Welcome To FreeSWITCH
The World's First Cross-Platform Scalable FREE Multi-Protocol Soft Switch
FreeSWITCH is a scalable open source cross-platform telephony platform designed to route and interconnect popular communication protocols using audio, video, text or any other form of media. It was created in 2006 to fill the void left by proprietary commercial solutions. FreeSWITCH also provides a stable telephony platform on which many telephony applications can be developed using a wide range of free tools.
FreeSWITCH was originally designed and implemented by Anthony Minessale with the help of Brian West and Michael Jerris. All 3 are former developers of the popular Asterisk open source PBX. The project was initiated to focus on several design goals including modularity, cross-platform support, scalability and stability. Today, many more developers and users contribute to the project on a daily basis.
We support various communication technologies such as Skype, SIP, H.323 and GoogleTalk making it easy to interface with other open source PBX systems such as sipXecs, Call Weaver, Bayonne, YATE or Asterisk.
FreeSWITCH supports many advanced SIP features such as presence/BLF/SLA as well as TCP TLS and sRTP. It also can be used as a transparent proxy with and without media in the path to act as a SBC (session border controller) and proxy T.38 and other end to end protocols.
FreeSWITCH supports both wide and narrow band codecs making it an ideal solution to bridge legacy devices to the future. The voice channels and the conference bridge module all can operate at 8, 12, 16, 24, 32 or 48 kilohertz and can bridge channels of different rates. The G.729 codec is also available under a commercial license.
FreeSWITCH builds natively and runs standalone on several operating systems including Windows, Max OS X, Linux, BSD and Solaris on both 32 and 64 bit platforms.
FreeSWITCH supports FAX, both over audio and T.38, and can gateway between the two.
Our developers are heavily involved in open source and have donated code and other resources to other telephony projects including openSER, sipXecs, The Asterisk Open Source PBX and Call Weaver.
a Spec Sheet is available on our Wiki.
The question of why FreeSWITCH uses so many embedded libraries comes up all the time. We first addressed this back in 2007, and wow has time flown and FreeSWITCH grown up!
Many users and new faces question this practice on a regular basis, so I thought it might be time to revisit the reasons why. I thought about writting a whole new article on this subject, but having gone back and re-read the original articles, I think its best to just link them here.
For the original post on FreeSWITCH.org see http://www.freeswitch.org/node/56 and for an indepth explanation see Roman Shaposhnik's write up from when he was Sun Studio Linux Architect, Engineering Manager at https://blogs.oracle.com/rvs/entry/what_does_dynamic_linking_and
[This story was delayed from 10/24 to give a vendor time to respond. As it turned out, that vendor decided to take no action.]
Cal Leeming (foxx on IRC) was kind enough to join our weekly conference call to raise awareness about the importance of secure provisioning.
Many providers put configuration files for IP phones on publicly-accessible servers. Often these files are neither encrypted nor protected by any form of authentication. All you need to access these files is the URL scheme used by the provider and the MAC address of the phone. As we'll see in a moment, this is in fact essentially required for zero-touch provisioning to work as it does today.
Let's say you want the contents of one of these files. How might you find the URL scheme used by a provider? Previously if you couldn't find it by guessing, you would probably need to get a phone from that provider and then either extract the firmware or watch the traffic with Wireshark. Having to do that for many providers, while not infeasible at all, does present something of a barrier.
Fortunately (for the bad guys), phone manufacturers have decided to adopt a technique (I hesitate to say 'technology') called zero-touch provisioning or RPS (Redirection and Provisioning Service). The idea behind RPS is that providers can remotely provision new phones they've never physically handled at all.
After a phone is sold to a service provider (perhaps via a wholesaler), the service provider makes an API call that tells the manufacturer they now own a particular phone, identified by MAC address, and to where requests for the phone's configuration should be redirected.
Now when a request is made to the manufacturer's publicly accessible server for the phone's configuration, their server redirects the request to a file on the provider's configuration server. If an attacker simply knows the MAC address of a phone, she can make a request to the manufacturer's RPS server, which will redirect to the provider's server, which -- more likely than not -- will hand over the plaintext file containing the phone's configuration.
With this configuration file, the bad guys can impersonate the user. That would be bad enough, as it would likely give them access to the user's voicemail or other privileged services.
More likely, however, the bad guys will be interested in committing toll fraud. They'll use the stolen account to pump a large volume of calls to high cost foreign rate centers where -- through complicated business mechanisms -- they'll be able to collect a portion of the toll charges paid by the victim and the other intermediating carriers. The dollar amounts involved in this kind of fraud can be shockingly high.
But we're getting ahead of ourselves. How will the bad guys find a valid MAC address for a phone?
As it turns out, this isn't difficult, and RPS makes this much easier. MAC addresses are 48 bits long, so there are 2^48 of them. The first 3 bytes (24 bits) of the address compose the Organizationally Unique Identifier (OUI). One or more of these are assigned to organizations like Yealink or Snom. This leaves 24-bits for the manufacturer to assign unique addresses to their equipment. In practice, for a particular model of phone, a manufacturer might assign addresses out of a space as small as 16 bits, and they are likely to assign these nearly sequentially. Therefore, if you know the MAC address of just one phone, and search the surrounding 2^16 addresses, you're likely to find many valid phone MAC addresses.
In Cal's testing, he found he could make at least 1000 requests per second against manufacturers' RPS servers. It's likely that determined bad guys with a cluster of systems could do better.
1000 requests per second is about 2^10. So we can search a 2^16 space in only 2^(16-10) = 2^6 = 64 seconds. And because of RPS, we don't have to repeat this search against N different service providers. We simply target our search against the manufacturer's RPS server and they'll tell us who the service provider is and where we can find the provisioning file.
This really is as bad as it sounds. What's perhaps worse, however, is how little surprise there was on our call. This is not a disclosure in the common sense of the word. Everyone familiar with these systems already knows about this problem -- though there was some debate on our call about whether there really may exist people dull enough to both understand the system design and miss this problem (I doubt it). The mission instead is to remind people that this flaw, though widely accepted, is a recipe for failure that should not be tolerated. As soon as attackers organize around exploiting this weakness, the damage to the industry could be massive.
Problematically, there is no way for service providers -- without assistance from phone manufacturers -- to completely address this weakness without forfeiting the benefits of zero-touch provisioning. Providers can configure their provisioning servers to require a valid username and password, and then assign unique credentials to each phone. When the phone supports HTTPS provisioning, this would be reasonably secure as long as you could securely deliver the credentials.
(Some phone firmwares allow the service provider to encrypt the configuration file using a key the server shares with each phone. This is isomorphic, for the purposes of our discussion.)
But delivering the credentials securely is exactly the problem with zero-touch provisioning in its current form. The first time the phone connects to your servers (via an RPS redirect), it won't have any credentials. You'll have to decide whether to issue the phone the credentials it will use in the future. If you do so, you'll also need to never issue this phone credentials in plaintext again (otherwise you won't have improved security at all). But you have no way of knowing whether what's connecting to your servers is the phone you sold, or an attacker impersonating it. How can you decide whether to give it the credentials? If you make the wrong choice, you'll open yourself up to toll fraud, and you'll lock out the actual phone.
The obvious solution to this issue is for the manufacturer to include a unique private key with each phone (ideally via a TPM) such that the phone could securely authenticate itself to servers. Doing only this, however, would complicate the sale of phones through distribution as the public components of the keys would need to be distributed and managed.
A more sane solution would be to sign each phone's public certificate (which should contain the phone's MAC address) with the manufacture's private key. The phone could then provide its signed public component when authenticating to the service provider, and the provider could check the MAC address in the certificate and check the signature against the manufacturer's public key component. As long as the manufacturer securely created and managed their certificate authority, this would work fine.
There are other solutions that are somewhat less elegant, such as dispensing with "zero-touch" and forcing the entry of a PIN-like code on each phone.
It will be interesting to see how manufacturers respond to the increased attention being focused on this issue. Will they take down their RPS servers? Will they move to more secure provisioning models? Or will attackers need to inflict large financial damage to their customers before the manufacturers respond? Time will tell.
Cal Leeming (foxx on IRC) was kind enough to join our weekly conference call yesterday to discuss a very interesting issue that apparently has at least one phone manufacturer in a bit of a panic. We're withholding details for now to give that manufacturer time to react. Expect a more detailed story here in a couple of days.
The FreeSWITCH Team is proud to announce the release of FreeSWITCH 1.2.14!
Available today via git, http://files.freeswitch.org/freeswitch-1.2.14.tar.bz2, and the deb and yum repos.
This is a maintenance release to address several bugs that have been identified since the last release.
Also dont forget ClueCon Weekly Conference Call! Every Wed at 1PM EST! For more information on how to join see: http://wiki.freeswitch.org/wiki/Weekly_Conference_Call_Calling_Instructions
Bluebox-ng is an open-source VoIP/UC vulnerability scanner. It has been written in CoffeeScript using Node.js powers.
- RFC compliant
- TLS and IPv6 support
- SIP over websockets (and WSS) support (draft-ietf-sipcore-sip-websocket-08)
- SHODAN, exploitsearch.net and Google Dorks
- SIP common security tools (scan, extension/password bruteforce, etc.)
- REGISTER, OPTIONS, INVITE, MESSAGE, SUBSCRIBE, PUBLISH, OK, ACK, CANCEL, BYE and Ringing requests support
- Authentication through different types of requests
- SIP denial of service (DoS) testing
- SRV and NAPTR discovery
- Dumb fuzzing
- Common VoIP servers web management panels discovery
- Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)
- Automatic vulnerability searching (CVE, OSVDB, NVD)
- Colored output
- Command completion
- It runs in GNU/Linux, Mac OS X and Windows
So this is yet another tool in the toolbox you can use to help test the security of your UC/VoIP installations.
As some of you may have heard by now, our very own Brian K West
(a.k.a. bkw_) is going to be marrying the love of his life, Gregory A
The ceremony will be held on October 7th in NYC. Please join with us all in congratulating him and his spouse to be.
For those of you who would like to help out with the costs of the
planning and ceremony, or would just like to send them a gift, his
paypal address is email@example.com. No gift is too small (or too large
If you're in, or around, NYC on the 6th or 7th, we'd entertain the idea
of having a FreeSWITCH Users' dinner somewhere in the area on one of
those two nights if there's enough interest. Feel free to email me
privately (at firstname.lastname@example.org) if you'll be in the area
and interested in congratulating them, in person, over dinner.
This handy tip just came by my desk. It's geared toward Asterisk, however the principles apply to FreeSWITCH - or any other software that employs the use of audio files. This blog post is useful to anyone wanting to learn more about these handy tools.
Welcome to the last week of July!
The big news from last week was announced on the weekly conference call: FreeSWITCH 1.2.12 was officially released. This is now the recommended production release of FreeSWITCH. We also had a simple FreeSWITCH programming how-to on using channel variables with examples from mod_valet_parking and mod_voicemail.
On this week's conference call we are glad to have with us long-time FreeSWITCH community member and code contributor Chris Rienzo. Chris has lots of experience with handling media for various applications, such as you'd use with mod_unimrcp. This week Chris will be discussing the theme "mod_spandsp - it's not just for faxing!" Mod_spandsp makes use of the powerful SpanDSP library and Chris will show us some of the interesting things that this makes available for FreeSWITCH users.
For those of you coming to ClueCon 2013: we'll see you next week! We are really looking forward to seeing everyone again. If you haven't registered for ClueCon or booked your room yet then we highly recommend that you do so right away. We hope to see you all at the can't-miss event of the season!
Talk to you next week - from Chicago!
We are pleased to announce that FreeSWITCH version 1.2.12 has been released! Ken's mailing list post details some of the changes and contains any follow up conversations regarding this release.
What's new in this release? Lots and lots of bug fixes. 1.2.12 is now the recommended FreeSWITCH version for production environments. As usual, test it with your configuration prior to migrating a production server.
As of this writing the CDN has been purged so you can download the latest source tarballs and RPMs. Naturally the git repo is tagged already. The DEB files are coming soon.
Thanks for all your help in making FreeSWITCH get better and better.