Feeds

'How I CRASHED my bank, stole PINs with a touch-tone phone'

Security bod's boast harks back to 1980s phreaking era

5 things you didn’t know about cloud backup

Miscreants can crash or infiltrate banks and help desks' touch-tone and voice-controlled phone systems with a single call, a security researcher warns.

Rahul Sasi, who works for iSight Partners, said audio processing algorithms in office telephone networks and speech-driven command software are liable to crash when bombarded with unusual data in so-called fuzzing attacks.

Certain DTMF (Dual-Tone Multi-Frequency) signals can cause these private branch exchanges (PBX) and interactive voice response (IVR) systems to raise exceptions and bail out, much in the same way that unexpected input data can knacker applications running on a desktop computer or server.

PBX and IVR machines are often used to run phone banking, call centres and other interactive telephone systems. Given the appropriate DTMF input, it may be possible to crash backend application servers or convince them to cough up sensitive information. Repeating the trick to bring down a machine effectively launches a denial-of-service attack on the phone line as a paper [PDF] by Sasi on the topic explained:

If an attacker could trigger an exception in DTMF-processing algorithms, then they could crash the entire application server by making a single phone call, causing the entire phone banking to become inaccessible, or no calls from the customer goes through. One such denial of service could cause a lot of panic and the amount of damage would be pretty huge. We will be demonstrating a lot of amusing remote DTMF attacks on phone banking, tele-voting, and customer support applications using DTMF.

Sasi (@fb1h2s) delivered his findings at the Hack in the Box conference in Kuala Lumpur, Malaysia. He is due to repeat his research at the Nullcon Delhi conference later this month and at Ruxcon in Melbourne, Australia, in October.

The paper, How I DOS’ed My Bank, reckons the attack technique can be refined to lift data from targeted systems: "We would be able to extract sensitive information about the application’s hosted environment with these sorts of bugs. Since applications that use DTMF algorithms are mainly phone-based, it was possible to extract output in the form of audio data."

It sounds completely infeasible, yet Sasi claimed it was possible to extract customer PINs from an unnamed Indian bank, SC Magazine reports. Systems spew out error messages in response to invalid inputs that leak potentially useful information to attackers, as illustrated in a video posted on Vimeo.

Sasi said banks and call centres need to wake up to the issue, and realise that voice-based systems are far from invulnerable to attack.

"No banks or organisations are testing IVRs because they think the systems are secure, but in reality they are not," he said according to SC Magazine. "No firewall or CAPTCHAs monitor voice traffic."

The content of attacks is restricted to characters available within DTMF signalling: 16 characters limited to the digits 0-9, #, *, a, b, c, and d. Susi is developing a fuzzing program that combines different DTMF input algorithms at variable frequencies. ®

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?