Feeds

'How I CRASHED my bank, stole PINs with a touch-tone phone'

Security bod's boast harks back to 1980s phreaking era

Combat fraud and increase customer satisfaction

Miscreants can crash or infiltrate banks and help desks' touch-tone and voice-controlled phone systems with a single call, a security researcher warns.

Rahul Sasi, who works for iSight Partners, said audio processing algorithms in office telephone networks and speech-driven command software are liable to crash when bombarded with unusual data in so-called fuzzing attacks.

Certain DTMF (Dual-Tone Multi-Frequency) signals can cause these private branch exchanges (PBX) and interactive voice response (IVR) systems to raise exceptions and bail out, much in the same way that unexpected input data can knacker applications running on a desktop computer or server.

PBX and IVR machines are often used to run phone banking, call centres and other interactive telephone systems. Given the appropriate DTMF input, it may be possible to crash backend application servers or convince them to cough up sensitive information. Repeating the trick to bring down a machine effectively launches a denial-of-service attack on the phone line as a paper [PDF] by Sasi on the topic explained:

If an attacker could trigger an exception in DTMF-processing algorithms, then they could crash the entire application server by making a single phone call, causing the entire phone banking to become inaccessible, or no calls from the customer goes through. One such denial of service could cause a lot of panic and the amount of damage would be pretty huge. We will be demonstrating a lot of amusing remote DTMF attacks on phone banking, tele-voting, and customer support applications using DTMF.

Sasi (@fb1h2s) delivered his findings at the Hack in the Box conference in Kuala Lumpur, Malaysia. He is due to repeat his research at the Nullcon Delhi conference later this month and at Ruxcon in Melbourne, Australia, in October.

The paper, How I DOS’ed My Bank, reckons the attack technique can be refined to lift data from targeted systems: "We would be able to extract sensitive information about the application’s hosted environment with these sorts of bugs. Since applications that use DTMF algorithms are mainly phone-based, it was possible to extract output in the form of audio data."

It sounds completely infeasible, yet Sasi claimed it was possible to extract customer PINs from an unnamed Indian bank, SC Magazine reports. Systems spew out error messages in response to invalid inputs that leak potentially useful information to attackers, as illustrated in a video posted on Vimeo.

Sasi said banks and call centres need to wake up to the issue, and realise that voice-based systems are far from invulnerable to attack.

"No banks or organisations are testing IVRs because they think the systems are secure, but in reality they are not," he said according to SC Magazine. "No firewall or CAPTCHAs monitor voice traffic."

The content of attacks is restricted to characters available within DTMF signalling: 16 characters limited to the digits 0-9, #, *, a, b, c, and d. Susi is developing a fuzzing program that combines different DTMF input algorithms at variable frequencies. ®

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.