Secure FreePBX ChanSpy

By default, ChanSpy is enabled, and can be used by anyone, yes, anyone, who is logged in to a FreePBX system.

ChanSpy is exactly that: it allows you to spy on other calls. This is a supervisor function, but Sangoma do not allow you to configure a password out of the box to secure it within FreePBX. Instead, they want to sell you a commercial module (class of service) that, in Australia, is about $145 and will apparently allow you to set one. They do not care about your privacy breaches; after all, it's YOU that will be prosecuted, not Sangoma. It amazes me that Sangoma won't take action, or never protected it in the first place, when this gaping invasion of privacy was first brought to their attention, several years ago going by their forums.

But fear not, if ChanSpy is enabled on your system and you can't disable it, there is a free 10-second fix.

When I install FreePBX I disable ChanSpy, but I include the code below anyway because sometimes it may be required, and I can't know that someone who enables ChanSpy will remember to disable it. I've also come across FreePBX systems that I did not install where, as I mentioned, it is active by default because the installer didn't know better. This is actually why I am writing this blog post: to make people aware of a serious flaw that Sangoma know about but seem not to want to fix.

A lot of big businesses use ChanSpy or its equivalent on commercial systems, as most of them also have this ability and have done for a long time. Remember all those calls you made that told you your call might be monitored for quality or training purposes? That's exactly what they are doing. All it takes is for someone mucking about to find it active to breach your, your staff's, and your callers' privacy. Are you a manager? CEO? Imagine your employees monitoring your personal calls.

But there is an edit to a configuration file that will secure it. The downside is that it is a manual edit every time you need to change it.

I suggest anyone responsible for a FreePBX or other Asterisk server log in as the root user and edit:

/etc/asterisk/extensions_override_freepbx.conf

inserting this one line, replacing somepassword with a PIN number:

exten => 555,1,Authenticate(somepassword)

then restart the system by issuing:

fwconsole restart

That's it. So damn simple, yet for years Sangoma have ignored it, probably because they can make more money off you buying a commercial module to set it. And yes, I do have an open ticket, like I suspect others have had over the years, that's just sitting there with no response.
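
To confirm the edit really is in place on a given box, here is a small audit script. It is an added example, not part of the original post or of FreePBX: it reads the override file named above and reports whether extension 555 starts with an Authenticate step. The function name, the status words and the six-character minimum are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original post): report whether the ChanSpy
# feature code 555 is guarded by Authenticate() in a dialplan override file.
# Prints one word: missing | placeholder | short | ok
MIN_LEN=6   # assumed minimum PIN length for this example, not a FreePBX rule

check_chanspy_pin() {
    conf="$1"
    [ -r "$conf" ] || { echo missing; return 0; }
    awk -v min="$MIN_LEN" '
        { sub(/;.*/, "") }          # ";" starts a comment in Asterisk config
        tolower($0) ~ /^[ \t]*exten[ \t]*=>[ \t]*555[ \t]*,[ \t]*1[ \t]*,[ \t]*authenticate\(/ {
            pin = $0
            sub(/^[^(]*\(/, "", pin)   # keep what follows "Authenticate("
            sub(/[,)].*/, "", pin)     # cut at the first "," or ")"
            found = 1
            exit                       # first match is enough; END still runs
        }
        END {
            if (!found)                                  print "missing"
            else if (pin == "" || pin == "somepassword") print "placeholder"
            else if (length(pin) < min)                  print "short"
            else                                         print "ok"
        }
    ' "$conf"
}

# Constructed sample: the line exactly as copied from the post, PIN not changed.
sample=$(mktemp)
printf '%s\n' 'exten => 555,1,Authenticate(somepassword)' > "$sample"
echo "sample file: $(check_chanspy_pin "$sample")"
rm -f "$sample"

# On a real system, run as root:
#   check_chanspy_pin /etc/asterisk/extensions_override_freepbx.conf
```

A result of missing also covers the case where the line exists but is commented out with a leading semicolon.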

You'd think in an era where the EU's GDPR is legally enforceable around the globe, Sangoma would get off their arse and fix it.

This, I guess, is one of the serious problems you have when an open source project is bought out and controlled by a money-hungry business that specialises in selling commercial modules for that open source project.

I recommend that if you discover your system needs this fixed, you fix it immediately, and then spend a few minutes letting Sangoma know (politely) that this needs to be fixed urgently, by creating an account if you don't already have one and opening a ticket.


FreePBX and Asterisk although both Open Source, are Registered Trademarks of Sangoma Technologies