During my experience with Trixbox I've discovered several insecurities along the so called VoIP PBX service installers. Service providers that like to call themselves " Telephony Service Providers".
We all know what Trixbox stands for, and it's Operating System that is running on. CentOS is a free Linux Flavor based on the Red Hat environment.
First is First, after installing Trixbox, if you take the manual it even tells you the change the default passwords. What an Who are the default passwords ? Default passwords are defined already by the Fonality team. Who are those passwords ? mysql default passwd, maint default passwd, fop default password, asterisk default password.
1)Trixbox main web Interface, access is wide open, meaning that anyone who knows your PBX IP address or sub domain, can access it. Here is the main huge insecurity that so called VoIP installers have no idea about . It is just amazing how inexperienced and so unreal about how to secure a PBX and secure should it be
When you click on FOP (Flash Operation Panel), it will show main SIP trunk(phone number), and extensions. Why is this unsecure ? Very simple, the FOP will show all extensions configured using the FreePBX interface. In my case, I am looking at a PBX, with over 28 extensions, 14 extensions are unused, 1 extension is used for conference, and the remaining for DEMO purposes. It looks like this guys are selling Trixbox PBXs, with a small change, the web interface has a different look but still way too close to Trixbox web. Demo extensions are probably used when on future customer sites to show the power of their systems.
BTW, I guess they haven't got a clue about Linux , and how to use it, because Apache has a very nice tool that can restrict access to a web page based on the MD5 cryptography .
I am looking at those unused extension and thought about it for a while, on how anybody who knows the IP address of this PBX can make free calls, and more. listen to their conversation simple by pressing "555" (chanspy). How is this possible ? Very easy ? Using a soft phone, configure it to connect to their PBX, use the unused extension, with password...... lets see. Most used passwords are actually most used PINs: 0000, 1111, 2222, 3333, 4444, 1234, and the list can go . Once human brain got used to use only 4 PINs for their debit cards, credit cards, Voicemail PINs, they will most likely use the same numbers as well.
One more thing I would like to add, is that most of PBX installers I have seen using Trixbox, and not clean Asterisk by default they will set every extension using one of the previous passwords. Hurry is the problem ! Inexperienced employees is the biggest, Untrained associates is the hugest, and the list can go on .
I am not going to provide any IPs, for security reasons, but I personally built a list of over 34 PBXs where I can connect, make calls using those assigned block of phone numbers, and worst listen to conversations.... that's correct . I am talking about live unsecured phone conversations. A small secret. In my list , 1 is a "leaders" Office. I can not go into details, I did not hacked their PBX, or made phone calls, or used their PBX in any way. Their IP was in my way and I had to take a look at it . I am talking about the "leaders" Office:)). Nice... right:) It was probably a volunteer hired at the IT department, that has no clue about Linux, Security, etc.
I'm sure you ask yourself on how I put my hands on such a skinny list. Remember Asterisk's OS. That's the only tip I can provide :). My search will continue when I have more time and add as many insecure PBXs to my list as possible.
2) FreePBX web interface has the default user: maint with password " password"
3) You can connect to MySQL server in 2 seconds. mysql default passwords is "passw0rd". Again I will stay away from providing more details, but please be aware what's MySQL server role in this PBX :)
4) Users can be driven crazy just by a few mouse clicks with FOP, Default password is again : passw0rd .
That's about it, for today. Visit my blog, and I promise more tips and tricks :)