Last week I wrote Grandstream UCM6100 PBX - Yet Another Aastra & snom Disaster? I was looking at it from a partner and reseller perspective. But I was talking with FreePBX's Tony Lewis and he mentioned he discovered the version of Asterisk running on the UCM6100 was 25 versions old, over a year old and with several security flaws fixed since then.
Ward Mundy over at Nerd Vittles also discovered some major security flaws, including a major one in the IVR that could enable a hacker to springboard out from the IVR to the PSTN via the UCM6100's FXO ports. Putting aside the old version of Asterisk and security flaws, the UCM6100 is impressive in several respects. Perhaps the most impressive is that you can get a 2 port FXO / 2 port FXS for $264! Tony Lewis and I were discussing this and he said if you add up all the standard components in the hardware it's roughly the price they're selling it for - so neither of us could figure out how Grandstream is making any money on the UCM6100. I theorized perhaps Grandstream wants the UCM6100 to be a "loss leader", help create some buzz and market share in the PBX space and then slowly raise the prices in a year or two.
With the older version of Asterisk on the UCM6100 and the security flaws discovered by Tony and Ward, I go back to my original statement in my original post - "can't Grandstream just add their 'special' Grandstream features to the FreePBX GPL? Then if Grandstream feels that the FreePBX user interface is a bit too complex and want to hide certain features, they can do what Elastix did and put their own front-end on top of FreePBX. Elastix then offers the option to go “unembedded”, which gives you FULL access to all of FreePBX's user interface and features... Years of FreePBX development with powerful module add-ons, plus Grandstream's intellectual knowledge and features."
Lastly, let me mention that the Grandstream UCM6100 user interface appears to be based on Asterisk GUI / AsteriskNow. I'm told Grandstream does not have a commercial license from Digium to distribute a derived work of the Asterisk GUI outside of the GPLv2 but that Grandstream plans on rectifying this.
Tags: asterisk, asterisknow, freepbx, gpl, grandstream, nerd vittles, open source, pbx, security, tony lewis, voip, ward mundy
Related tags: security flaws, version asterisk, grandstream, freepbx, security, asterisk

Copyright VoIP & Gadgets Blog