
Secure FreePBX ChanSpy

By default, ChanSpy, a supervisor function that allows you to monitor
other people's calls, is enabled and can be used by anyone, yes, anyone, whose phone is logged in to a FreePBX system that has this feature enabled.

Sangoma don't allow you to configure a password out of the box to secure it; instead, they want to sell you a commercial module (which in Australia costs about $145) that apparently allows you to set one.

Sangoma don't care about your privacy breaches, nor the GDPR or other regions' equivalents; after all, it's YOU that will be prosecuted, not them.

It amazes me that Sangoma never protected it in the first place, let alone won't take action to protect it now that this gaping invasion of privacy has been brought to their attention - many years ago, going by their forums.

But fear not, if ChanSpy is enabled on your system and you can't disable it, there is a free and quick fix.

When I install FreePBX I disable ChanSpy, but I include the code below anyway because sometimes it may be required, and I can't know that if someone enables ChanSpy they'll remember to disable it. I've also come across FreePBX systems that I have not installed where, as I mentioned, it is active by default, because the installer didn't know better. This is actually why I am writing this blog post: to make people aware of a serious flaw that Sangoma know about but seem to not want to fix.

A lot of big businesses use ChanSpy or its equivalent on commercial systems, as most of them also have this ability and have done for a long time. Remember all those calls you made that told you your call might be monitored for quality or training purposes? That's exactly what they are doing. All it takes is for someone mucking about to find it active to breach your, your staff's, and your callers' privacy. Are you a manager? CEO? Imagine your employees monitoring your personal calls.

But there is an edit to a configuration file that will secure it; the downside is that it is a manual edit every time you need to change it.

I suggest anyone responsible for a FreePBX or other Asterisk server log in as the root user and edit -

/etc/asterisk/extensions_override_freepbx.conf

inserting the following under the ChanSpy feature code's context (on a stock FreePBX install the feature code is 555 and the context is [app-chanspy]; both can be confirmed in /etc/asterisk/extensions_additional.conf), replacing somepassword with a numeric PIN, since Authenticate() reads the digits over DTMF

[app-chanspy]
exten => 555,1,Authenticate(somepassword)

then restart the system by issuing

fwconsole restart
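The edit and restart above, scripted as an added example (not from the original post): a POSIX shell helper that validates the PIN, appends the override once with a backup, and checks a saved `asterisk -rx "dialplan show 555@app-chanspy"` dump to confirm priority 1 is now Authenticate(). It assumes the stock feature code 555 in the [app-chanspy] context and the `'555' => 1. App(...)` layout that `dialplan show` prints.

```shell
#!/bin/sh
# Added example (not from the original post): apply the ChanSpy PIN override
# described above and verify it. Assumes the stock FreePBX feature code 555
# in the [app-chanspy] context; check extensions_additional.conf if unsure.

OVERRIDE_FILE="${OVERRIDE_FILE:-/etc/asterisk/extensions_override_freepbx.conf}"

# Authenticate() collects the password as DTMF digits, so only a numeric
# PIN of sensible length is accepted.
valid_pin() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -ge 4 ] && [ "${#1}" -le 10 ]
}

# Append the override once, keeping a timestamped backup of the file.
# Refuses to run if priority 1 of 555 is already overridden, so a second
# run cannot silently leave two conflicting definitions behind.
install_chanspy_pin() {
    pin="$1"
    file="${2:-$OVERRIDE_FILE}"
    valid_pin "$pin" || { echo "PIN must be 4 to 10 digits" >&2; return 1; }
    if grep -q '^exten => 555,1,' "$file" 2>/dev/null; then
        echo "555 is already overridden in $file; edit it by hand" >&2
        return 2
    fi
    if [ -f "$file" ]; then
        cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    fi
    printf '\n[app-chanspy]\nexten => 555,1,Authenticate(%s)\n' "$pin" >> "$file"
}

# After "fwconsole restart", confirm the running dialplan picked up the
# override: save `asterisk -rx "dialplan show 555@app-chanspy"` to a file
# and pass it here. Returns 0 only if priority 1 is now Authenticate().
chanspy_protected() {
    grep -Eq "'555' =>[[:space:]]+1\. Authenticate\(" "$1"
}

# Usage on a live system (hypothetical PIN shown):
#   install_chanspy_pin 2468 && fwconsole restart
#   asterisk -rx "dialplan show 555@app-chanspy" > /tmp/chanspy.txt
#   chanspy_protected /tmp/chanspy.txt && echo "ChanSpy now requires a PIN"
```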

That's it, so damn simple, yet for years Sangoma have ignored it, probably because they can make more money from you buying a commercial module to set it, and yes, I do have an open ticket, like I suspect others have had over the years, that's just sitting there unanswered.

You'd think in an era where the EU's GDPR is legally enforceable around the globe, Sangoma would get off their arse and fix it.

This, I guess, is one of the serious problems you have when an open source project is bought out and controlled by a money-hungry business that specialises in selling commercial modules for that open source project.

I recommend that if you discover your system needs this fixed, you fix it immediately, and then spend a few minutes letting Sangoma know (politely) that this needs to be fixed urgently, by creating an account if you don't already have one and opening a ticket.


FreePBX and Asterisk although both Open Source, are Registered Trademarks of Sangoma Technologies
