On his excellent VoIP/UC Security Blog, Mark Collier points to some interesting work on Interactive Voice Response (IVR) security threats by Rahul Sasi. IVR systems are used in phone banking, call centers, hospitals, and corporations mainly for information retrieval and account management via phone lines. As a security researcher for iSIGHT Partners, Sasi is doing research on a variety of security vulnerabilities that may be present in IVRs.
The author says that IVR security threats are present in IVR systems used for financial transactions. Sasi presented some of his findings at Hack In The Box Malaysia 2011 and the video is available here. Collier summarizes the IVR security threats in his blog:
Information harvesting – for account numbers and PINs, guessing a static 4-digit PIN for a range of account numbers. The odds of a hit are pretty good. Some IVRs lock the account but reset at midnight.- Injection – through the input of spoken words (“test”, “.”, “com”, etc.), supporting VXML servers can be fingerprinted, affected, and possibly even crashed.
- DTMF DoS – by entering a large number of tones or adjusting frequency/tone duration, it may be possible to affect or crash DTMF processing software in IVRs. This could be particularly nasty, as DTMF processing is very common.
Collier concludes that since most of these IVR attacks simply involve the transmission of DTMF, they are very easy to execute and automate. These vulnerabilities could impact any IVR, whether it is TDM, VoIP, the latest UC.
rb-
None of these issues seem new to me, they are just new applications of old attack vectors.
Who remembers blue boxes or the most famous phone phreak John “Captain Crunch” Draper.- Info harvesting is a typical technique in web 2.0. Attackers successfully harvest personal info from websites like LinkedIn all the time.
- Does VXML injection = SQL injection? time for the programmers to step up.
- DTMF DOS can lead to a buffer-overflow, are your systems patched?
All in all these vulnerabilities create IVR security threats.
Related articles
- Voice/VoIP/UC Security Intro – First Excerpt from Our Voice Security Report (voipsecurityblog.typepad.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.