Feeds

'How I CRASHED my bank, stole PINs with a touch-tone phone'

Security bod's boast harks back to 1980s phreaking era

Remote control for virtualized desktops

Miscreants can crash or infiltrate banks and help desks' touch-tone and voice-controlled phone systems with a single call, a security researcher warns.

Rahul Sasi, who works for iSight Partners, said audio processing algorithms in office telephone networks and speech-driven command software are liable to crash when bombarded with unusual data in so-called fuzzing attacks.

Certain DTMF (Dual-Tone Multi-Frequency) signals can cause these private branch exchanges (PBX) and interactive voice response (IVR) systems to raise exceptions and bail out, much in the same way that unexpected input data can knacker applications running on a desktop computer or server.

PBX and IVR machines are often used to run phone banking, call centres and other interactive telephone systems. Given the appropriate DTMF input, it may be possible to crash backend application servers or convince them to cough up sensitive information. Repeating the trick to bring down a machine effectively launches a denial-of-service attack on the phone line as a paper [PDF] by Sasi on the topic explained:

If an attacker could trigger an exception in DTMF-processing algorithms, then they could crash the entire application server by making a single phone call, causing the entire phone banking to become inaccessible, or no calls from the customer goes through. One such denial of service could cause a lot of panic and the amount of damage would be pretty huge. We will be demonstrating a lot of amusing remote DTMF attacks on phone banking, tele-voting, and customer support applications using DTMF.

Sasi (@fb1h2s) delivered his findings at the Hack in the Box conference in Kuala Lumpur, Malaysia. He is due to repeat his research at the Nullcon Delhi conference later this month and at Ruxcon in Melbourne, Australia, in October.

The paper, How I DOS’ed My Bank, reckons the attack technique can be refined to lift data from targeted systems: "We would be able to extract sensitive information about the application’s hosted environment with these sorts of bugs. Since applications that use DTMF algorithms are mainly phone-based, it was possible to extract output in the form of audio data."

It sounds completely infeasible, yet Sasi claimed it was possible to extract customer PINs from an unnamed Indian bank, SC Magazine reports. Systems spew out error messages in response to invalid inputs that leak potentially useful information to attackers, as illustrated in a video posted on Vimeo.

Sasi said banks and call centres need to wake up to the issue, and realise that voice-based systems are far from invulnerable to attack.

"No banks or organisations are testing IVRs because they think the systems are secure, but in reality they are not," he said according to SC Magazine. "No firewall or CAPTCHAs monitor voice traffic."

The content of attacks is restricted to characters available within DTMF signalling: 16 characters limited to the digits 0-9, #, *, a, b, c, and d. Susi is developing a fuzzing program that combines different DTMF input algorithms at variable frequencies. ®

Intelligent flash storage arrays

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.