Skip to content

Secure FreePBX ChanSpy

(Original post February 14 2021 updated)
By default, ChanSpy, a supervisor function that allows you to monitor
other peoples calls, is enabled and can be used by anyone, yes, anyone, who's phone is logged in to a FreePBX system that has this feature enabled.

Sangoma don't allow you to secure it out of the box, instead, they try sell you some commercial module (that in Australia is about $145) that allegedly sets a PIN.

Sangoma don't care about your privacy breaches, nor the GDPR or other regions equivalent, after all, it's YOU that will be prosecuted, not them (however an IT savvy lawyer might be able to, upon your conviction, use the courts to pass onus down on to Sangoma - and they will be held legally liable)

It amazes me Sangoma never protected it in the first place let alone wont take action to protect it when this gaping invasion of privacy was first brought to their attention - many years ago, going by their forums.

Update June 17, 2021: Sangoma have formally closed this security bug as will-not-fix, go buy our commercial module as per Lorne Gaetz...




But fear not, if ChanSpy is enabled on your system, and you can't disable it, there is a free and quick fix, without buying a commercial add-on.

When I install FreePBX I disable ChanSpy, but include the code below anyway, because sometimes it may be required, I'm also not to know that if someone enables ChanSpy, that they'll remember to disable it. I've also come across installs that I have not performed where ChanSpy is active because the installer didn't know better. This is why I am writing this article, to make people aware of this serious flaw that Sangoma know about, but will not fix.

A lot of businesses use ChanSpy (or its equivalent on commercial systems as most of them also have this ability) and have done for a long time, remember all those calls you made that told you your call might be monitored for quality or training purposes? That's exactly what they are doing. All it takes is for someone mucking about, or guess your using FreePBX, to find it active, to breach yours, your staffs, and your callers privacy.

Are you a manager? A Director or even CEO? Imagine your employees monitoring your personal calls, imagine complete strangers staying in Hotels and Motels, monitoring staff, management, and other guests private calls, it's quite shocking.

But - there is an edit to a configuration file that will secure it by adding in a requirement for a PIN, the downside is, it is a manual edit every time you need to change it (and you don't have to cough up to Sangoma' extortion by buying a commercial add-on module).

I suggest anyone responsible for a FreePBX or other asterisk server, logs in as the root user, and edit -

/etc/asterisk/extensions_override_freepbx.conf

inserting this one line, replacing somepassword with a PIN number

exten => 555,1,Authenticate(somepassword)

then restart the system by issuing

fwconsole restart

That's it, so damn simple, yet for years Sangoma ignore it, because as the update shows, they want to make money off you buying a commercial module to set it. and yes, I do have an open ticket for months, like I suspect others have over the years, that's just sitting there un-responded

You'd think in an era where the EU's GDPR is legally enforceable around the globe, Sangoma would get off their arse and fix it.

This is one of the serious problems you have when an open source project is bought and controlled, by a money hungry business who specialises in selling commercial modules for that open source project who care more about dollars then your security, or the projects good name and reputation.

I recommend that you apply my fix immediately, regardless of if you use ChanSpy or not, and if you have ChanSpy enabled - disable it! Then spend a few minutes letting Sangoma know (politely) what you think of their approach to this, on their community forums and by creating an account (if you don't already have one) and opening a bug ticket

FreePBX is a Registered Trademark of Sangoma Technologies through their purchase of Schmooze, who in turn bought the rights from the original author, Rob Thomas.
Asterisk is a Registered Trademark of Sangoma Technologies through their purchase of Mark Spencers, Digium. Both projects are Open Source and completely free.



Trackbacks

No Trackbacks

Comments

Display comments as Linear | Threaded

Laurie Maudson on :

I'm astounded Sangoma think so little of us, I have a good mind to revisit 3CX.

I'm thankful for you showing how to secure it, but I fear to many will not do so for they are not comfortable with using the terminal login.

How disgraceful Sangoma, you want me to give you 100 dollars so I can add a PIN, no Sangoma, not in my lifetime, and at 24, that's a long time.

Sangoma, do the community a favour, give FreePBX back to Rob Thomas, give Asterisk back to the community, if you don't I don't see your surviving, you most definitely will become irrelevant with your profits over care attitude.

mica on :

seen this on reddit, un fucking believable
fuck sangoma are cuXXs
they dun care about freepbx
they bought it to destroy the open source community side of it
stopping fixes making them available in commercial modules and denying their staff fixing it.

fuckem ima guna download 3cx
sangoma must want to destroy freepbx altogether
maybe rob thomas will fork it and make it great again like the dude who started centos who got fucked up the arse by redhat and now forked centos to rocky linux to make it great again.


*** This message was slightly edited by NoelB due to language.
Mica, I don't mind one expressing their opinion strongly, god knows I do it enough :-)
Although I detest censorship, there are certain words (C...) I can't allow through when approving posts, please mask it next time or risk your comment being deleted, thanks for hopefully understanding.

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
Form options

Multiple DNSBL checks will be performed on submission of your comments.
Accepted comments will then be subject to moderation approval before displaying.