward · Score: 5, Informative

    The issue here is not just the fact that it is phoning home - it is the method in which it is done. This has been reported as a security vulnerability to the voipsec mailing list. http://voipsa.org/pipermail/voipsec_voipsa.org/2007-December/002522.html

  3. I used to be the lead developer.. by Rob from RPI · Score: 5, Informative

    And I'm somewhat annoyed by KerryG's assertion that "Both trixbox and FreePBX have phone-home mechanisms in them." Now, admittedly, I relinquished FreePBX at the beginning of this year due to personal commitments, but I have ALWAYS been dead against 'phone home' information. We DID have a rough idea of how many machines were actively being maintained by the 'hits' on the modules.xml file that contains the current version of all the modules and download links for it. That's it.

    The only other slightly information-divulging bit of information was the built-in IRC client did a 'uname -n' and specified what distro the client was running. It broadcast that in a 'notice' to the FreePBX channel. This was highlighted on the IRC page, with exactly what would be sent.

    FreePBX has NEVER 'phoned home'. I would be amazingly upset if it was doing so now. Trixbox, on the other hand, may do that, but please do NOT link the FreePBX project with it.

    --Rob

  4. Re:eh? by arth1 · Score: 5, Insightful

    So it's sending back some generic data with no personal information so they can do a best estimate of where they need to be spending their time.

    What's the problem here?


    First of all, your claim isn't true. Here's what it currently sends back the output of:

    /usr/bin/perl /var/adm/bin/recognition.pl
    /bin/uname -r
    /bin/rpm -q -a
    /sbin/lspci -vn
    /usr/sbin/dmidecode
    /usr/sbin/wanrouter version
    /usr/sbin/wanrouter hwprobe verbose
    /usr/sbin/asterisk -V
    /bin/cat /etc/redhat-release
    /bin/cat /etc/trixbox/trixbox-version
    /bin/cat /etc/trixbox/.regData

    Note that it sends the registration data on every request. Which means the other data isn't anonymous.

    But, and this is much more alarming, it also can execute arbitrary commands. It connects to the remote server, asks it what to execute, and then executes it. That's VERY scary, no matter what is currently collected. Imagine a hacker getting access to the server customers connect to.

  5. Mod parent up by Fnord666 · Score: 5, Informative

    This is a key point. A cron entry runs a process on the PBX every 24 hours that connects out to trixbox and picks up an arbitrary list of commands. It executes those commands (under whatever authorities it was installed with) and returns the results. Sure hope their server is up to date on patches. That assumes DNS sent back the right server to begin with and not a spoofed site with a "different" set of commands.
    In what universe does this seem like a good idea?

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
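Comments 4 and 5 above describe a daily job that fetches a command list from the vendor's server and runs whatever comes back. As an added example (not Trixbox's or Fonality's own code), here is the shape of a hardened version of that job in Python: the fetched list must carry an HMAC under a per-install key, and every command must be on a fixed allowlist, so neither a spoofed server (the DNS concern) nor a compromised real one can get arbitrary commands executed. The key value, the server reply and the function names are assumptions.

```python
import hashlib
import hmac
import shlex
import subprocess

# Allowlist: the commands arth1 listed (minus .regData, which is what
# de-anonymises the rest). Nothing the server sends can widen this set.
ALLOWED = frozenset({
    "/usr/bin/perl /var/adm/bin/recognition.pl",
    "/bin/uname -r",
    "/bin/rpm -q -a",
    "/sbin/lspci -vn",
    "/usr/sbin/dmidecode",
    "/usr/sbin/wanrouter version",
    "/usr/sbin/wanrouter hwprobe verbose",
    "/usr/sbin/asterisk -V",
    "/bin/cat /etc/redhat-release",
    "/bin/cat /etc/trixbox/trixbox-version",
})
# Per-install key shared with the vendor server (assumption; constructed value).
INSTALL_KEY = b"constructed-example-key-not-a-real-secret"


def sign(payload: bytes) -> str:
    """HMAC-SHA256 tag the server must send alongside the command list."""
    return hmac.new(INSTALL_KEY, payload, hashlib.sha256).hexdigest()


def vet_commands(payload: bytes, tag_hex: str) -> tuple[list[str], list[str]]:
    """Authenticate the fetched list, then split it into (allowed, rejected)."""
    # A spoofed site or a MITM without this install's key fails here.
    if not hmac.compare_digest(sign(payload), tag_hex):
        raise ValueError("command list failed authentication")
    cmds = [ln.strip() for ln in payload.decode("utf-8").splitlines() if ln.strip()]
    allowed = [c for c in cmds if c in ALLOWED]
    rejected = [c for c in cmds if c not in ALLOWED]
    return allowed, rejected


def run_reporting(payload: bytes, tag_hex: str) -> dict[str, str]:
    """Run only vetted commands, without a shell, and collect their stdout."""
    allowed, rejected = vet_commands(payload, tag_hex)
    if rejected:
        # An unlisted command is the signal to stop and investigate, not to run it.
        raise ValueError(f"refusing unlisted commands: {rejected}")
    results = {}
    for cmd in allowed:
        proc = subprocess.run(shlex.split(cmd), capture_output=True, text=True)
        results[cmd] = proc.stdout
    return results
```

Refusing the whole batch on one unlisted command, rather than silently running the rest, is deliberate: it turns a tampered or compromised server into a visible failure in the PBX's logs.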