Feeds

'How I CRASHED my bank, stole PINs with a touch-tone phone'

Security bod's boast harks back to 1980s phreaking era

Using blade systems to cut costs and sharpen efficiencies

Miscreants can crash or infiltrate banks and help desks' touch-tone and voice-controlled phone systems with a single call, a security researcher warns.

Rahul Sasi, who works for iSight Partners, said audio processing algorithms in office telephone networks and speech-driven command software are liable to crash when bombarded with unusual data in so-called fuzzing attacks.

Certain DTMF (Dual-Tone Multi-Frequency) signals can cause these private branch exchanges (PBX) and interactive voice response (IVR) systems to raise exceptions and bail out, much in the same way that unexpected input data can knacker applications running on a desktop computer or server.

PBX and IVR machines are often used to run phone banking, call centres and other interactive telephone systems. Given the appropriate DTMF input, it may be possible to crash backend application servers or convince them to cough up sensitive information. Repeating the trick to bring down a machine effectively launches a denial-of-service attack on the phone line as a paper [PDF] by Sasi on the topic explained:

If an attacker could trigger an exception in DTMF-processing algorithms, then they could crash the entire application server by making a single phone call, causing the entire phone banking to become inaccessible, or no calls from the customer goes through. One such denial of service could cause a lot of panic and the amount of damage would be pretty huge. We will be demonstrating a lot of amusing remote DTMF attacks on phone banking, tele-voting, and customer support applications using DTMF.

Sasi (@fb1h2s) delivered his findings at the Hack in the Box conference in Kuala Lumpur, Malaysia. He is due to repeat his research at the Nullcon Delhi conference later this month and at Ruxcon in Melbourne, Australia, in October.

The paper, How I DOS’ed My Bank, reckons the attack technique can be refined to lift data from targeted systems: "We would be able to extract sensitive information about the application’s hosted environment with these sorts of bugs. Since applications that use DTMF algorithms are mainly phone-based, it was possible to extract output in the form of audio data."

It sounds completely infeasible, yet Sasi claimed it was possible to extract customer PINs from an unnamed Indian bank, SC Magazine reports. Systems spew out error messages in response to invalid inputs that leak potentially useful information to attackers, as illustrated in a video posted on Vimeo.

Sasi said banks and call centres need to wake up to the issue, and realise that voice-based systems are far from invulnerable to attack.

"No banks or organisations are testing IVRs because they think the systems are secure, but in reality they are not," he said according to SC Magazine. "No firewall or CAPTCHAs monitor voice traffic."

The content of attacks is restricted to characters available within DTMF signalling: 16 characters limited to the digits 0-9, #, *, a, b, c, and d. Susi is developing a fuzzing program that combines different DTMF input algorithms at variable frequencies. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.