back to article IP Freely? Mr IP Freely? VoIP-for-suits firm battens down hatches after PBX data breach

Over the weekend FreePBX and PBXact users were warned of a security breach that spilled SIP credentials, potentially opening the door for fraudsters to make phone calls at the expense of small businesses that rely on the technology. Sangoma, the Canadian firm behind the tech, warned in an updated customer advisory that around …

  1. Christian Berger

    Well VoIP and decent programmers don't seem to mix well

    Virtually every VoIP product out there is either badly designed or badly implemented... or both.

    This is perhaps because many people looking into VoIP will encounter the standards, which are rather far away from how it's actually done, or concepts like NGN, which tries to solve a problem by exponentially increasing its complexity. VoIP just doesn't look like a fun field to anybody who just wants to solve problems. That's why the people left in the field seem to be Java Jockeys, who use SQL-databases without ever having heard of indexes or prepared statements... or people who slap together something that barely works (but is good enough for nifty demos) and open up a company to "support" it, instead of fixing the bugs.

    The pinnacle is VoIP software running on Windows. There you have people trying to solve a problem, who have never seen an actual decent solution to a problem.

  2. chivo243 Silver badge

    Brings back memories

    IP Freely, Hoo Phlung Poo ect

    1. Mystereed

      Re: Brings back memories

      Certainly does - changing other people's name card when on courses was always childish but a hoot anyway. Best one I saw given to someone was Isaac Hunt ;-)

  3. msknight

    " resulting in an illegal hacker getting access"

    Saw that, and spat my coffee.

  4. Anonymous Coward
    Anonymous Coward

    Soo... I was the one that reported this.

    Our MSP deals with a lot of SIP trunk providers. This kind of stuff happens more often than you would think, and we have seen it many times from many vendors. One of our lab (not production) accounts was hit. They were not in our system; they merely stole the SIP credentials from Sangoma's web site and placed some calls on our account before we noticed an unusual charge pattern and slammed the door shut on that.

    Obviously we were more than a little bit annoyed by this, along with the usual "brah, secure your stupid PBX" response (the PBXs we manage have never been hacked, ever. We're not geniuses; we just follow best practices).

    That being said... everything after that from Sangoma was flawless. If I were to write an article on the best way to handle an incident of this nature, I would base it on what Sangoma's management did.

    First thing: They did not sweep it under the rug. They informed *all* of their customers, which cost them a great deal of embarrassment (see: this article) but also made sure that their entire customer base was notified and able to check for any other intrusions that may have been missed. A stand-up move.

    Second thing: They refunded *everybody's* international call charges during that period. No quibbling, bickering, or fighting. We've seen our customers get hit with fraudulent bills in up to the five-figure range by other providers, when the provider knew the charges were fraudulent and not the customer's (or our) fault - strictly an internal hack on their end - and our customers were forced to pay anyway until it could be "sorted out," and then audit their own bills to prove the charges were fake. That's a worst-case real-life scenario, but that's closer to the standard than not.

    Third thing: We requested / suggested several product enhancements to help prevent / mitigate this in the future, and they agreed to implement most of them on a crash-priority basis.

    So yeah, it sucks that they got hacked, but this is far from a unique event in the industry. We were annoyed with them at first. But overall, this has been the most 100% stand-up, do-the-right-thing response I've ever seen from a SIP trunk provider. Freaking legendary good. Believe me when I say that going forward they are now our #1 small business provider and our #1 backup provider for larger business (volume pricing wins in these cases).

    1. jake Silver badge

      Re: Soo... I was the one that reported this.

      Your comment would carry a lot more weight if you weren't anonymous. As it is, you come off as a spin doctor for Sangoma ...

    2. usbac

      Re: Soo... I was the one that reported this.


      We do business with Sangoma, and have nothing but high praise.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like