Feeds

'How I CRASHED my bank, stole PINs with a touch-tone phone'

Security bod's boast harks back to 1980s phreaking era

Protecting against web application threats using SSL

Miscreants can crash or infiltrate banks and help desks' touch-tone and voice-controlled phone systems with a single call, a security researcher warns.

Rahul Sasi, who works for iSight Partners, said audio processing algorithms in office telephone networks and speech-driven command software are liable to crash when bombarded with unusual data in so-called fuzzing attacks.

Certain DTMF (Dual-Tone Multi-Frequency) signals can cause these private branch exchanges (PBX) and interactive voice response (IVR) systems to raise exceptions and bail out, much in the same way that unexpected input data can knacker applications running on a desktop computer or server.

PBX and IVR machines are often used to run phone banking, call centres and other interactive telephone systems. Given the appropriate DTMF input, it may be possible to crash backend application servers or convince them to cough up sensitive information. Repeating the trick to bring down a machine effectively launches a denial-of-service attack on the phone line as a paper [PDF] by Sasi on the topic explained:

If an attacker could trigger an exception in DTMF-processing algorithms, then they could crash the entire application server by making a single phone call, causing the entire phone banking to become inaccessible, or no calls from the customer goes through. One such denial of service could cause a lot of panic and the amount of damage would be pretty huge. We will be demonstrating a lot of amusing remote DTMF attacks on phone banking, tele-voting, and customer support applications using DTMF.

Sasi (@fb1h2s) delivered his findings at the Hack in the Box conference in Kuala Lumpur, Malaysia. He is due to repeat his research at the Nullcon Delhi conference later this month and at Ruxcon in Melbourne, Australia, in October.

The paper, How I DOS’ed My Bank, reckons the attack technique can be refined to lift data from targeted systems: "We would be able to extract sensitive information about the application’s hosted environment with these sorts of bugs. Since applications that use DTMF algorithms are mainly phone-based, it was possible to extract output in the form of audio data."

It sounds completely infeasible, yet Sasi claimed it was possible to extract customer PINs from an unnamed Indian bank, SC Magazine reports. Systems spew out error messages in response to invalid inputs that leak potentially useful information to attackers, as illustrated in a video posted on Vimeo.

Sasi said banks and call centres need to wake up to the issue, and realise that voice-based systems are far from invulnerable to attack.

"No banks or organisations are testing IVRs because they think the systems are secure, but in reality they are not," he said according to SC Magazine. "No firewall or CAPTCHAs monitor voice traffic."

The content of attacks is restricted to characters available within DTMF signalling: 16 characters limited to the digits 0-9, #, *, a, b, c, and d. Susi is developing a fuzzing program that combines different DTMF input algorithms at variable frequencies. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.