The world was still listening to Smash Mouth and contemplating the underlying meaning behind The Matrix when the founder of Digium.com released his free, open source IP PBX software in 1999.
He created an entirely new segment in the open source software market… Not only did companies using Asterisk collectively save millions of dollars when installing the open software, they found it could be hosted or installed on-site, as a call distributor, a VoIP gateway, a conference bridge and much more. It became the Swiss army knife of IP-based telephony overnight.
But then, in January 2009, one small business Asterisk customer was slapped with a gigantic and unexpected phone bill. His system had been hacked…
Australian newspaper Adelaide Now reported: “A small business has been landed with a $120,000 phone bill after criminals hacked into its internet phone system and used it to make 11,000 international calls in just 46 hours.” But the Australian business owner wasn’t the only victim. Three companies in the U.S. using IP PBX systems (two from Asterisk) suffered similar fates around the same time.
Adding insult to injury, a slew of neckbeards eventually went online and posted soundless YouTube videos that exuberantly demonstrated, keystroke by keystroke, how to break into the PBX and make free calls.
So what happened?
As an Asterisk reseller said following an attack on one of his customers, “We were so focused on the telephony side [when we installed Asterisk] that we completely overlooked…the IT side, the security side.” It was obvious in hindsight. Their failure to secure the server ensured their demise.
Since then, Asterisk has solidified enormously. It’s now backed up by thousands of skilled IT experts in an open source community who take security very seriously. As of today, there are more than a million Asterisk-based systems in use across more than 170 countries.
The upside of Asterisk
In a nutshell, an Internet Protocol Private Branch Exchange allows you to act as your own personal phone company. You can set up branch menus, dial “9” for an outside line, assign 3-digit extensions for every team member at the office and much more.
We’ve all used PBX and are familiar with the functionality it provides, but most people think of it as something too complex or expensive to implement on our own. Thanks to Asterisk, that’s not the case.
Asterisk offers the same functionality as a hardware PBX, for free… A feature list is available at Asterisk.org.
Laying the groundwork
There are a lot of ways to set up Asterisk. The easiest and most efficient is to install one of the precompiled distributions. Of those, we recommend AsteriskNOW because, while it’s not as flexible as home-brew installations, it allows relatively inexperienced users to change the plumbing and create customizations. It needs to be stressed, though, that you will be forced to operate in a predefined framework.
If you’re feeling a little more adventurous, you can always build your own from source. When you go this route, you get a lot more control over the functionality and it’s actually not as hard as you might think (assuming you know the basics of the command line).
When you install Asterisk from source, you have the freedom to choose your own Linux OS (we recommend Ubuntu) and then tweak the installation for your environment and hardware to maximize performance.
Find full instructions on installing Asterisk from source here.
If you’re planning an Asterisk installation and need advice on securing the system, Ward Mundy has collected the most critical steps for locking down your installation. You’ll find further advice in the forums and wiki at the Asterisk.org website.
So while using Asterisk to commit phone fraud is no longer an issue, hackers (some of whom may be your employees, suppliers or business partners) often find ways to defraud using the system. Click here to download a Phone Bill Fraud Prevention Checklist from the Telecom Association.