Presentation Material
Abstract
CXML and VXML languages are used to power IVR applications. IVR systems are often seen in Phone Banking , Call Center applications, and other auto attendent systems. These devices are connected to internal networks and data bases. The input to these devices are via DTMF and Voice inputs, and all the processed data are read out by the system. So any sort of errors triggered by an attacker internally would be read out by these machines and there are a lot of possible attacks on these systems leading to Internal Network security compromise. The easiest way to find these bugs are by doing a source code audit on these applications. This talk will demonstrate buggy CXML and VXML programs and security issues.
IVR (Interactive Voice Response) System:
IVR systems allow a computer to interact with a human via voice and DTMF keypad Inputs. IVR allows a customer to interact with a company database via keypad or by speech recognition. The procedure is simple, the customer dials in a number via his phone, and he gets connected to the IVR system which is running on the company server. Based on the customers input via keypad (DTMF) and Voice response the IVR system performs the operations. IVR systems are capable from querying the InternalData base to Performing OS related task and many other based on the implementations.
Interactive Voice response systems are implemented in various places like Phone Banking, Tele Voting,Voice Mail, Customer Support, Automobile hands free operation etc. The paper would address security Issues concerning IVR machine in common using Phone Banking implementation for demo exploitation purpose.
Hacking IVR Systems
These systems are considered secured because they are not connected to Internet and as they use a Peer to Peer GSM, CDMA, Wired Telephone line for transactions. And even though these systems come under the scope of security audits, no relevant tool is there for auditing. These systems have access to internal database and stuff, but no firewall is out there capable of monitoring this “telephone line” traffic. We came across many security issues including Input validation and Logic flaws in IVR systems.
Input Validation Attacks
Input validation attacks would be the one class of Remote attacks we would be demonstrating on these systems, but the issue is that since DTMF keypad tones are the input source to these device and that DTMF signals could only carry 0-9, A-D and +#* characters many input validation attacks would flop.There comes the chance of attacking these machines using Voice Data, since we would be able to convert our payload into voice data and transmit it over to the machine thereby overcoming DTMF limitation. So we would be able to launch attacks via telephone lines using the above methodologies.
Logical Flows in Implementations
Many systems we came across depend on spoof-able sources like caller ID and didn’t have protection against automated attacks. There were a serious of other bugs; possible occurred by misassumption of programmers likely considering IVR systems to be untampered. We will be demonstrating a real world Scenario of a responsibly disclosed Phone Banking bug that made it possible to extract Bank Users ATM pin and account balance information.
AI Generated Summarymay contain errors
Here is a summarized version of the content:
The speaker is discussing vulnerabilities in phone-based systems, particularly those that use DTMF (Dual-Tone Multi-Frequency) input. They demonstrate an example of a vulnerable CGA application that resides on a web server and accepts data from IVR applications. By sending a large amount of data through DTMF input, the internal buffer can be crashed, leading to a HTTP server error 500.
The speaker notes that there are limitations in sending actual shell codes to the server due to the limited character set available through DTMF input (0-9, *, and #).
Another area of research mentioned is the vulnerability of DTMF detection algorithms used in PBX systems, telephone routers, and other applications. The speaker is working on creating a fuzzer that can crash these algorithms by sending different frequencies as input.
In response to a question, the speaker mentions that they have tested some banks in India and found vulnerabilities in their phone banking applications, which could be crashed remotely using DTMF input. This poses a significant risk to the banks.
Overall, the speaker is highlighting the potential security risks in phone-based systems that rely on DTMF input and are working on developing exploits to demonstrate these vulnerabilities.