Monday, April 12, 2010

ooma to start charging monthly fees

According to ooma's website, it appears that they are going to start charging monthly fees:

I guess there's no more free lunch.

Thursday, April 2, 2009

ooma and GPL

According to FierceVoIP:

The current ooma device has a 450 Mhz ARM processor onboard running Linux [and] a derivative version of Asterisk...

ooma has released their modifications to Linux, per the GPL:

I wonder if ooma has purchased a commercial license for Asterisk? If not, I believe they must release the source code mods they've made to Asterisk as well.

Tuesday, March 31, 2009

Ooma ends P2P (Distributed Termination)


Just an FYI -- ooma is not routing calls over other users' landlines (e.g. Distributed Termination). Any mention of this was removed from the user T&Cs and the ooma website a few months ago. The original intent of this "people-powered" network was to save costs with calling. Unfortunately it lent itself to be a poor user experience due to the fact we needed to block the outgoing caller-ID (e.g. a call going over another user's landline would show as "unknown" as the caller-ID instead of the caller's true name). Also, our business plan went through a couple revisions last year (starting with separating out enhanced features -- ooma Premier -- from the core service features and further recognizing calling economies of scale). As a result, we are able to continue to offer free phone service as a sustainable and scalable business.

They say they can still make the business work without it, claiming their termination costs are .5 of a penny or less ($0.005) and average usage is 350 minutes per month, which comes out to $21 per year. They also have to pay for a DID (phone number), though, and there are support, G&A and marketing costs as well. And how much gross profit is there on the box when it sells at retail for $200 (Amazon)?

Monday, December 10, 2007

Former NSA Agent comments on ooma security

Ira Winkler, former National Security Agency analyst and author of Spies Among Us, says:

See, Ooma is actually less secure than a traditional landline. By using Ooma, your call would be going out over the landline of a complete stranger, making it theoretically subject to eavesdropping. I can see those with criminal intent agreeing to be an Ooma subscriber, so they can eavesdrop on calls being routed through their Ooma box. They could listen in on people giving out their personal account information, credit card numbers, and other sensitive details.

He cites a podcast interview from back in July where ooma CEO Andrew Frame proudly states that he thinks his system cannot be broken, and challenges hackers to "Bring it on!" (the quote is about 15 minutes into the video). Winkler says:

It has been my personal opinion that the only people who promise perfect security are fools or liars. Frame can decide which one he is.

Personally, I don't think anyone cares, other than security geeks. Even if you told people their calls can be recorded, they would probably still use the system to get "free" calls. Another key point is:

If Ooma turns out to be a success, they will definitely attract the attention of the "hackers" that Frame challenges.

Indeed. If TiVo or iPhone never got popular, nobody would have hacked them. Until ooma is widely deployed, there won't be many hacks. But when we find them, you can be sure we will report them here first.

Saturday, November 3, 2007

Becoming an altruistic peer

In the last post we presented one case of an altruistic individual expanding the ooma P2P model to our friends and neighbors outside the US and anyone with SIP capability.

This post provides instructions for others to continue in those footsteps to also become an altruistic peer.

Refer to this diagram:

This shows the setup for an altruistic peer, enabling access to US PSTN numbers for SIP users, in the same manner as here.

  1. Purchase a PhoneGnome box. Use this link to get it for $79.99 with the necessary "PowerSuite" service included free (instead of the $124.98 normal price). Or get a used one on eBay. Or convert an old SPA-3000 for free here.

  2. Connect the LINE port of the PhoneGnome box directly to any phone service you want (i.e. follow the standard setup of the device) and let it complete its one-time self-config to that number/line.

  3. Now connect the LINE port of PhoneGnome box to the Phone port of the ooma hub as shown in the above diagram.

  4. Sign in to My PhoneGnome and go to Features / MobileGnome / Edit. Under PIN Authentication choose "NOT Required". DO NOT click 'Enabled'. Just click 'Save'.

  5. To avoid risk of International calls, click 'Activate' for the Intl Call Blocking feature on the Features page.

  6. Set up a SIPbroker account here with sip address where number is the PhoneGnome account phone number from step 2 above (with 1 in front)

  7. Set up a SIPbroker alias.

  8. Publish your SIPbroker alias as a comment to this post or elsewhere so people know how to access it.

People can now call the SIPbroker alias from SIP and they will get a dial tone and can then place a call via the ooma hub to a US number dialing 1-areacode-number. People can also dial one of the SIPbroker PSTN numbers to do the same thing by dialing your alias and then getting a second dial tone and dialing the destination number.

This setup has little cost to the altruistic peer beyond the initial hardware, since the ooma service is still available at the ooma scout via the "Instant Second Line". Nor does it add cost to other ooma users or the ooma network, since users already pay for unlimited local calling for DT (distributed termination).

Obviously this same thing can also be done using Asterisk with an FXO card or other means. We show a solution using the PhoneGnome device because (1) it requires no special VoIP expertise and (2) it doesn't require the sharing node (altruistic peer) to run and manage a server 24x7. And in general the $80 box is cheaper than a PC plus FXO card anyway.

Hopefully, if some of us US users provide free calls to our neighbors outside the US in this way, some people outside the US will reciprocate and make their local phone service available in a similar manner for local calls to countries outside the US (say India for instance). They can do so using PhoneGnome in a way similar to that shown above (since that box works outside the US) or using any means they prefer.

Thanks to reader baloneypony for the diagram and step-by-step instructions.

Friday, November 2, 2007

Easter Egg

From a reader:


Should receive dial tone. Dial a US number as 1-areacode-number

Also reachable from outside the US at these numbers where once connected, dial *0111195258 to get second dial tone. Then dial 1-areacode-number

If abused will be taken down.

Perhaps others will follow suit and do something similar in the name of service to our global neighbors.

Wednesday, October 10, 2007

Ooma pranks, or "how to Punk Ashton Kutcher"

If we assume that ooma's "creative director" eats the company dog food and uses ooma, then a call made by the former TV star may eventually be directed through our ooma hub, as a result of the company's patent-pending "distributed termination." This feature can be exploited by attackers to perform various attacks, including:

  • Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing

  • Tracking phone calls placed by the user

  • Preventing the phone from dialing

Plug the output of the Ooma hub that is supposed to connect to your landline into an ATA registered to your Asterisk server.

Assume that this ATA registers as "oomahub" to your server and inbound calls arrive at the context "ooma-in". In extensions.conf we may find something like this:

[ooma-in]
; inbound calls from the "oomahub" ATA arrive in this context
exten => _XXXXXXX.,1,Goto(ooma-prank,s,1)

[ooma-prank]
exten => s,1,SetVar(X=$[${EPOCH} % 10])
exten => s,2,Goto(ooma-prank,prank-${X},1)

; The call will be directed to prank-0 thru prank-9

; prank 0 - send Ashton to a phone sex line
exten => prank-0,1,Answer
exten => prank-0,2,Dial(SIP/
exten => prank-0,3,Hangup

; prank 1 - play audio clip from Ashton's classic "My Boss's Daughter"
exten => prank-1,1,Answer
exten => prank-1,2,MP3Player(music/MyBossDaughter.mp3)
exten => prank-1,3,Hangup

; ... other pranks here

Of course you know that this information is provided purely for entertainment purposes and nobody should actually do this, right?

However, it does point out some of the risks associated with using ooma's service.