Linux-Based Phone System Phones Home

Posted by kdawson on Sunday December 16, @08:20PM
from the hard-to-keep-secrets-when-they-can-read-the-code dept.
An anonymous reader writes to let us know that users of Trixbox, a PBX based on Asterisk, recently discovered that the software has been phoning home with statistics about their installations. It's easy enough to disable, and not particularly stealthy (beyond encrypting the data sent back), but customers in the forum are annoyed at not having been informed of the reporting. Trixbox is owned by Fonality, which makes customized PBXs (again based on Asterisk) for paying customers.

Related Stories

Linux: Fonality Acquires Trixbox
An anonymous reader writes "MySQL's Brian Aker has a good commentary on the big news in acquisitions today that Fonality has acquired Trixbox, the Linux Telephony distribution." From the article: "So why is this big news? Trixbox is the distribution for telephony on Linux today. They have put together a vertical Linux distribution dedicated to telephony. It combines Asterisk with a web based interface backed by MySQL, integrated into the SugarCRM solution. As Redhat today is the LAMP of the IT Enterprise and Web Framework, (Linux, Apache, MySQL, Perl/PHP), Trixbox is the LAMP stack of the Telephony market, Linux , Asterisk, MySQL, Perl/PHP."
  • Trick Box (Score:5, Funny)

    by Deathanatos (811514) on Sunday December 16, @08:28PM (#21721488)
    A product named Trixbox is really a box of tricks...
    • Re:Trick Box by Tuoqui (Score:3) Sunday December 16, @08:33PM
      • Re:Trick Box by the_humeister (Score:2) Sunday December 16, @08:43PM
      • Re:Trick Box by Gilmoure (Score:3) Sunday December 16, @10:19PM
    • Re:Trick Box (Score:5, Informative)

      by Anonymous Coward on Sunday December 16, @08:59PM (#21721684)
      I tried out Trixbox Pro not that long ago but was really turned off by their premise that you must have Internet access to properly configure your server (my VoIP server is NOT on the Internet nor will I do so for privacy and security reasons!). And their appliance is expensive and still needs Internet connectivity. While their old-school Trixbox CE product doesn't have this limitation development on it has slowed down despite their claims of "it's still in development, really!".

      AsteriskNOW isn't ready for prime-time yet, though it shows promise long-term.

      If you don't want to compile Asterisk yourself and yet you still want to use FreePBX (and you really should!), I highly recommend you check out Nerd Vittles, http://www.nerdvittles.com/ [nerdvittles.com] instead -- everything that Trixbox CE could have been.

      • Re:Trick Box by Power_Pentode (Score:2) Sunday December 16, @09:16PM
      • Re:Trick Box by SpzToid (Score:2) Monday December 17, @01:43AM
      • Re:Trick Box by Windowser (Score:1) Monday December 17, @07:19AM
      • Re:Trick Box by jedaustin (Score:1) Monday December 17, @08:58AM
        • Re:Trick Box by Evangelion (Score:1) Monday December 17, @11:03AM
    • Re:Trick Box by jberryman (Score:1) Sunday December 16, @09:01PM
    • Re:Trick Box by Andrewkov (Score:1) Monday December 17, @08:36AM
      • Re:Trick Box by Hucko (Score:1) Monday December 17, @04:55PM
  • So? (Score:4, Informative)

    by brad-x (566807) <brad@brad-x.com> on Sunday December 16, @08:31PM (#21721512) Homepage
    The initial setup at the web GUI makes it apparent that it wants to send stats back to home-base. How this can take people by surprise is baffling.
    • Re:So? by irtza (Score:3) Sunday December 16, @08:38PM
      • Re:So? by the_humeister (Score:2) Sunday December 16, @09:02PM
        • Re:So? by wizardforce (Score:2) Sunday December 16, @09:41PM
          • Re:So? by ppc_digger (Score:1) Monday December 17, @02:07AM
          • Re:So? by Mathinker (Score:1) Monday December 17, @02:56AM
            • Re:So? by mikiN (Score:1) Monday December 17, @04:30AM
              • Re:So? by cayenne8 (Score:2) Monday December 17, @12:47PM
            • Re:So? by WK2 (Score:2) Monday December 17, @06:30AM
              • Re:So? by petermgreen (Score:2) Monday December 17, @07:07AM
              • Re:So? by Mathinker (Score:1) Tuesday December 18, @02:10AM
        • Re:So? by irtza (Score:2) Sunday December 16, @09:46PM
      • So?-OSS or Bust. by Anonymous Coward (Score:1) Sunday December 16, @09:38PM
      • Re:So? by gokalp (Score:1) Monday December 17, @12:50AM
      • Re:So? by tehcyder (Score:1) Tuesday December 18, @11:35AM
        • Re:So? by irtza (Score:2) Tuesday December 18, @10:05PM
    • Stats are useful by EmbeddedJanitor (Score:2) Sunday December 16, @08:43PM
      • Re:Stats are useful (Score:5, Insightful)

        by ScrewMaster (602015) on Sunday December 16, @09:03PM (#21721710)
        Nah ... it's just that people don't bother to read what's in front of them. Had there been a big blurb during the software install that proclaimed "we collect anonymous usage statistics" nobody would have cared, but because it wasn't made sufficiently obvious people think there's something devious going on.
    • Re:So? (Score:4, Insightful)

      by syousef (465911) on Sunday December 16, @09:14PM (#21721778)
      The initial setup at the web GUI makes it apparent that it wants to send stats back to home-base. How this can take people by surprise is baffling. ...because of course you have read every word of every screen of every version of every installer you've ever used, and never just glossed over any detail. What's baffling is that comments like this get modded up.

    • Re:So? by ZOMGPONIEZ111 (Score:1) Sunday December 16, @09:59PM
      • Wrong by DJCacophony (Score:2) Monday December 17, @03:32AM
        • Re:Wrong by Tony Hoyle (Score:2) Monday December 17, @07:28AM
    • Re:So? by rucs_hack (Score:2) Monday December 17, @06:37AM
  • by arotenbe (1203922) on Sunday December 16, @08:38PM (#21721572)

    from the hard-to-keep-secrets-when-they-can-read-the-code dept.
    It sounds like Slashdot is advocating security through obscurity...
  • eh? (Score:4, Insightful)

    by LingNoi (1066278) on Sunday December 16, @08:42PM (#21721594)

    So what does it actually do? Let me explain. We are only looking at the number of phones (and types) that are connected to a system.
    So it's sending back some generic data with no personal information so they can do a best estimate of where they need to be spending their time.

    What's the problem here?
    • Re:eh? by FudRucker (Score:1) Sunday December 16, @08:49PM
      • Re:eh? by xouumalperxe (Score:2) Sunday December 16, @09:50PM
      • Re:eh? by slugstone (Score:1) Sunday December 16, @11:57PM
    • Re:eh? by Fnord666 (Score:2) Sunday December 16, @08:53PM
    • Re:eh? by bcdm (Score:2) Sunday December 16, @08:59PM
      • Re:eh? by raju1kabir (Score:2) Monday December 17, @11:28AM
        • Re:eh? by Sancho (Score:2) Monday December 17, @12:27PM
    • Re:eh? (Score:5, Insightful)

      by arth1 (260657) on Sunday December 16, @09:02PM (#21721706) Homepage Journal

      So it's sending back some generic data with no personal information so they can do a best estimate of where they need to be spending their time.

      What's the problem here?


      First of all, your claim isn't true. Here's what it currently sends back the output of:

      /usr/bin/perl /var/adm/bin/recognition.pl
      /bin/uname -r
      /bin/rpm -q -a
      /sbin/lspci -vn
      /usr/sbin/dmidecode
      /usr/sbin/wanrouter version
      /usr/sbin/wanrouter hwprobe verbose
      /usr/sbin/asterisk -V
      /bin/cat /etc/redhat-release
      /bin/cat /etc/trixbox/trixbox-version
      /bin/cat /etc/trixbox/.regData
      Note that it sends the registration data on every request. Which means the other data isn't anonymous.

      But, and this is much more alarming, it also can execute arbitrary commands. It connects to the remote server, asks it what to execute, and then executes it. That's VERY scary, no matter what is currently collected. Imagine a hacker getting access to the server customers connect to.
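The commands arth1 lists run from a scheduled job, so the first thing a defender wants is a way to find that job on a box. The following is an added example, not code from the thread or from Trixbox: it parses crontab text and flags any entry that invokes the phone-home scripts named in this discussion (`/var/adm/bin/registry.pl` and `/var/adm/bin/recognition.pl`). The sample crontab is constructed for the example; the schedule on its second line is a hypothetical daily entry modelled on the description here, not copied from a real install.

```python
import os
import re
from dataclasses import dataclass

# Script paths named in this thread as the phone-home mechanism.
PHONE_HOME_MARKERS = ("/var/adm/bin/registry.pl", "/var/adm/bin/recognition.pl")

# Constructed sample crontab (not a real Trixbox file). Line 2 is a
# hypothetical daily job that runs the script described in the thread.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 4 * * * /usr/bin/perl /var/adm/bin/registry.pl >/dev/null 2>&1
*/5 * * * * /usr/local/sbin/amportal restart >/dev/null
@daily /usr/sbin/logrotate /etc/logrotate.conf
MAILTO=root
"""


@dataclass
class CronJob:
    schedule: str   # five time fields or an @-alias such as @daily
    command: str    # everything after the schedule
    line_no: int    # 1-based line in the source text, for reporting


# Either an @alias or exactly five whitespace-separated time fields.
_FIELD_RE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.*)$")
_ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text):
    """Return the job entries in crontab text, skipping comments and VAR=value lines."""
    jobs = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or _ENV_RE.match(line):
            continue
        m = _FIELD_RE.match(line)
        if not m:
            continue  # not a job line we understand; ignore rather than guess
        jobs.append(CronJob(m.group(1).strip(), m.group(2).strip(), n))
    return jobs


def find_phone_home_jobs(text, markers=PHONE_HOME_MARKERS):
    """Jobs whose command line references any of the known phone-home scripts."""
    return [j for j in parse_crontab(text) if any(mk in j.command for mk in markers)]


def audit_paths(paths):
    """Scan real crontab files that exist on this host; returns {path: [CronJob, ...]}."""
    findings = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p, encoding="utf-8", errors="replace") as fh:
                hits = find_phone_home_jobs(fh.read())
            if hits:
                findings[p] = hits
    return findings


if __name__ == "__main__":
    for job in find_phone_home_jobs(SAMPLE_CRONTAB):
        print(f"sample line {job.line_no}: [{job.schedule}] {job.command}")
    for path, hits in audit_paths(["/etc/crontab", "/var/spool/cron/root"]).items():
        for job in hits:
            print(f"{path}:{job.line_no}: [{job.schedule}] {job.command}")
```

Run it as root to also scan `/etc/crontab` and root's spool; the marker list is deliberately a plain substring match so a renamed wrapper that still calls the same script path is caught.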

      • Re:eh? by cp.tar (Score:2) Sunday December 16, @09:09PM
      • Re:eh? by grolschie (Score:2) Sunday December 16, @11:35PM
        • Re:eh? by MadCat (Score:2) Monday December 17, @12:41AM
        • Re:eh? by Rakishi (Score:2) Monday December 17, @01:03AM
        • Re:eh? by petermgreen (Score:2) Monday December 17, @07:17AM
      • Where can I mod +1 terrifying ? by kingtonm (Score:1) Monday December 17, @08:02AM
      • Re:eh? by Bryansix (Score:2) Monday December 17, @11:26AM
        • Re:eh? by windex82 (Score:1) Monday December 17, @10:22PM
          • Re:eh? by Bryansix (Score:2) Tuesday December 18, @11:50AM
    • Re:eh? by Minupla (Score:2) Monday December 17, @10:02AM
  • Security Vuln (Score:5, Informative)

    by Anonymous Coward on Sunday December 16, @08:42PM (#21721600)
    The issue here is not just the fact that it is phoning home - it is the method in which it is done. This has been reported as a security vulnerability to the voipsec mailing list. http://voipsa.org/pipermail/voipsec_voipsa.org/2007-December/002522.html [voipsa.org]
    • Mod parent up (Score:5, Informative)

      by Fnord666 (889225) on Sunday December 16, @09:07PM (#21721754)
This is a key point. A cron entry runs a process on the PBX every 24 hours that connects out to trixbox and picks up an arbitrary list of commands. It executes those commands (under whatever authorities it was installed with) and returns the results. Sure hope their server is up to date on patches. That assumes DNS sent back the right server to begin with and not a spoofed site with a "different" set of commands.
      In what universe does this seem like a good idea?
      • Re:Mod parent up (Score:4, Informative)

        by grcumb (781340) on Sunday December 16, @09:37PM (#21721910) Homepage

This is a key point. A cron entry runs a process on the PBX every 24 hours that connects out to trixbox and picks up an arbitrary list of commands. It executes those commands (under whatever authorities it was installed with) and returns the results.

        What a terrible design! I worked for a couple of years on a FOSS product whose commercial version phoned home by design. It was a small server that allowed remote configuration changes via our NOC. The idea was to provide basic systems admin functionality for multiple geographically dispersed servers. Man-in-the-middle attacks - in either direction - were one of the primary concerns, second only to the privacy of the customer.

We vetted every byte, incoming or outgoing; we worried constantly about both sides of the authentication process, addressed DNS poisoning and coped properly with pwned clients as well. We never ever passed anything but text between the server and the NOC. Even anti-virus signature updates were performed out-of-band with the 'phone-home' process.

Allowing execution of arbitrarily defined scripts is a disaster in the making. The trust model is entirely wrong, for one thing. I understand now why the manufacturer didn't want to talk about it, because no sysadmin in his right mind[*] would accept that someone outside the organisation should ever have the right to run arbitrary code on their boxes without prior vetting.

        *****

        [*] Unfortunately, 'sysadmins in their right mind' is a far-too-small subset of all sysadmins....
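grcumb's point is about the trust model: the remote side should never be able to supply code, only choose from what the client already agreed to report. The example below is added here and is not code from the thread, Trixbox or Fonality. It sketches a reporting agent where the server's reply may only name entries from a fixed, read-only menu; anything else (a path, a command string, a nested object) is rejected and logged. The report names and the sample server reply are hypothetical and constructed for the example.

```python
import json
import subprocess

# Fixed menu of read-only reports this host is willing to produce. The remote
# side selects by name; it can never hand over an argv or a shell string.
# (Hypothetical names chosen for this example.)
ALLOWED_REPORTS = {
    "kernel": ["uname", "-r"],
    "asterisk_version": ["asterisk", "-V"],
    "distro": ["cat", "/etc/redhat-release"],
}


def select_reports(server_reply_json, allowed=ALLOWED_REPORTS):
    """Split the server's requested list into (accepted, rejected) report names.

    Only string entries that exactly match a menu key are accepted. Malformed
    JSON or an unexpected shape rejects the whole reply rather than guessing.
    """
    try:
        reply = json.loads(server_reply_json)
    except json.JSONDecodeError:
        return [], ["<malformed reply>"]
    if not isinstance(reply, dict) or not isinstance(reply.get("reports"), list):
        return [], ["<unexpected reply shape>"]
    accepted, rejected = [], []
    for item in reply["reports"]:
        if isinstance(item, str) and item in allowed:
            accepted.append(item)
        else:
            rejected.append(repr(item))  # keep for the audit log, never execute
    return accepted, rejected


def run_report(name, allowed=ALLOWED_REPORTS, timeout=10):
    """Execute one menu entry. argv comes from the local table only; shell=False."""
    argv = allowed[name]  # KeyError on an unknown name is deliberate
    try:
        done = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return {"name": name, "error": type(exc).__name__}
    return {"name": name, "rc": done.returncode, "stdout": done.stdout[:4096]}


def collect(server_reply_json, allowed=ALLOWED_REPORTS, runner=run_report):
    """Produce the payload to send back: results for accepted names, rejections listed."""
    accepted, rejected = select_reports(server_reply_json, allowed)
    return {"results": [runner(n, allowed) for n in accepted], "rejected": rejected}


# Constructed sample reply: one valid menu name, one bare path (a command the
# thread says is currently run), and one object. Only the first is honoured.
SAMPLE_REPLY = json.dumps({"reports": ["kernel", "/usr/sbin/dmidecode", {"exec": "x"}]})

if __name__ == "__main__":
    print(json.dumps(collect(SAMPLE_REPLY), indent=2))
```

The `runner` parameter exists so the selection logic can be exercised without touching the host; in production the rejected list is what you alert on, because a server that starts sending anything other than menu names is exactly the compromise scenario described above.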

      • Re:Mod parent up by grasshoppa (Score:2) Sunday December 16, @10:18PM
  • This about says it all (Score:5, Informative)

    by sjames (1099) on Sunday December 16, @08:49PM (#21721640) Homepage

    From the forum:

The point is that people should have been given a means to easily opt-out of the data collection process which is something we totally overlooked and in seeing the reaction we realize that this was a big mistake on our part. While it is pretty trivial for anyone with basic linux knowledge to disable it, the issue is that a) we didn't inform people well and b) we didn't make it easy to turn off. We thank you for your support on this but anytime there are more than a few people complaining about something it means we missed the mark on it. So, as a team and a company we fix it and learn from it. -- Kerry Garrison trixbox Community Director
  • I used to be the lead developer.. (Score:5, Informative)

    by Rob from RPI (4309) <xrobau@gmail.com> on Sunday December 16, @08:49PM (#21721642) Homepage
    And I'm somewhat annoyed by KerryG's assertion that "Both trixbox and FreePBX have phone-home mechanisms in them." Now, admittedly, I relinquished FreePBX at the beginning of this year due to personal commitments, but I have ALWAYS been dead against 'phone home' information. We DID have a rough idea of how many machines were actively being maintained by the 'hits' on the modules.xml file that contains the current version of all the modules and download links for it. That's it.

    The only other slightly information-divulging bit of information was the built-in IRC client did a 'uname -n' and specified what distro the client was running. It broadcast that in a 'notice' to the FreePBX channel. This was highlighted on the IRC page, with exactly what would be sent.

    FreePBX has NEVER 'phoned home'. I would be amazingly upset if it was doing so now. Trixbox, on the other hand, may do that, but please do NOT link the FreePBX project with it.

    --Rob
    • Re:I used to be the lead developer.. (Score:5, Informative)

      by Rob from RPI (4309) <xrobau@gmail.com> on Sunday December 16, @08:53PM (#21721658) Homepage
      Note for those who may have missed the point of my post: Trixbox is Centos + Asterisk + FreePBX + a couple of other things. It's just a bundle of various open source applications on a CD. The main parts of Trixbox are Asterisk and FreePBX, with CentOS as the OS and kernel.

      So, when someone mistakenly says 'trixbox does...' they usually mean 'freepbx does...' as FreePBX is the GUI Trixbox uses to configure Asterisk.

      --Rob

  • Make your own Linux-based PBX system (Score:5, Insightful)

    by compumike (454538) on Sunday December 16, @09:15PM (#21721782) Homepage
    We did it ourselves and saved >$100/month for a small business. Just use Asterisk [asterisk.org] (free and open source), buy some inexpensive but full-featured phones like the Grandstream GXP-2000 [grandstream.com] (about $80 each), and get a termination provider like VoicePulse Connect for Asterisk [voicepulse.com] ($11/month for four simultaneous channels, free incoming, and below $0.01/min for most outgoing). It took some work to get it all set up and working properly, but now is actually more reliable than the analog phones ever were. (We had phone company issues every few months... just awful.)

    --
    Educational microcontroller kits for the digital generation. [nerdkits.com]
  • by Anonymous Coward on Sunday December 16, @10:17PM (#21722142)
    Kerry has already addressed this in his blog:

    http://www.trixbox.org/trixboxs-new-hardware-audting-tool [trixbox.org]
    • Opt-OUT? by Paul Neubauer (Score:1) Sunday December 16, @10:42PM
  • by totalimpact (1204232) on Monday December 17, @02:28AM (#21723214)
    "The whole story": this is not news and was actually publicized a long time ago, before it was actually put into use, however, several overly paranoid, overly dramatic people were only just made aware that it was happening, and all of a sudden it has become:

"my phone system is transmitting my credit card number to a multi-million dollar commercial entity who is only interested in robbing all the people who use its FREE software solution, because this established entity doesn't make any money on their commercial product that is $400-500 per port, which has thousands of installations world wide."

    unfortunately they were lax in their notification of statistic gathering and did not place a 10 page EULA on the installer that users never read anyways.

FYI - the system collects hardware stats, such as what brand trunk card you use, which phones, and which server architecture, it does not transmit any actual usage stats, which would still be completely harmless. They then use these stats to get capital from the manufacturers of the hardware that these stats report on, which is used to fund development of this wonderful FREE PBX. This reporting is pretty close to plain sight, and can be disabled, just the same as Automatic Updates on a Windows PC.

The concerning part, yes it calls for some code at the fonality data center - again - you can turn it off. If you are that much of a security geek, you should know how to use cron, or stay away from linux servers, chances are you will leave a hole open on something a lot more important than a phone system - would hate to think of how many people have leaked credit cards from shopping carts. The REALLY concerning part - this hole is being talked about on security forums like this.

Really if they don't like that, no one has forced them to use this FREE software, and they have paid no money out to expect anything more (although they should). Fonality now has a full Opt-in disclaimer so that people like this can know that their phone system could be sending vital information about which handset they use before they start.

    Signed,
    Someone who supports the development of FREE open source software.
  • Um (Score:4, Insightful)

    by Gordo_1 (256312) on Monday December 17, @04:08AM (#21723458)
    Did anyone bother to notice that your mobile and landline phone companies know *WAY* more about you than this program could ever hope to collect? I mean, these guys bill you for every call you make, know exactly who you're calling and for how long, have been known to allow just about anyone in law enforcement to wiretap your line for even the flimsiest premise, yet the Slashdot crowd is more concerned with an open-source-based PBX collecting some high-level meta-data from users in an opt-out fashion?
    • Re:Um by WK2 (Score:3) Monday December 17, @06:42AM
    • Re:Um (Score:4, Insightful)

      by Minupla (62455) <minupla@gmai l . com> on Monday December 17, @10:05AM (#21725208) Homepage Journal
      Hrm, last time I checked, my phone company was unable to open a tunnel from the internal side of my corporate firewall back to them. Since the script allows them to execute *any* command and most people put their PBX inside their most secure corporate network segment, this would prove to be an issue. Leaving beside for the moment the issues of DNS poisoning, and someone hijacking the script.

      Min.
  • by therealking (223121) on Monday December 17, @08:00AM (#21724226) Homepage
If this were Microsoft or Blizzard you guys would be raising holy h3ll.
    but since it's an "open source" tool it's
    * not that big of a deal
    * Shoulda been obvious to you n00b
    * Duh Read the EULA

    Hypocrites all
  • by 'Tractor' Barry (788340) on Monday December 17, @08:12AM (#21724306) Homepage
This doesn't surprise me in the least.

    It's another example of why Linux needs something like the functionality that Zone Alarm provides whereby an interactive user is always prompted before a program is allowed to connect to the internet. I for one do not want any program whatsoever to be able to connect to the outside world before I have expressly given my permission.

Given the way companies like Sony & Microsoft have behaved in the past vis a vis "phoning home" & rootkits etc. I don't trust any program that tries to connect to the net.

    There are starting to be far too many programs on Linux that do things like report statistics, go off to fetch cover art from Amazon etc. etc. Sorry but I am not going to blindly allow people to collect data on me or monitor my internet usage etc. etc. I actually value my privacy.

    On which subject I'd also like to see the major desktop oriented distributions adopt a "nothing connects by default" standard for any desktop app they include in the distribution. Before a program can go to the internet the user should have to specifically say it can.

    For a desktop user something like Zone Alarms would be ideal. First time an app tries to connect to the internet you're asked whether it can. You can then allow it permanently or temporarily or you can ban it permanently or temporarily. This might make it a slight pain to initially set up your desktop but I'd rather this than Joe Random Programmer being able to start pulling back stuff off my machine without permission.

This issue needs seriously addressing by the Linux community now before we get something like a Sony rootkit fiasco.

    And why yes I am paranoid, and history will prove the likes of me right (again).

  • Duh. (Score:1)

    by neowolf (173735) on Monday December 17, @08:59AM (#21724604)
    Okay, I'm not going to say this isn't a big deal, because it obviously is, but really- it's pretty damn obvious when you install it that it wants to be in constant communication with home-base. This really shouldn't be "news" to someone who has installed it. I do agree that they should do a much better job of informing people up-front that their product requires this. I installed Trixbox as a test. I've had an active Asterisk install going for over a year, and was looking for a simple interface my tech. support guy could deal with for phone moves. I wasn't impressed. There seemed to be a lot of unnecessary overhead and ties to Fonality's servers, and it just flat-out couldn't deal with my hardware configuration (multiple T1 and analog ports tied to an existing PBX). Frankly- it came off as something like "free for now", until you get tied to it and we decide to start charging for accessing our servers, which you have no choice but to do. There is a great book called: Asterisk - The Future of Telephony (get the 2nd edition, which makes the first look pretty sad). This is really all you need to get rolling with Asterisk. It's good to understand the config files and database integration possibilities, even if you later decide to go with something like FreePBX or AsteriskNow to make things easier. If you have a decent Linux background, Asterisk can be cake once you have a bit of education about how phone systems operate.
  • Our bias (Score:3, Insightful)

    by Minupla (62455) <minupla@gmai l . com> on Monday December 17, @09:53AM (#21725062) Homepage Journal
OK folks, time to check our bias level here. If Sony installed a script that logged into their website and downloaded a list of commands to execute on your system to "collect usage data" would we be impressed? I didn't think so. We were very much up in arms about the Sony Rootkit, and should be about this too.

So if an OSS project does the same why should we be any less outraged? It's still a violation of any sort of professional ethics. It doesn't matter that the script is in clear text on the system, who here has the time to go through every script on a new installation of their favorite distribution?

    We trust the package suppliers to disclose anything we need to know about. If that trust is breached we call them to task on it.

    Well the trust has been breached in this case and the community needs to call the developer to task on it so that it's clear that this sort of behavior is unacceptable. I've read some comments that you're getting it for free. So it would be acceptable for Linus to start including arbitrary command execution backdoors into the kernel?

    Remember the Trojan Horse didn't have a price tag attached either!

    Min
  • by KalgarThrax (984520) on Monday December 17, @09:54AM (#21725088)
    Let's get you home to Frinky. M-hei.
  • by Fnord666 (889225) on Monday December 17, @09:56AM (#21725124)
    The folks at nerdvittles.com, an alternative asterisk distro, have weighed in on the subject with a blog post [nerdvittles.com] on how good of an idea this was. They provide a very succinct summary of their position in the following:

    This clever software should have been reviewed by senior management before it ever saw the light of day. The episode gives all of us a golden opportunity to stop and think about what we're doing and what our fundamental obligations are to those who use our code. Hopefully, Fonality will turn this BOT off... permanently! The problem, of course, is that it's hard to unring a bell. This BOT is already in the wild. Luckily there's a very quick solution in this case. Here's the command that should be added to tomorrow morning's Fonality script: rm -f /var/adm/bin/registry.pl. We'll all sleep better.

    The freePBX team has also commented [freepbx.org] on the issue. In short they want to make it clear that running arbitrary commands sent from the Fonality server is a trixbox/Fonality issue and has nothing to do with freePBX. FreePBX's "phone home" functionality is just a "check for updates" sort of thing.

In the above thread it is mentioned that FreePBX phones home as well. Instead of splitting hairs over definitions, let me make it perfectly clear what FreePBX does. Most of you are aware of our Online Module Repository that provides easy updates to new versions of FreePBX and its modules (vs. pulling tarballs manually).
    Of course if the modules are not digitally signed and verified, then a man in the middle attack is still possible and malicious versions of modules with a little "extra goodness" added could be sent to the pbx for automatic installation.
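The last sentence names the mitigation for the update path: a module should only be installed after a signed manifest has been verified and the downloaded file matches the hash that manifest lists. The code below is an added example, not code from FreePBX or from this thread. It uses an HMAC with a constructed key as a stand-in for an asymmetric signature so it runs with the Python standard library alone; a real repository would publish a public key and sign with the private half, but the verification order (manifest signature first, then per-module hash, install only on success) is the same. The module name, version and payload are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed key for this example only. In production the repository signs
# with a private key and the PBX carries the matching public key.
SIGNING_KEY = b"constructed-example-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(manifest: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_manifest(manifest: dict, key: bytes = SIGNING_KEY) -> str:
    """Repository side: tag over the canonical manifest (HMAC stands in for a signature)."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_module(manifest: dict, signature: str, module_name: str,
                  module_bytes: bytes, key: bytes = SIGNING_KEY):
    """PBX side: decide whether module_bytes may be installed.

    Returns (ok, reason). The manifest signature is checked before anything in
    the manifest is trusted, and comparisons are constant-time.
    """
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature mismatch; nothing in it can be trusted"
    entry = manifest.get("modules", {}).get(module_name)
    if entry is None:
        return False, f"{module_name} is not listed in the signed manifest"
    if not hmac.compare_digest(entry["sha256"], sha256_hex(module_bytes)):
        return False, f"{module_name} hash mismatch: tampered download or wrong file"
    return True, "ok"


# Constructed sample: a tiny module payload and the manifest that describes it.
GOOD_MODULE = b"<?php /* constructed module payload for the example */ ?>"
MANIFEST = {
    "schema": 1,
    "modules": {"core": {"version": "0.0.1-example", "sha256": sha256_hex(GOOD_MODULE)}},
}
SIGNATURE = sign_manifest(MANIFEST)


def install_if_verified(name: str, blob: bytes, manifest=MANIFEST, signature=SIGNATURE) -> str:
    """Only a verified module reaches the (simulated) install step."""
    ok, reason = verify_module(manifest, signature, name, blob)
    if not ok:
        return f"refused: {reason}"
    return f"installed {name} {manifest['modules'][name]['version']}"


if __name__ == "__main__":
    print(install_if_verified("core", GOOD_MODULE))
    print(install_if_verified("core", GOOD_MODULE + b"\n<?php /* extra goodness */ ?>"))
```

A module with "a little extra goodness" appended fails the hash check, and an attacker who rewrites the manifest to match a modified hash fails the signature check first; the manifest is therefore the only thing that needs to be signed, which keeps the signing operation off the download path for individual files.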
  • Trixbox is for... (Score:1)

    by slummy (887268) <shawnuth@gYEATSmail.com minus poet> on Monday December 17, @10:18AM (#21725334)
    ...n00bs. I compiled Asterisk from source and feel like the flexibility is much greater.
  • tribox is a bad deal from the getgo (Score:3, Interesting)

    some of you might remember that trixbox started out as asterisk@home.

I've run A@H 1 and 2 and even trixbox... and I must say... ever since KerryG and fonality took full control and essentially "killed" the A@H branding/identity/ethic/attitude the project has gone seriously downhill.

I've had run-ins with kerry before... and all I'll say in this public forum is that the guy really isn't a positive influence.

The forking of the project into CE and Commercial versions was only exacerbating the underlying shift towards an essentially exploitive distro. Requiring an internet connection to trixbox in order to configure your own box? requiring a user account on their site to configure what is ostensibly supposed to be open source based projects? Maybe these actions aren't WRONG per se... but certainly the ethics are questionable.

The truth is, ever since it went this way, I've actually decided NOT to upgrade my A@H 1.3 version. The bells and whistles aren't really worth it.

I'm hoping some other distro, or fork will come along that remains true to the principles they started with.

It's really sad to see, considering how excellent the work that went into A@H / trixbox is. These guys have done a wonderful job packaging several complicated and time-consuming products together into an easy and accessible distro. However... somewhere along the way someone *cough* kerry *cough* fonality *cough* decided to push those efforts into LOCK-IN style profitability.

(there's nothing wrong with getting commercial support packages... but forcing people to sign up to your organization and forking a far less than active sub-version on your community is an insult)
  • by mikesm (1204592) on Monday December 17, @04:50PM (#21731534)
I have been trying to figure out why any competent engineer would architect a system this way. Then I thought, maybe they just are doing what an existing system already does. From looking at the registry.pl file, the URI contacted for the script differs based on the server ID and a fonality specific config file. It looks like there are three choices for the download URI, one is registry.trixbox.com (if the fonality config file is not present), but the others are proregistry.trixbox.com, or update.fonality.com, which look like the other fonality PBX products that are in the field today (Trixbox PRO and Fonality's proprietary system). This sure looks to me like this same process and terrible security architecture is used by trixbox pro and fonality pbx's as well as trixbox CE. Yet, no one at Fonality has admitted this, much less issued a security advisory. I have posted a question to the fonality folks in the trixbox phones home thread, but no reply. Does the fonality user base realize how vulnerable they are? How many users put their PBX on a special firewalled network from their corporate systems? This looks like it is a far bigger problem than just trixbox. And why is Fonality not talking about the other platforms?
  • http://voipusersconference.org/ [voipusersconference.org] for instructions on how to hear Fonality's response live and participate by asking questions or giving your opinion about this subject.
  • Re:ET... (Score:2)

    by CaptainPatent (1087643) on Sunday December 16, @09:14PM (#21721780) Journal

    ET phone home!
    Don't you mean:

    TB [trixbox.org] phone home!?
  • Re:First Paul! (Score:1)

    by mrscorpio (265337) <twoheadedboy@nOSPaM.stonepool.com> on Sunday December 16, @09:36PM (#21721898)
    You're actually wrong. They're only counting from 12:00am EST to 11:59pm EST.
  • Re:and so it begins (Score:2, Insightful)

    by Aetuneo (1130295) on Sunday December 16, @09:36PM (#21721902)
    So the fact that software installed on Linux will do what it is programmed to do is a reason to migrate away from Linux? I will consider migrating to something else when there are known and exploited holes in the security which allow websites to arbitrarily install software without user permission. Until that, you just have to research what software does to stay safe, or only install software from known and trusted sources. But if you really want to migrate away, don't claim that you are doing it to stay secure: you are doing it because you cannot understand the details of problems, or because you can but just want to move away from Linux, since it is too popular for you.
And please, whatever you do, don't claim that "spyware and other malware" is beginning to show up on Linux - or, if you do want to tell people that, please remember to say that it is stuff which the user has to choose to install, not something which can be installed just by going to an infected website.
  • by insertwackynamehere (891357) on Sunday December 16, @09:57PM (#21722036) Homepage Journal
    a) This isn't malware and b) FreeBSD can run Linux apps for the most part so once malware encroaches Linux, a lot of *nix systems will be in potential trouble.
  • by secolactico (519805) on Sunday December 16, @10:21PM (#21722170) Journal

now that Linux is becoming more popular [...] the countdown to my switch to FreeBSD started today...


    Indie Rock Pete? [dieselsweeties.com] Is that you? ;-)
  • Re:ET... (Score:1)

    by Beastmouth (1144447) on Sunday December 16, @10:48PM (#21722338)
    How is this modded redundant? It's the first post with any content!
    • Re:ET... by orcrist (Score:2) Monday December 17, @04:53AM
  • by dltaylor (7510) on Monday December 17, @12:07AM (#21722720)
    Every time Microsoft decides to generate more revenue, they rob you just as if they had you at gunpoint.

    Happy with 2k, which works pretty well? Sorry, we're moving everyone to XP, so we'll strong-arm the hardware vendors into XP-only drivers (which precludes the victim from buying new hardware WITHOUT buying XP), and, of course, the latest licenses for applications code will be XP-only, and, although it is quite illegal, we'll require you to use an MS-Windows OS to fetch updates, even for applications.

    Happy with XP? Here comes Vista (not quite to the Vista-drivers-only stage, but it will happen).
  • by MLease (652529) on Monday December 17, @01:43AM (#21723062)
    Ok, IHBT and all that, but this has nothing to do with Linux. Linux just happens to be the OS the vendor chose for their product. I agree that this should be off by default, etc. (and several of the comments I've seen so far have said just that), but it's not the fault of Linux that Trixbox/Fonality designed their product that way. Nor would it be Microsoft's fault, had they chosen to use MS instead of Linux to build their system.

    -Mike

  • by wish bot (265150) on Monday December 17, @02:35AM (#21723240)
    Nice work. Can I ask, do you get paid enough to live on for this?
  • by moran (990755) on Monday December 17, @06:48AM (#21723922)
There is no mention currently in the GUI regarding stats being collected; it was only after this feature was discovered that the developers promised to add this to the GUI setup and have an opt in/out option.

My main concern is that the system is checking for any new commands off their server to execute. This is disturbing; Kerry didn't mention this feature in his blog when he came clean about the stats collection.

    Hopefully there will be options to still transmit some statistics but still be able to disable remote code fetch feature.

  • by crimperman (225941) on Monday December 17, @10:27AM (#21725422) Homepage
    When you wrote..

    it would be good form to expand an acronym

    and

    I wouldn't cavalierly/arrogantly throw our TLAs at a large diverse audience
    (emphasis mine)
    were you being ironic or do you mean just the acronyms you haven't come across? :o)