There has been some recent madness in the open source communications world and I thought I had to get involved to get the matter settled properly. Some media outlets reported on the fact that the FBI put out a vague statement via the IC3 regarding how Asterisk may be susceptible to vishing attacks or caller ID spoofing via VoIP.

Before commenting I waited to hear back from Digium’s John Todd who explained that there were some methodology and editorial process issues in this alert – basically no one checked with Digium before going public. As it turns out, after checking with Digium, the FBI quickly revised their statement and everything is fine.

The details are that there was a bug which Digium found in March of 2008 and subsequently patched in version 1.2 and 1.4. Version 1.6 is not affected. Besides, according to Todd, the security issue would arise if system administrators basically disregarded logical security measures like using numerals in passwords.

For your reference you may want to check out the blog entry from Todd titled SIP Security and Asterisk as well as the updated IC3 warning from the FBI.

I am sure by the time Asterisk World rolls around in a few months in Miami, we will all be laughing about this incident and marveling at the opportunity that is open source communications.