I found some interesting material relating to attacks on Interactive Voice Response (IVR) systems. Rahul Sasi is doing some interesting research on a variety of vulnerabilities that may be present in IVRs, including, in particular, those used for financial transactions. I included links to several presentations below, as well as a description of an upcoming paper. A quick summary of the possible vulnerabilities is:
- Information harvesting - of account numbers and PINs, by trying one static 4-digit PIN against a range of account numbers. The odds of a hit are pretty good. Some IVRs lock the account after repeated failures, but the lock resets at midnight.
- Injection - by speaking words such as "test", ".", or "com" into the IVR, the supporting VXML servers can be fingerprinted, affected, and possibly even crashed.
- DTMF DoS - by entering a large number of tones or adjusting frequency/tone duration, it may be possible to affect or crash DTMF processing software in IVRs. This could be particularly nasty, as DTMF processing is very common.
Since most of these attacks simply involve transmitting DTMF tones, they are very easy to execute and automate. These vulnerabilities could impact any IVR, whether it is TDM, VoIP, the latest UC, etc.
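The information-harvesting item above points at a control gap worth seeing in code: a per-account failure counter that resets at midnight never fires when a caller tries one PIN per account across many accounts, and it also loses its count at the calendar boundary. The following is an added example, not code from the original post or from Rahul Sasi's research; it assumes a hypothetical IVR authentication log with fields (timestamp, caller_id, account, pin_ok) and runs the weak per-account check, a sliding-window variant, and a per-caller horizontal detector over a constructed sample of events.

```python
"""Detection logic for IVR PIN guessing (added example, hypothetical log format).

Assumed log record per authentication attempt: (timestamp, caller_id as
presented to the IVR, account number entered, whether the PIN matched).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    caller_id: str   # calling number / ANI as seen by the IVR
    account: str
    pin_ok: bool


def locked_by_calendar_day(events, max_failures=3):
    """Weak control described in the post: per-account failure counter that
    resets at midnight. Returns the set of accounts that ever reached the limit."""
    counts = {}        # account -> (calendar day, failures that day)
    locked = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.pin_ok:
            continue
        day, n = counts.get(e.account, (e.ts.date(), 0))
        if day != e.ts.date():          # midnight: the counter starts over
            day, n = e.ts.date(), 0
        n += 1
        counts[e.account] = (day, n)
        if n >= max_failures:
            locked.add(e.account)
    return locked


def locked_by_sliding_window(events, max_failures=3, window=timedelta(hours=24)):
    """Hardened variant: failures are counted over a rolling window, so the
    count is not discarded at a calendar boundary."""
    recent = defaultdict(deque)       # account -> timestamps of recent failures
    locked = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.pin_ok:
            continue
        q = recent[e.account]
        q.append(e.ts)
        while q and e.ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            locked.add(e.account)
    return locked


def detect_pin_spray(events, window=timedelta(hours=1), min_accounts=5):
    """Horizontal pattern: one caller failing against many distinct accounts.
    Per-account counters see at most one failure each and never trigger.
    Returns {caller_id: peak number of distinct accounts failed in the window}."""
    fails = defaultdict(deque)        # caller -> (ts, account) of recent failures
    flagged = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.pin_ok:
            continue
        q = fails[e.caller_id]
        q.append((e.ts, e.account))
        while q and e.ts - q[0][0] > window:
            q.popleft()
        distinct = {acct for _, acct in q}
        if len(distinct) >= min_accounts:
            flagged[e.caller_id] = max(flagged.get(e.caller_id, 0), len(distinct))
    return flagged


def sample_events():
    """Constructed sample records (not real call data) spanning midnight."""
    t0 = datetime(2012, 3, 1, 23, 57)
    ev = []
    # one caller, one PIN guess each against 8 different accounts
    for i in range(8):
        ev.append(AuthEvent(t0 + timedelta(minutes=i), "+15550100", f"ACCT{1000 + i}", False))
    # same caller, 2 failures before midnight and 2 after on a single account
    for m in (0, 1, 4, 5):            # 23:57, 23:58, 00:01, 00:02
        ev.append(AuthEvent(t0 + timedelta(minutes=m), "+15550100", "ACCT2000", False))
    # legitimate customer mistypes twice, then succeeds
    ev.append(AuthEvent(t0 + timedelta(minutes=10), "+15550199", "ACCT3000", False))
    ev.append(AuthEvent(t0 + timedelta(minutes=11), "+15550199", "ACCT3000", False))
    ev.append(AuthEvent(t0 + timedelta(minutes=12), "+15550199", "ACCT3000", True))
    return ev


if __name__ == "__main__":
    ev = sample_events()
    print("calendar-day lockouts:", locked_by_calendar_day(ev))      # set()
    print("sliding-window lockouts:", locked_by_sliding_window(ev))  # {'ACCT2000'}
    print("callers spraying PINs:", detect_pin_spray(ev))            # {'+15550100': 9}
```

On the constructed sample the calendar-day counter locks nothing: the four failures on ACCT2000 are split 2/2 by midnight, and every other account sees a single failure. The sliding window locks ACCT2000, and the per-caller check is the only one that surfaces the horizontal pattern, which is why a per-source velocity limit belongs alongside any per-account lockout.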
- HITB Malaysia 2011
- Blackhat Europe 2012
- Upcoming paper at Nullcon 2012