{"id":19750,"date":"2012-09-25T20:25:01","date_gmt":"2012-09-26T00:25:01","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-08-13T12:57:39","modified_gmt":"2021-08-13T16:57:39","slug":"ivr-security-threats","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/ivr-security-threats\/","title":{"rendered":"IVR Security Threats"},"content":{"rendered":"<p><a href=\"http:\/\/www.colocationamerica.com\/voip\/ip-ivr.htm\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-109328\" title=\"IVR Security Threats\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/ivr.jpg?resize=98%2C110&#038;ssl=1\" alt=\"IVR Security Threats\" width=\"98\" height=\"110\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/ivr.jpg?resize=134%2C150&amp;ssl=1 134w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/ivr.jpg?resize=67%2C75&amp;ssl=1 67w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/ivr.jpg?w=268&amp;ssl=1 268w\" sizes=\"auto, (max-width: 98px) 100vw, 98px\" \/><\/a>On his excellent <a accesskey=\"1\" title=\"VoIP\/UC Security Blog\" href=\"https:\/\/voipsecurityblog.typepad.com\/marks_voip_security_blog\/\" target=\"_blank\" rel=\"noopener noreferrer\">VoIP\/UC Security Blog<\/a>, <a accesskey=\"1\" title=\"Mark Collier\" href=\"https:\/\/voipsecurityblog.typepad.com\/about.html\" target=\"_blank\" rel=\"noopener noreferrer\">Mark Collier<\/a> <a title=\"DTMF Telephony Denial of Service (TDoS) Issues for IVRs\" href=\"https:\/\/voipsecurityblog.typepad.com\/marks_voip_security_blog\/2012\/09\/dtmf-telephony-denial-of-service-tdos-issues-for-ivrs.html\" target=\"_blank\" rel=\"noopener noreferrer\">points to<\/a> some interesting work on Interactive Voice Response (<a title=\"Interactive Voice Response\" href=\"https:\/\/www.techopedia.com\/definition\/1525\/interactive-voice-response-ivr\" target=\"_blank\" 
rel=\"noopener techopedia noreferrer\">IVR<\/a>) security threats by <a title=\"Rahul Sasi\" href=\"https:\/\/www.blackhat.com\/html\/bh-us-12\/speakers\/Rahul-Sasi.html\" target=\"_blank\" rel=\"noopener noreferrer\">Rahul Sasi<\/a>. IVR systems are used in phone banking, call centers, hospitals, and corporations mainly for information retrieval and account management via phone lines. As a security researcher for <a title=\"iSIGHT Partners\" href=\"https:\/\/web.archive.org\/web\/20200327120232\/http:\/\/isightpartners.com:80\/\" target=\"_blank\" rel=\"noopener noreferrer\">iSIGHT Partners<\/a>, Sasi is doing research on a variety of <a title=\"Vulnerability (computing)\" href=\"http:\/\/en.wikipedia.org\/wiki\/Vulnerability_%28computing%29\" target=\"_blank\" rel=\"noopener wikipedia noreferrer\">security vulnerabilities<\/a> that may be present in IVRs.<\/p>\n<p>The author says that IVR security threats are present in IVR systems used for financial transactions. Sasi presented some of his findings at <a title=\"Hack In The Box\" href=\"http:\/\/news.hitb.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">Hack In The Box<\/a> Malaysia 2011 and the video is <a title=\"YouTube\" href=\"http:\/\/www.youtube.com\/watch?v=-y7aIKLgMoM&amp;feature=share&amp;list=PLC5B9F43419619F9E\" target=\"_blank\" rel=\"noopener noreferrer\">available here<\/a>. 
Collier summarizes the IVR security threats in his blog:<\/p>\n<ul>\n<li><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-109330 size-medium\" title=\"Telcom closet\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/telcom_rack_not_mine-e1571263226205-112x150.jpg?resize=112%2C150&#038;ssl=1\" alt=\"Telcom closet\" width=\"112\" height=\"150\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/telcom_rack_not_mine-e1571263226205.jpg?w=112&amp;ssl=1 112w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/telcom_rack_not_mine-e1571263226205.jpg?resize=56%2C75&amp;ssl=1 56w\" sizes=\"auto, (max-width: 112px) 100vw, 112px\" \/>Information harvesting &#8211; for account numbers and PINs, guessing a static 4-digit PIN for a range of account numbers. The odds of a hit are pretty good. Some IVRs lock the account but reset at midnight.<\/li>\n<li>Injection &#8211; through the input of spoken words (&#8220;test&#8221;, &#8220;.&#8221;, &#8220;com&#8221;, etc.), supporting <a title=\"VoiceXML\" href=\"http:\/\/en.wikipedia.org\/wiki\/VoiceXML\" target=\"_blank\" rel=\"noopener wikipedia noreferrer\">VXML<\/a> servers can be fingerprinted, affected, and possibly even crashed.<\/li>\n<li><a title=\"DTMF Explained\" href=\"https:\/\/web.archive.org\/web\/20170516015735\/http:\/\/www.genave.com:80\/dtmf.htm\" target=\"_blank\" rel=\"noopener noreferrer\">DTMF<\/a> DoS &#8211; by entering a large number of tones or adjusting frequency\/tone duration, it may be possible to affect or crash DTMF processing software in IVRs. This could be particularly nasty, as DTMF processing is very common.<\/li>\n<\/ul>\n<p>Collier concludes that since most of these IVR attacks simply involve the transmission of DTMF, they are very easy to execute and automate. 
These vulnerabilities could impact any IVR, whether it is <a title=\"Time-division multiplexing\" href=\"https:\/\/www.techopedia.com\/definition\/9669\/time-division-multiplexing-tdm\" target=\"_blank\" rel=\"noopener wikipedia noreferrer\">TDM<\/a>, <a title=\"Voip\" href=\"https:\/\/web.archive.org\/web\/20190710223245\/https:\/\/www.wikinvest.com\/concept\/Voip\" target=\"_blank\" rel=\"noopener wikinvest noreferrer\">VoIP<\/a>, or the latest UC.<\/p>\n<p><strong><em>rb-<\/em><\/strong><\/p>\n<p><em>None of these issues seem new to me; they are just new applications of old attack vectors.<\/em><\/p>\n<ul>\n<li><a href=\"https:\/\/www.vo2gogo.com\/demos\/ivr\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-109332\" title=\"Ma Bell telephone operators\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/telephone-operators.jpg?resize=111%2C83&#038;ssl=1\" alt=\"Ma Bell telephone operators\" width=\"111\" height=\"83\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/telephone-operators.jpg?resize=150%2C113&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/telephone-operators.jpg?resize=75%2C56&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/telephone-operators.jpg?w=300&amp;ssl=1 300w\" sizes=\"auto, (max-width: 111px) 100vw, 111px\" \/><\/a><em>Who remembers blue boxes or the most famous phone phreak <a title=\"John Draper\" href=\"https:\/\/en.wikipedia.org\/wiki\/John_Draper\" target=\"_blank\" rel=\"noopener noreferrer\">John &#8220;Captain Crunch&#8221; Draper<\/a>?<\/em><\/li>\n<li><em>Info harvesting is a typical technique in web 2.0. 
Attackers successfully harvest personal info from websites like <a title=\"LinkedIn\" href=\"http:\/\/www.linkedin.com\" target=\"_blank\" rel=\"homepage noopener noreferrer\">LinkedIn<\/a> all the time.<\/em><\/li>\n<li><em>Does VXML injection = <a title=\"SQL Injection\" href=\"https:\/\/www.techopedia.com\/definition\/4126\/sql-injection\" target=\"_blank\" rel=\"noopener techopedia noreferrer\">SQL injection<\/a>? Time for the programmers to step up.<\/em><\/li>\n<li><em>DTMF DoS can lead to a buffer overflow; are your systems patched?<\/em><\/li>\n<\/ul>\n<p><em>All in all, these vulnerabilities create IVR security threats.<\/em><\/p>\n<h6>Related articles<\/h6>\n<ul>\n<li><a href=\"https:\/\/voipsecurityblog.typepad.com\/marks_voip_security_blog\/2012\/09\/voicevoipuc-security-intro-first-excerpt-from-our-voice-security-report.html\" target=\"_blank\" rel=\"noopener noreferrer\">Voice\/VoIP\/UC Security Intro &#8211; First Excerpt from Our Voice Security Report<\/a> (voipsecurityblog.typepad.com)<\/li>\n<\/ul>\n<p><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0<a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on <a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>,\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. 
Email the Bach Seat\u00a0<a href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Is your IVR vulnerable to hacks by DTMF tones? They are easy to execute and automate, and they can impact any IVR, whether TDM, VoIP, or UC.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[2197,1748,768,1383,1374,1381,4,1380,1377,1378,1382,1501],"class_list":["post-19750","post","type-post","status-publish","format-standard","hentry","category-security","tag-2197","tag-ddos","tag-denial-of-service-attack","tag-dtmf","tag-interactive-voice-response","tag-ivr","tag-security","tag-tdm","tag-time-division-multiplexing","tag-voicexml","tag-voip","tag-vulnerability"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/19750","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=19750"}],"version-history":[{"count":15,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/19750\/revisions"}],"predecessor-version":[{"id":131024,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/19750\/revisions\/131024"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=19750"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=19750"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=19750"}],"curies":[{"
name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}