Slashdot Mirror


Spoken Commands Crash Bank Phone Lines

mask.of.sanity writes "A security researcher has demonstrated a series of attacks that are capable of disabling touch tone and voice activated phone systems, forcing them to disclose sensitive information. The commands can be keyed in using touchtones or even using the human voice. In one test, a phone system run by an unnamed Indian bank had dumped customer PINs. In another, a buffer overflow was triggered against a back-end database. Other attacks can be used to crash phone systems outright."

178 comments

  1. Good by Anonymous Coward · · Score: 5, Funny

    I hate those automated prompts.

    1. Re:Good by justforgetme · · Score: 3, Interesting

      Especially if after pressing all possible combinations and you finally get to the part where it says "I'll connect you to a human being" the whole system blows up and you have to start over. Which in my experience happens approximately 100% of the time.

      --
      -- no sig today
    2. Re:Good by SJHillman · · Score: 5, Insightful

      I don't mind a lot of the entirely automated systems (although some are horrible), nor do I mind waiting for a human. However, it's the hybrid systems where you go through anywhere from five to twenty layers of prompts only to be connected to a human who then asks you all of the same questions as the automated system that I really hate.

    3. Re:Good by JustOK · · Score: 5, Funny

      Press SQRT(-1) if this annoys you.

      --
      rewriting history since 2109
    4. Re:Good by TheCarp · · Score: 5, Insightful

      I don't even mind the hybrid systems, in theory.

      What I mind is the last part. I am on with the machine, it collects all the info that a human operator would need, makes sense....helps speed things along, route calls, and keep the actual time of the operator useful, rather than monotonously getting account details....cool.

      In reality though, it's exactly as you say.... I spend all that time on with the computer, give it all my info, verify my account...and then... the operator gets on and asks for all that info again....

      So it didn't save him from monotony, it didn't keep his time useful.... all it did was waste my time.... yay.

      --
      "I opened my eyes, and everything went dark again"
    5. Re:Good by fuzzyfuzzyfungus · · Score: 2

      Good Morning, Sir, would you mind confirming your slashdot UID for me before I can respond to your post?

    6. Re:Good by L4t3r4lu5 · · Score: 2

      444?

      Spamfilter spamfilter.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    7. Re:Good by Anonymous Coward · · Score: 2, Informative

      I don't mind a lot of the entirely automated systems (although some are horrible), nor do I mind waiting for a human. However, it's the hybrid systems where you go through anywhere from five to twenty layers of prompts only to be connected to a human who then asks you all of the same questions as the automated system that I really hate.

      Say "operator" when you're dealing with an automated system, and it'll generally hook you straight up to a real live homo sapien.

      Now you know.

    8. Re:Good by h4rr4r · · Score: 5, Insightful

      Wasting your time is good for them, it reduces the number of hangups. Far more importantly, it means hold times don't start until after all the prompts have been exhausted. This makes the call center numbers look great.

      Record a stupid metric get a stupid result.

    9. Re:Good by SlippyToad · · Score: 5, Interesting

      the operator gets on and asks for all that info again....

      I bitched about that once. Turns out, they are killing time while your screen comes up from their glacially-slow system.

      --
      One day I feel I'm ahead of the wheel / the next it's rolling over me / I can get back on / I can get back on
    10. Re:Good by dywolf · · Score: 1

      I do too. "Please say or key in your PIN/Account/Social Security/Member Number" ... ya I want to say my very important number out loud...
      Luckily USAA lets you key in the stuff too. I've come across some that don't, and I frankly refuse to use them.

      But when I saw this article, my first thought was, what do I say to trigger a money dump into my account?

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
    11. Re:Good by dywolf · · Score: 1

      usually, in the good systems (natch!), you just keep hitting 0, or saying "Representative" or else something that it can't decipher and it'll take you right to an operator, after only about 15 seconds.

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
    12. Re:Good by Anonymous Coward · · Score: 0

      Press SQRT(-1) if this annoys you.

      My phone has a key for that. j and k too.

    13. Re:Good by Phreakiture · · Score: 1

      Here are the two worst I have encountered:

      One was a customer satisfaction survey. For each question, it asked the question, and then followed it with this entire message: "Press 1 for strongly agree; press 2 for agree; press 3 for neither agree nor disagree; press 4 for disagree; press 5 for strongly disagree." Now, I have no problem with this kind of prompt existing, but seriously, after the first question, I get how it works. Oh, I almost forgot: It would not accept any input until it had finished reading off the entire fucking message!

      The other is a bank with which we have a loan. The sequence I go through is this: "Thank you for calling the Very Big Bank customer service line. For account information, press 1. For-" I press 1. "To inquire by account number or social security number, press 1. To inquire-" I press 1, but not too early or it just restarts this message. "Please have your account number or social security number ready. To inquire by account number, press 1. To inquire by-" I press 1. "Please enter your account number." Let's say, for the sake of the argument that the number is 555555555. "One moment, while we retrieve your account." Two seconds pass. "The account number you entered is. Five. Five. Five. Five. Five. Five. Five. Five. Five. Five. If this is correct, press 1. If-" You couldn't have asked me this before retrieving my account? Okay, fine. I press 1. "For a payoff balance or payment amount, press 1. For-" I press 1. "For payoff balance, press 1. For-" I press 1. "The following message contains payoff information. You will be given an opportunity to receive a fax copy at the end of this message. Account number. Five. Five. Five. Five. Five. Five. Five. Five. Five. Five. Date of the last payment was. September. Third. Two. Thousand. Twelve. As-of. September. Seventeenth. Two. Thousand. Twelve. Your payoff balance was. Fifteen. Thousand. Five. Hundred. Fifty. Five. Dollars-and. Fifty. Five. Cents." I think it is designed to get people to use the website instead.

      --
      www.wavefront-av.com
    14. Re:Good by azadrozny · · Score: 1

      Some companies are getting wise to this. Yes, this will take you to a real person, but that person is often nothing more than a switchboard operator. Many times they have routed me back to the same prompt queue I just escaped from.

    15. Re:Good by Lorens · · Score: 3, Interesting

      [It's] a human who then asks you all of the same questions as the automated system that I really hate.

      I have a supplier whose automated system asks for contract number and system IDs and the like. Once, my system was totally down and the different numbers I had were refused by the supplier's IVR. I remembered hearing that some IVR systems detect swearing. I quite deliberately swore a few times at the system, and it beeped and asked "Are you currently experiencing a severity-1 production outage, press one". I did and got a human immediately. I'll never again complain about their system...

    16. Re:Good by sjames · · Score: 1

      Swearing often helps too. Some systems take it as a sign you're getting angry and try to head it off.

    17. Re:Good by Anonymous Coward · · Score: 2, Informative

      I don't know about banks, but I've worked in 2 call center jobs: a utility company and a state government agency.
      In both places, info entered by the caller was used only to route the call; none of it was passed on to me.

    18. Re:Good by justforgetme · · Score: 1

      On lots of the implementations I have seen either the menu loops indefinitely or it just disconnects you. To be honest though this is something I only have noticed in countries in the Mediterranean. So maybe it is somehow related to economic insolvency?

      --
      -- no sig today
    19. Re:Good by rbrausse · · Score: 1

      my password is swordfish

    20. Re:Good by DarthBart · · Score: 1

      I always like the systems (I'm looking at you Dell!) that send you through the song and dance of entering information, then when the time comes to hit the queue the system says "We're sorry, call volumes are too high at the moment. Please call back later. *CLICK*".

    21. Re:Good by morgauxo · · Score: 1

      I used to be one of the human beings a person might reach after mashing in those possible combinations. I don't know how awful the system may have been that led customers to do that. I had no input in making it or access to anyone who did. It may have really sucked but I sure hated those people that got to me by randomly mashing the wrong buttons. They were always so pissed off and difficult when I told them I had to transfer them. What did they expect? Ignore the system that is supposed to be helping you get to the right person, randomly push the wrong buttons and somehow magic gets you the right person? And it counted against my stats if they had to call back again?!?!

    22. Re:Good by dkleinsc · · Score: 3, Funny

      See, when you type swordfish, it shows to us as *******

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    23. Re:Good by morgauxo · · Score: 1

      Yes, that really sucks. I've been on both sides of that though. When the faceless big corporation that employs you doesn't give you access to that information imagine having to explain it 100 times a day while not putting down the hand that feeds you. I get it that the customer is annoyed but there still isn't anything the person on the phone can do until the customer quits their whining about it and just answers the damn questions already.... yes, again. There could be any number of individuals whose fault it is you are so inconvenienced, IT nazis that will not let the information in system A into system B, bean counters who will not pay to get someone to write the code to send the information to the call center and put it on somebody's computer screen, executives who really don't give a shit since their bonus comes either way, etc... It is highly unlikely the person on the phone wants to ask you any of that crap. They probably wish the information was sent to them even more than you.

      Most likely that information was used for something, probably routing your call to the correct call center rather than some other that wouldn't be able to help you. It's unfortunate for both sides when that information isn't sent on to the individual who actually answers.

    24. Re:Good by justforgetme · · Score: 1

      I wasn't talking about randomly mashing the buttons, but just trying to find the menu that does what you want without any success because it doesn't exist. Leading to the aforementioned every possible combination

      --
      -- no sig today
    25. Re:Good by atomicxblue · · Score: 1

      It's my experience that these systems collect all the info a human operator would need, but when it eventually connects you to a human operator, they have no clue who you are and have to gather that information all over again. Why not just save time and money by playing hold music and have the customer give their information to a real human once?

    26. Re:Good by atomicxblue · · Score: 1

      There are some systems out there that offer to call you back in the event of long hold times. All companies should think of implementing this!

    27. Re:Good by Anonymous Coward · · Score: 1

      I actually make these kinds of systems for a living. If a system doesn't do this (it's called a ScreenPop) it's usually a matter of cost, or the inability to tie systems acquired at different times together. It always drives me nuts when I run into this.

    28. Re:Good by TheGratefulNet · · Score: 1

      close but not quite: that is actually a starfish!

      --
      "It is now safe to switch off your computer."
    29. Re:Good by atomicxblue · · Score: 1

      Oh, no! Tactics like that would lose me as a customer. If an IVR does not have the dual ability to use the keypad, it's generally very difficult for me to use their systems. I have a moderate Southern accent and the IVRs have a difficult time distinguishing between the phonemes I use. (Think more like DeForest Kelley's softened Southern accent and less like Dolly Parton.) Most of the IVRs I've encountered build their language processing phoneme database using General American, which is pretty much a made up accent like Perceived British Pronunciation, or "BBC English". They discount the number of regional accents in the US and lead me to believe that native people from the Bronx or Boston would have similar issues.

      They are so horrible that if I say something like "Billing", I fully expect the systems to go full on Family Guy and come back with: "You have selected, 300..."

    30. Re:Good by Obfuscant · · Score: 1

      They were always so pissed off and difficult when I told them I had to transfer them. What did they expect?

      Good customer service from a company that truly cares about their business and doesn't waste their time playing through an endless cycle of "press 1 for this" or "press 2 for that", usually after starting the cycle with the useless "please listen carefully to the options because our menu has changed", when the menu hasn't changed in two years. A company that clearly offers "None of the options fits, press 0 for a person who is trained to assist you" instead of simply repeating the same three or four irrelevant options when you press 0 to try to get help.

      A company that doesn't force you to "press or say your 15 digit account number" and then force you to say your 15 digit account number to the next three people in a row you talk to, because none of them are able to do anything to help and none of them are able to pass your information along to the next person?

      How about customer service that doesn't keep interrupting the hold music to tell you that you can do what you want to do on "w w w dot whatever" and it is faster and easier, when what you are calling to talk about is HOW THE FUCKING WEBSITE IS FUCKING BROKEN AND WON'T LET YOU DO JACK SHIT? Or even not interrupting the hold music AT ALL until it is time to talk to someone, because every time a voice comes on the line you think it is a real person and you stop whatever else you are doing to ... listen to a repeated sales pitch that doesn't help.

      Sorry, but you asked.

    31. Re:Good by ericloewe · · Score: 1

      Sure it does, it's the 4 on a keypad

    32. Re:Good by AK+Marc · · Score: 1

      Call backs suck. You end up either holding anyway, just with the phone hung up, or you miss the call when you step in the shower. The call back systems I end up getting don't give a reasonable time for response. Once, I was calling as I was getting ready to leave. I gave them 20 minutes to call me. Nothing. Then I left and came back to a call log that was them calling every 10 minutes for 2 hours (starting 5 minutes after I left the house). Then I sat at home for another 2 hours before they actually did call back and get me.

    33. Re:Good by AK+Marc · · Score: 1

      Not any more. Pressing 0 and saying "operator" used to work, but they are so common that the big people just say "that was an invalid option, please choose from one of the following options." These days, repeatedly mashing "1" gets you to a person fastest. They even plan on it, as that was the "old person" version, where they don't ever listen. Ever wonder why the Spanish choice has you pressing 2 or 4 or something? So that if you hit 1 repeatedly, you'll end up at the "regular" operator pool, not the Spanish one they have to pay more for.

    34. Re:Good by AK+Marc · · Score: 1

      I've been on both sides of that though. When the faceless big corporation that employs you doesn't give you access to that information imagine having to explain it 100 times a day while not putting down the hand that feeds you. I get it that the customer is annoyed but there still isn't anything the person on the phone can do until the customer quits their whining about it and just answers the damn questions already.... yes, again.

      There's no reason to answer the questions twice (aside from the evil corporation being too cheap/stupid to set up their expensive IVR correctly, which isn't acceptable to me as a customer).

      It's unfortunate for both sides when that information isn't sent on to the individual who actually answers.

      If it were that unfortunate for the faceless megacorp, they'd send the information they've already gathered and verified to the person on the phone. Otherwise, it's much much easier for the caller to just route it to a human. There's no benefit to the caller to go through a non-integrated IVR. At worst, there are slightly longer hold times as the answerer has to route calls. But that's better than entering the 16 digit account number multiple times, only to read it off once again when actually through.

    35. Re:Good by Anonymous Coward · · Score: 0

      I did outsourced tech support for a certain American ISP. We didn't get that data from the client, so we had to ask the customers to give it to us. As far as I could gather, the client's in-house tech support in certain markets did get it.

    36. Re:Good by Anonymous Coward · · Score: 0

      I wish there was a "horrifying" moderation option. You get Informative instead.

    37. Re:Good by AK+Marc · · Score: 1

      The "correct" buttons got me to the wrong department. I wanted to make a payoff, not make a regular payment, and the people who accept payments can only tell me my current due, not lock in a payoff amount. So, call back, same IVR, same wrong department. Call back, deliberately press the wrong buttons, get to an "operator" that can route me to the right person. IVR fails, wrong buttons get me what I was looking for.

      And it can't count against your stats if they call back if they were in the wrong department. At least it couldn't where I worked, the "cases" didn't accept "wrong number from customer #112221321", but they took "wrong number" without identification. So if they called me wrongly 10 times, my stats looked better. The average call time of a "wrong department" was very very short. But then, I was in an outsourced call center, so I couldn't transfer them to anyone, so I'd offer them a different number, and if they complained, hang up on them. After all, a complaint to my manager was telling my manager that I had great numbers, and "customer satisfaction of incorrectly routed calls" wasn't a metric. So all complaints were good for me, not that I ever had one, but others did.

      I called the number myself a few times to see what customers had to do to get to me. I think that call center workers should be required to do that at least once a week. Some were easy, some were nearly impossible. Nearly all pissed off the customer before they got to a human.

    38. Re:Good by AK+Marc · · Score: 1

      Damned straight. If you don't get a human (or your question answered for truly automated things like account balance and payment info or such) by about 3 menus deep, then you need to ditch the IVR and go back to human call routing. It's just too complicated to expect the general users to get where they are going, or you have 10,000 departments and nobody knows what goes where (I'd estimate about half the IVRs I've had to use had at least one invalid choice).

    39. Re:Good by Anonymous Coward · · Score: 0

      I will double this.

      I work at a call center with several layers of options and choices. Only a single factor is relayed to me, and that is if you ultimately chose "X" or "Y", and that is only because it comes in on a different line on my Caller ID.

      We have a system where after a certain amount of holding time (also starting when you enter the queue, not place the call) it will offer to leave a voicemail that will take us 1-2 days to respond to.

    40. Re:Good by firex726 · · Score: 1
    41. Re:Good by Anonymous Coward · · Score: 0

      Call back systems are for people who don't know how to put the phone on speaker with mute. Many cordless phones can even do these.

    42. Re:Good by noobermin · · Score: 1

      So instead of a fish shaped like a star, it is a fish composed of tiny stars?

    43. Re:Good by Anonymous Coward · · Score: 0

      The database at http://gethuman.com/ is an excellent resource for learning how to navigate these annoying automated phone systems used by most large companies.

    44. Re:Good by Anonymous Coward · · Score: 0

      What about those systems that start with a 1min spiel about if you need X, you can visit our website at h-t-t-p-colon-......
      if you need Y .....

      2min pass before you can press an option!

    45. Re:Good by Anonymous Coward · · Score: 0

      It's a serious problem that is necessary to solve. The communication by phone line is very necessary for all people and business. Many daily activities are allowed by this method of communication. As example, some people use internet connection by phone, and important conversations are done by this technology. google.com

    46. Re:Good by jmcvetta · · Score: 1

      I've found a bit the opposite: saying "agent, please" has good results at getting thru to a human.

    47. Re:Good by KevReedUK · · Score: 1

      One large financial I used to work for had just such an IVR system in place. It would go through its response tree allegedly (from the customer's point of view) to correctly route the call and provide the call-center agent with all the info they needed to hit the ground running.

      The truth, however, was something of an unfortunate surprise. The surprise wasn't that the agent wasn't provided with the information (I kind of expected that!), but more that the entire response-tree and its complexity were a psychological move to make the customers think that they were in control of the length of time they were on the phone whilst the whole time the question and answer session was really just there to disguise the high hold times caused by the management being too cheap to recruit enough staff!

      Apparently, someone important came up with the idea that customers would prefer to spend the time answering questions than listening to music.

      --
      Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
    48. Re:Good by Anonymous Coward · · Score: 0

      Would that be the math department notation (i) or the electrical engineering style (j)?

    49. Re:Good by AK+Marc · · Score: 1

      Best use ever. The problem with where I worked on the phones is the IVR was managed by the company, and the call queues managed by the outsourced call center. So the person setting up the IVR had the incentive to make the IVR as short and simple as possible. But when I've worked setting up the phone systems, I could have done that, but the internal call center had more customer-oriented metrics, and hold time wasn't one of them.

    50. Re:Good by Anonymous Coward · · Score: 0

      Dealing with my internet being down and having to ring my telco repeatedly (only to get different advice from different people), I noticed that if I said "I DON'T KNOW" loudly enuf in response to three questions it puts me through to a human.

    51. Re:Good by RockDoctor · · Score: 1

      Why swear when you can just answer the questions in a variety of languages until the machine's brain explodes. The machine can't tell the difference.

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    52. Re:Good by sjames · · Score: 1

      Because it's funny to swear in a monotone and have the machine act as if it's some sort of root password.

    53. Re:Good by RockDoctor · · Score: 1

      Ah, I bet that you whistled-up fax machines and told them to print 100 blank pages when you were a kid.

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    54. Re:Good by TheCarp · · Score: 1

      At a previous job, we had a ticketing system, it was terrible.

      It could email, out only, not capturing email threads like RT. Its emails were useless.... with a page or so of useless data, only the ticket number being relevant.

      I always blamed the system, but, as it turns out, it's highly configurable, it was always a matter of cost. Then to top it all off, they only bought a limited number of seats, so you would be kicked out (and your changes not saved) after just a couple of minutes of inactivity.

      I have to imagine that the productivity lost due to the peculiarities of how they chose to save money on the product more than sucked away whatever cost would have been paid up front to do it right.

      When they switched to this system.... the managers who decided on it had nice new fast machines... while the help desk (who had to use it all day) were on scavenged P90s. The company tried to institute a 4 minute average turnaround time for calls... except...it easily took longer than that just to log a call in the ticketing system, I used to hang out with the helpdesk guys and they spent half the time apologizing for how slow the system was!

      At least that was just a matter of the helpdesk head blowing a gasket at upper managers and telling them that they should come down and try to log a ticket in 4 minutes on a helpdesk machine to get them new desktops.... but the rest of the problems were still there a decade later.

      --
      "I opened my eyes, and everything went dark again"
  2. Social engineering by BSAtHome · · Score: 5, Funny

    How is the turing test doing for social engineering an automated system?

    Maybe the system committed suicide after listening to those humans and just decided it was not worth it anymore.

  3. What? by ledow · · Score: 2

    You decided to link to explanations of touch-tones and buffer overflows? On Slashdot? Really?

    And yet the article basically parrots the summary with no more information.

    1. Re:What? by RaceProUK · · Score: 4, Insightful

      buffer overflows

      Not everyone on here is a programmer.

      --
      No colour or religion ever stopped the bullet from a gun
    2. Re:What? by TWX · · Score: 5, Funny

      I'm not a programmer and I know what a buffer overflow is...

      It's when you use too much polishing compound on your buffer and it squirts out everywhere and ruins the paint on the car, right?

      --
      Do not look into laser with remaining eye.
    3. Re:What? by RaceProUK · · Score: 4, Funny

      Meh, why not?

      It fulfills the car-analogy requirement for this article at least.

      --
      No colour or religion ever stopped the bullet from a gun
    4. Re:What? by JustOK · · Score: 1

      But ignores pizza

      --
      rewriting history since 2109
    5. Re:What? by TWX · · Score: 5, Funny

      Ever contemplate how much pizza you really eat, by volume?

      Let "a" be the thickness of the crust, and let "z" be the radius.

      So, the volume of your slice, depending on how it's cut, is a fraction of pi*z*z*a.

      --
      Do not look into laser with remaining eye.
    6. Re:What? by L4t3r4lu5 · · Score: 2

      That's not a pizza, that's a flatbread.

      Bazinga!

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    7. Re:What? by wonkey_monkey · · Score: 1

      You decided to link to explanations of touch-tones and buffer overflows? On Slashdot? Really?

      That is how hypertext is supposed to work, y'know. No-one forces you to click a link if you don't want any more information.

      --
      systemd is Roko's Basilisk.
    8. Re:What? by AbhiTheOne · · Score: 0

      Nice !!

    9. Re:What? by FireFury03 · · Score: 2

      You decided to link to explanations of touch-tones and buffer overflows? On Slashdot? Really?

      That is how hypertext is supposed to work, y'know. No-one forces you to click a link if you don't want any more information.

      After reading the article and finding it had no more information than the summary, I clicked the other links expecting them to be a more in-depth article on the same subject... I was disappointed.

    10. Re:What? by MobileTatsu-NJG · · Score: 3, Funny

      Press one if you'd like to see those links again.

      --
      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    11. Re:What? by Anonymous Coward · · Score: 1

      I know what a buffer overflow is...
      It's when you use too much polishing compound on your buffer and it squirts out everywhere

      Buffer eh, that's a new term for it I guess... ;-)))

    12. Re:What? by TheGratefulNet · · Score: 2

      except that you end up with a black hole when you try to divide by tomato.

      --
      "It is now safe to switch off your computer."
    13. Re:What? by Reziac · · Score: 1

      Crap. I tried that and wound up with anchovies!!

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    14. Re:What? by Reziac · · Score: 1

      I said "Transfer" and wound up on Slashdot. WTF??!!!

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  4. Would you like to hear other people's PINs? by pr0t0 · · Score: 5, Funny

    To hear the PINs of our other customers, please press 1, or say "yes" now.

    --
    I'm sorry, but your opinion seems to be wrong.
    1. Re:Would you like to hear other people's PINs? by frostfreek · · Score: 5, Funny

      0000
      0001
      0002
      :
      9999

    2. Re:Would you like to hear other people's PINs? by GonzoPhysicist · · Score: 1

      Haha, my PIN isn't on this list. On that note, is there a limit to the number of digits in a PIN?

      --
      horror vacui
    3. Re:Would you like to hear other people's PINs? by Anonymous Coward · · Score: 1

      Sadly, my bank limits it to four digits.
      After mentioning to the bank manager that this is not ideal, at least he agreed and offered me a copy of his letter to "corporate" as a template for my own. He didn't do it for me, but he helped quite a bit.

    4. Re:Would you like to hear other people's PINs? by kat_skan · · Score: 1

      That's amazing! I've got the same combination on my luggage!

    5. Re:Would you like to hear other people's PINs? by Critical+Facilities · · Score: 0
    6. Re:Would you like to hear other people's PINs? by AK+Marc · · Score: 1

      The US standardized on 4-digits no more, no less. Much of the rest of the world allows for (some require) 6-digits. I have never gotten money out of a machine that required 6-digits for my American card with 4-digits.

    7. Re:Would you like to hear other people's PINs? by jkflying · · Score: 1

      In my country they usually go up to 5, but I know when I travel to the US/EU the ATM only accepts the first 4.

      --
      Help I am stuck in a signature factory!
  5. SQL Injection via voice? by Gotung · · Score: 3, Insightful

    "In one test, a phone system run by an unnamed Indian bank had dumped customer PINs" Sounds like a SQL injection attack, via voice. Lol. Little Bobby Tables strikes again.

    1. Re:SQL Injection via voice? by Anonymous Coward · · Score: 3, Interesting

      My money is on it not being purely by voice, but prepped with online banking. The attacker probably set their name or security question to Bobby Tables, then used the standard voice prompts to have the voice system attempt to say the name/security question/etc., which then ran the queries un-escaped.

    2. Re:SQL Injection via voice? by LordLimecat · · Score: 1

      The article indicates that the attack was done by speaking attack commands.

    3. Re:SQL Injection via voice? by michelcolman · · Score: 1

      You seem to know more about this... hmmm...

    4. Re:SQL Injection via voice? by Anonymous Coward · · Score: 5, Funny

      "Thank you for calling Mega Bank. Please say 'Customer Service' or 'Loan Application'."

      "SELECT password FROM members"

      "It sounds like you're trying to hack our system. Please hold while I access that data."

    5. Re:SQL Injection via voice? by Anonymous Coward · · Score: 1

      Some years ago I worked for a small telecom; our system (and everyone else using the VoIP engine) was (is?) vulnerable to injection attacks via SIP headers. We were very much aware of this, but getting the maintainer to fix it was impossible.

    6. Re:SQL Injection via voice? by Anonymous Coward · · Score: 0

      Bobby Tables, or failing that Kevin Mitnick. I'm sure Kevin damn near came when he heard about the possibility of these attacks.

    7. Re:SQL Injection via voice? by Anonymous Coward · · Score: 3, Funny

      The article indicates that the attack was done by speaking attack commands.

      Attack commands?

      "DIE AND BURN IN HELL, YOU STUPID FUCKING PIECE OF SHIT VOICEMAIL SYSTEM!"
      "Okay. I will die now."
      *sound of distant explosion*
      "...huh. Cool. I didn't think it'd be that easy."

    8. Re:SQL Injection via voice? by Anonymous Coward · · Score: 0

      Buffer overflow != SQL injection. They are similar in that both involve submitting an input to a system that the system treats as being shorter than it really is, so the rest causes some unintended behavior. The difference is that in a buffer overflow, the size is some fixed buffer length, and for an SQL injection, the input is being used in a quoted string inside an SQL code block, so the input just includes an end quote and then SQL code to execute. Buffer overflows tend to be significantly more difficult to make into vulnerabilities as opposed to just crashes. Also, there is an easy protection against them (at the cost of performance... which likely doesn't matter for this system) of simply not using a programming language with manual memory management (i.e. C or C++).

    9. Re:SQL Injection via voice? by SlippyToad · · Score: 1

      Computer: Sic balls!

      --
      One day I feel I'm ahead of the wheel / the next it's rolling over me / I can get back on / I can get back on
    10. Re:SQL Injection via voice? by omnichad · · Score: 1

      "Shall we play a game?"

    11. Re:SQL Injection via voice? by Gotung · · Score: 1

      The summary clearly states that the buffer overflow attack was a different attack from the one that dumped the PIN #'s.

    12. Re:SQL Injection via voice? by Anonymous Coward · · Score: 1

      I heard it only works if you shout when you say "SELECT" and "FROM"

    13. Re:SQL Injection via voice? by Obfuscant · · Score: 1

      The article indicates that the attack was done by speaking attack commands.

      Sit!

      Stay!

      Good dog, Ubu!

    14. Re:SQL Injection via voice? by AK+Marc · · Score: 1

      A buffer overflow is an input so large that it overflows the available space for the input, and the remainder of the input overwrites something else, usually resulting in a crash, but sometimes can be crafted to allow arbitrary remote code execution. SQL injection is a form of arbitrary/remote code execution where the input (or portion thereof) is treated as a command. They can both be forms of arbitrary code execution, and thus, for a general release article are equal.

  6. Oblig by gmuslera · · Score: 2, Funny

    Wonder if something like this happened.

  7. brings a tear to my eye by Anonymous Coward · · Score: 0

    oh for the days of 2600

    1. Re:brings a tear to my eye by ElmoGonzo · · Score: 2

      Long Live Captain Crunch!

  8. 1337 by Anonymous Coward · · Score: 1

    I noticed that in the video, the sequence 1337 appeared regularly. So either phone systems are especially vulnerable to this sequence, or it is a fake video where they thought it would be 1337 to use that sequence.

    The 127.0.0.1 in the top line makes me suspect even more that the video indeed is fake.

    1. Re:1337 by omnichad · · Score: 1

      Right, because it's only real if they record video evidence of them committing a felony and not using a test system set up to emulate the real-world environment.

    2. Re:1337 by Anonymous Coward · · Score: 1

      This is the guy's personal pin for his account... he thinks it's clever to show you he typed that and it came up with something while all the time it was his own account. He does nothing in the video except extremely poor and slow fuzzing.

      I work with IVRs all day and nothing in the article is remotely feasible.

    3. Re:1337 by AK+Marc · · Score: 1

      I was going to say that the systems couldn't even know the pins, as that's insecure. But I recently had to call my building security. They asked me my PIN. "1234" No, but you got the first number right. "Oh, then 1111" yes. So the security guy was reading off my pin on the screen. Kinda makes the point of a PIN useless if anyone in security knows it.

  9. Video of the talk by Tryfen · · Score: 5, Interesting

    You can watch a video of the talk on YouTube - or read the slides at BlackHat.

    Fairly interesting to see how buffer-overflows can occur in the most unlikely places.

    --
    If a square is really a rhombus, why aren't all triangles purple?
    1. Re:Video of the talk by Anonymous Coward · · Score: 0

      Only in computers can one actually put 10 lbs. of shit in a 5 lb. sack!

    2. Re:Video of the talk by bouldin · · Score: 5, Informative
    3. Re:Video of the talk by RaceProUK · · Score: 2

      That's compression for you!

      --
      No colour or religion ever stopped the bullet from a gun
    4. Re:Video of the talk by NatasRevol · · Score: 1

      I need to do more sit ups.

      --
      There are two types of people in the world: Those who crave closure
    5. Re:Video of the talk by jittles · · Score: 2

      I'm sorry, I know this guy probably isn't a native English speaker, but he is a horrible presenter. One of the worst I have ever seen. It doesn't seem like he practiced or anything, and you can tell he is terribly uncomfortable. The presentation is also very long, and not very interesting most of the time.

    6. Re:Video of the talk by MobyDisk · · Score: 5, Insightful

      I don't dare run Powerpoint files or Word documents I receive from my relatives. Yet here I am downloading one from Black Hat and I feel perfectly safe. The world has gone mad.

    7. Re:Video of the talk by Anonymous Coward · · Score: 1

      I've been involved in the building and testing of IVR systems. Injection and overflow are possible, but less common. Denial of service and brute force attacks are more likely to be successful given the nature of how many applications are built.

      IVR applications tend to be written as thin, dumb applications around the data source. On a positive note, banks, and other financial institutions, rarely expose data as a database. Most of the FI interfaces I've experienced are either proprietary (text message blocks are the most common) or, if a standards-based method is available, Web Services. I rarely see IVR applications that validate data, thereby allowing ABCD in. * and # are often terminating characters, but some can still end up with input. If the FI data interface isn't validating the data, there will likely be problems.

      Speech reco systems, today, aren't too bad. Grammar design restricts results (semantic interpretation) and most applications just fail if they have an unknown SI value. However, as speaker-independent dictation models become more successful, it is possible that raw input might make its way into data requests. However, I suspect when that happens, it will be tied into the same logic used by web servers, cutting down the attack surface.

    8. Re:Video of the talk by cffrost · · Score: 1

      [H]e is a horrible presenter. One of the worst I have ever seen. It doesn't seem like he practiced or anything, and you can tell he is terribly uncomfortable.

      I didn't watch this presentation, but your post reminded me of Elon Musk's appearance on The Daily Show. Blushing, glistening in sweat, strange answers, etc. It seemed like he'd never spoken in public before, and I was half-expecting him to flee the interview at any moment.

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
    9. Re:Video of the talk by jittles · · Score: 1

      He wasn't sweating, and didn't look like he would flee in terror, but he had DTMF tones blaring loudly from his PowerPoints, had long pauses where he had to figure out what he wanted to say, and was constantly saying "Umm umm umm." This is why most universities require you to take public speaking classes, and things of that nature. At my last company I would go to a tradeshow every year and give 2 presentations a day for a week. I also gave demos to government officials (including a 1-star [Brig. General] and a 3-star equivalent [Undersecretary of Defense]). If I presented like this guy did, they would have replaced me a long time ago. I know some people think that they can never get over their nerves and make great presentations, but it really is an acquired skill just like any other. The more you practice, the better you will do. I would practice my demo in front of several hundred coworkers before I left for every show, just to get reacquainted with a large crowd. It's better to embarrass yourself in front of your coworkers than an entire room of strangers.

    10. Re:Video of the talk by platypusfriend · · Score: 1

      I've seen Elon Musk speak in public, elsewhere, and he was pretty confident. Shrug. Must have just been a bad day for him on The Daily Show.

    11. Re:Video of the talk by Anonymous Coward · · Score: 0

      I'm sorry, I know this guy probably isn't a native English speaker, but he is a horrible presenter. One of the worst I have ever seen. It doesn't seem like he practiced or anything, and you can tell he is terribly uncomfortable. The presentation is also very long, and not very interesting most of the time.

      He's from India and likely learned English growing up. They just speak it very differently. Still, you're right his style is horrible. I've seen worse, in person, once. His writing is horrible too.

      If an attacker could trigger exception in DTMF processing algorithms, then they could crash the entire application server making a single phone call, causing the entire Phone banking in accessible, or no calls to the costumer service goes through.

      It's like no one every proof read the abstract.

    12. Re:Video of the talk by TheGratefulNet · · Score: 1

      but you'll see the strangers only once; and you'll have to see your co-workers again and again. how is this better?

      --
      "It is now safe to switch off your computer."
    13. Re:Video of the talk by jittles · · Score: 1

      but you'll see the strangers only once; and you'll have to see your co-workers again and again. how is this better?

      That's exactly my point. If you are a good employee then your coworkers will value you despite your embarrassing attempt to present to them. You only get one attempt at showing those strangers that your product (whether it is you as an employee, or your company's product) is worth the money. If you mess that up, the game is over. But if you've had a great career and you get a little bit of stage fright in front of your coworkers, they will (in my experience) genuinely offer constructive criticism and help you to do a great job selling the company.

    14. Re:Video of the talk by AK+Marc · · Score: 1

      I'd go with:

      It's like no one every proof read, the abstract.

    15. Re:Video of the talk by AK+Marc · · Score: 1

      I guess I never got into the good stuff. All the work I did with IVR was ACR-only. The "integration" was to play inputs back into a sandboxed program that sent the numbers to the customer service rep that answered the phone (no integration with the other systems, other than cut and paste). It wasn't sandboxed for security, but cost reasons. I can see how an input could theoretically exceed the input length and cause an overflow, but, every ACR I've ever dealt with let you set a max (set to 20 or so by default), and you'd have to work really hard to allow some overflow.

    16. Re:Video of the talk by mgcarley · · Score: 1

      I'm a foreigner living in India, and presentation skills are not a strong point of... well... almost anyone... because most people don't have to make presentations, and it's not really taught here.

      Forgetting the language/accent issues (I can deal with those), often they're just incredibly boring - I've had to fight the urge to fall asleep at almost every conference I've been to - there's no charisma at all and they frequently ramble on about nothing.

      Those that can present well were often educated overseas, and the resulting hierarchy/society, unfortunately, reflects it: those that got the advantage to begin with keep their advantage and those that learn from these local guys that teach you to "speak like James Bond" (yes, seriously - http://goo.gl/GRQoK), well... you get where I'm going.

      To add insult to injury, I've also seen people try to fit WAY too much stuff on to each slide (8 point text even on a large projected screen is still damn near impossible to read), though this isn't strictly limited to India - I've seen this in the west as well.

      --
      Founder & COO, Hayai India (hayai.in) / USA (hayaibroadband.com) // t: @mgcarley
  10. One trick by kilodelta · · Score: 3, Funny

    If you have the knack for it, whenever you encounter an IVR, repeatedly scream a phrase at it, something like 'agent'. Good systems recognize the word and put you through to a human post haste. Shit systems, which are the predominant type, have something like a 30 or 60 second timeout before requiring human help.

    1. Re:One trick by P-niiice · · Score: 3, Funny

      I do this and get more and more pissed every time I have to yell "Agent" at it. My kids get a huge laugh out of it every time too.

    2. Re:One trick by fuzzyfuzzyfungus · · Score: 4, Interesting

      If you have the knack for it, whenever you encounter an IVR, repeatedly scream a phrase at it, something like 'agent'. Good systems recognize the word and put you through to a human post haste. Shit systems, which are the predominant type, have something like a 30 or 60 second timeout before requiring human help.

      Some systems may actually be responding to the vocal stress cues. In an effort to pretend to care, while minimizing the number of actual humans needed, some designs will prioritize the ones that sound increasingly angry so as to get them dealth with and out of the way. I find that it generally isn't difficult to convincingly emulate boiling rage, and (depending on whether the phone drone knows he is being dumped into a rage call or not) immediately switching to polite-and-businesslike when the human comes on usually works pretty well.

    3. Re:One trick by PRMan · · Score: 5, Interesting

      Pressing 0 works on a little more than half of systems. Make sure you keep pressing 0 in response to every prompt.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    4. Re:One trick by MachDelta · · Score: 1

      Have you tried "I'm going to stab you in the EEPROM" ?
      It worked for Frontalot...
      kinda....

    5. Re:One trick by omnichad · · Score: 1

      Sometimes rapidly pressing 0 instead of pressing it for each prompt gets you in faster.

    6. Re:One trick by Obfuscant · · Score: 1

      some designs will prioritize the ones that sound increasingly angry so as to get them dealth with and out of the way.

      I can't figure out whether you put an extra 'h' on 'dealt', or an extraneous 'l' in 'death', but I guess either way they are "out of the way".

    7. Re:One trick by AK+Marc · · Score: 1

      These days, I think the fastest way to get a human is to do nothing at all. Don't say "agent" don't press a button. Just sit there. Someone once told me that they are required by law to route them to a person within a minute or two as part of the ADA. No idea if that's true, but that's what I was told once by "some guy."

    8. Re:One trick by AK+Marc · · Score: 1

      I've found ones that hang up on me if I press 0. "I'm sorry, that input is invalid, goodbye."

    9. Re:One trick by Errol+backfiring · · Score: 1

      I thought the magic word was "shibboleet"? (see http://xkcd.com/806/)

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    10. Re:One trick by himself · · Score: 1

      My sister works for a bank, and attended a vendor presentation about software that monitors IVR calls. They found that they got good results when listening for two key phrases before transferring people directly to a Retention Specialist operator: "ridiculous" and "bullshit."

      Naturally, I now answer "agent" to every prompt and then switch to "this is ridiculous bullshit" after a couple of tries.

    11. Re:One trick by Reziac · · Score: 1

      And on others, say "Operator" or "Transfer". The latter seems more commonly to work on those that like to respond with "I'm sorry, I didn't understand/get that" to any unexpected input.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  11. This is... by Anonymous Coward · · Score: 0

    The computer equivalent of shouting "jump" at a stock broker who's out on a ledge during a massive margin call...

  12. Very Welcome Message by Anonymous Coward · · Score: 0

    "Hello, welcome to abc trading. Please press 1 for customer services, 2 for finance and ##*?\\ for anything else."

    User input needs to be filtered, and the interface should ONLY accept certain values (the known inputs) before moving onto the next stage of processing.

    1. Re:Very Welcome Message by seann · · Score: 1

      buffer overflows etc

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
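The filtering comment 12 calls for (accept only the prompt's known inputs, with a hard length limit, before anything downstream sees the digits) written out as an added C example; this is not code from the article, the talk or any IVR product. The function and result names are assumptions, and the 20-digit cap echoes the default figure mentioned earlier in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of a bounded DTMF collector for one IVR prompt.
 * Assumed names throughout; not code from the talk or any IVR product.
 * The cap mirrors the "max 20 or so by default" figure from the thread. */
#define DTMF_MAX_DIGITS 20

enum dtmf_result {
    DTMF_OK = 0,        /* '#' seen; out[] holds 1..DTMF_MAX_DIGITS digits */
    DTMF_EMPTY,         /* '#' seen before any digit */
    DTMF_TOO_LONG,      /* more digits than out[] can hold: reject, never truncate */
    DTMF_BAD_KEY,       /* key outside the prompt's grammar: '*', A-D, or a non-key byte */
    DTMF_NO_TERMINATOR  /* stream ended (caller timed out) before '#' */
};

/* Collect digits from a sequence of key events into out[].
 * cap is the full size of out[] including the NUL, so at most cap-1 digits
 * are stored. Any violation clears out[] and reports why, so later stages
 * only ever see a string that matched the prompt's grammar. */
enum dtmf_result dtmf_collect(const char *keys, size_t nkeys, char *out, size_t cap)
{
    size_t n = 0;

    if (cap == 0)
        return DTMF_TOO_LONG;
    out[0] = '\0';

    for (size_t i = 0; i < nkeys; i++) {
        char k = keys[i];

        if (k == '#') {               /* terminator: hand back what was collected */
            out[n] = '\0';
            return n > 0 ? DTMF_OK : DTMF_EMPTY;
        }
        if (k < '0' || k > '9') {     /* only the digits the prompt asked for */
            out[0] = '\0';
            return DTMF_BAD_KEY;
        }
        if (n + 1 >= cap) {           /* keep room for the NUL; never overrun out[] */
            out[0] = '\0';
            return DTMF_TOO_LONG;
        }
        out[n++] = k;
    }

    out[0] = '\0';
    return DTMF_NO_TERMINATOR;
}

static const char *dtmf_result_name(enum dtmf_result r)
{
    static const char *const names[] = {"OK", "EMPTY", "TOO_LONG", "BAD_KEY", "NO_TERMINATOR"};
    return names[r];
}

int main(void)
{
    /* Constructed key streams: a normal entry, the star-key sequence speculated
     * about later in the thread, an over-long entry, and a timed-out entry. */
    const char *streams[] = {"1234#", "1234*1#", "123456789012345678901#", "1234"};
    char out[DTMF_MAX_DIGITS + 1];

    for (size_t i = 0; i < sizeof streams / sizeof streams[0]; i++) {
        enum dtmf_result r = dtmf_collect(streams[i], strlen(streams[i]), out, sizeof out);
        printf("%-24s -> %-14s \"%s\"\n", streams[i], dtmf_result_name(r), out);
    }
    return 0;
}
```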
  13. Dilbert would be proud by murcon · · Score: 2

    Heh. For some reason this reminds me of the "shower scene" from the very first episode of Dilbert (the animated series), where Dogbert is attempting to hack Dilbert's voice-activated shower temperature control.

    http://www.youtube.com/watch?v=7MqhBL9eEts

    1. Re:Dilbert would be proud by TWX · · Score: 4, Funny

      DNWTFV...

      I'm sorry, but "shower scene" and "Dilbert" do not belong anywhere near each other.

      I had an involuntary mental image that it'd be like the shower scene from Starship Troopers but with the Dilbert characters, and then I threw up a little bit...

      --
      Do not look into laser with remaining eye.
    2. Re:Dilbert would be proud by Anonymous Coward · · Score: 1

      Sounds like your brain is vulnerable to relatively unsophisticated hacks. You should probably look into that.

  14. autotune required by jickerson · · Score: 1

    The commands can be keyed in using touchtones or even using the human voice.

    Too bad I'm very much tone deaf

  15. Cap'n Crunch by rueger · · Score: 1

    Wow - surely you could find a way to work in a Cap'n Crunch whistle?

  16. Use a Sponge Bob Happy Meal toy by srussia · · Score: 2

    Too bad I'm very much tone deaf

    Get all the details in next quarter's 2600!

    --
    Set your phasers on "funky"!
  17. Who cares? Phone service serves no purpose by gelfling · · Score: 1

    Seriously, phone support? That's a waste of all time and effort. So is online chat support, email and talking to anyone in person if they even exist.

    1. Re:Who cares? Phone service serves no purpose by Anonymous Coward · · Score: 0

      ESP is the way to go.

    2. Re:Who cares? Phone service serves no purpose by NatasRevol · · Score: 1

      Everyone should have direct access to the databases!

      --
      There are two types of people in the world: Those who crave closure
  18. Secret phrase by PPH · · Score: 2

    "All your PINs are belong to us!"

    --
    Have gnu, will travel.
    1. Re:Secret phrase by Anonymous Coward · · Score: 0

      Tea. Earl grey. Hot.

    2. Re:Secret phrase by Anonymous Coward · · Score: 1

      Tea. Earl grey. Hot.

      Destruct sequence confirmed, Captain.

  19. Re:Social engineering--PenTest? by BoRegardless · · Score: 1

    Penetration Testing?

    Must not know of such things in India yet. Seriously behind China.

  20. Windows! by mccabem · · Score: 1

    If humanity has any luck left this will spell the end of shitty automated phone systems (which is about 99.9% of them). With Windows as my bellwether, I'll not be holding my breath.

  21. Really, Slashdot? by korgitser · · Score: 1

    Nobody recognizes TFA as being about phreaking? You know, this kind of stuff dates back ages. Kevin Mitnick even had the superpower to whistle nuclear missiles into flight... True Story(TM).

    --
    FCKGW 09F9 42
  22. FUD by Anonymous Coward · · Score: 0

    So as far as I can gather the "SQL injection" relies on using the star key to enter a PIN which is converted to a numeric sequence that translates to true (1) or false (0). e.g. 1234*0, 1234*1
    And what IVR is stupid enough to do this? The one that he wrote himself - there is absolutely no real world example of any of these vulnerabilities being real world vulnerabilities.

    1. Re:FUD by Anonymous Coward · · Score: 0

      Star key is part of DTMF spec, I'm not sure exactly how it applies to this case as I've not yet seen the whole presentation. Also, he did mention that he found a real world bank with this vulnerability, but he doesn't get specific, so it's hard to believe.

      http://en.wikipedia.org/wiki/Dual-tone_multi-frequency_signaling

    2. Re:FUD by Anonymous Coward · · Score: 0

      Yes - the buffer overflow error that he finds is in a cgi script that is called by the IVR service - well, presumably the partner web application would also be using that CGI script, so there is no real evidence that IVRs are any more or less vulnerable than any other system. In fact, because of the limitations they are much less vulnerable than systems with broader ranges of input (in my opinion).

  23. Which IVR systems by Anonymous Coward · · Score: 0

    Anyone know which IVR systems they're targeting? I work at a mid-sized provider and am curious :D

    1. Re:Which IVR systems by Anonymous Coward · · Score: 0

      I watched the presentation and it is complete FUD.

      He has some demo apps and looks to be using Voxeo Prophecy but he has written the VXML himself - it looks static. The vulnerabilities are nothing to do with real world systems...

  24. seen it done. not new. by gigne · · Score: 5, Interesting

    Working in the industry, and having to read low level logs all of the time, I see this frequently.
    People will call up, wait for a silence, and after 500ms start pumping down DTMF signals. Often they do this with seemingly random patterns 3-4 times before giving up.
    Often they retry prompts with longer and longer strings. This is old news.

    I am guessing there is a wardialler in there that is looking for specific systems at the other end. Sort of known phreak attacks.

    Weird things like this exist and have existed for a long time. Hardware and software suppliers check for this now. We routinely check for stuff like this in dev and QA.

    The submitter is doing nothing new, nothing unknown or even clever. These sorts of phreaks are older than I am. meh.

    --
    Signature v3.0, now with 42% less memory usage.
    1. Re:seen it done. not new. by oodaloop · · Score: 1

      Right. First thing I thought of was the whistle from Cap'n Crunch.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:seen it done. not new. by cffrost · · Score: 2

      In the mid-1990s there was a DOS program called Code Thief, which would dial an 800* number, enter a telephone number known to be answered by modem (e.g., multi-line BBS), enter an authorization code (4-6 digits, IIRC), then keep a log of which codes resulted in successful connection.

      * I don't know what these 800 numbers were exactly, but I was told they were intended to allow corporate business travelers to make LD calls from payphones/hotel phones at their employer's expense. The 800 numbers themselves were distributed via HPAVC BBSs and VMBs.

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
    3. Re:seen it done. not new. by Anonymous Coward · · Score: 0

      Sounds like someone has just got onto the fitness center treadmill with a smartphone in their pocket, and managed to activate the phone app.

    4. Re:seen it done. not new. by Anonymous Coward · · Score: 0

      There were quite a few war dialers, e.g. find'em was another for DOS. Blame wargames for making them popular. The 800 numbers would have been X25 gateways such as Tymnet + International Packet Switch Stream.

    5. Re:seen it done. not new. by gigne · · Score: 1

      Sometimes it is almost certainly this... the ones that clearly are not are the ones waiting for prompts.

      --
      Signature v3.0, now with 42% less memory usage.
    6. Re:seen it done. not new. by wmbetts · · Score: 1

      One of my favorites was Toneloc.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
  25. example exchange by goffster · · Score: 1

    are em minus f slash root
    Permission Denied
    sudo are em minus f slash root
    no home directory

  26. The fingers you have used to dial are too fat. by Anonymous Coward · · Score: 0

    The fingers you have used to dial are too fat. To obtain a special dialing wand, please mash the keypad with your palm now

  27. missing content and a few errors by Anonymous Coward · · Score: 0

    I'll leave it as an exercise to catch errors (http://www.w3.org/TR/2002/WD-voicexml20-20020424/#dml6.1 -- vxml only/ I think he wanted maxspeechtimeout).

    Many of the concerns are valid but not well explained. I also didn't see much mention of Speech-to-Text / Audio Mining. This focuses mainly on ASR
    (automated speech recognition). Also, there isn't much mention of the many different ways these applications can be written (pure vxml / dynamically generated / non-vxml etc).

    The main problem is that IVRs are more vulnerable than operators and systems. It is quite easy to brute force an IVR w/ a few Digium cards and a bit of ANI spoofing. Just ask a corporate PBX tech. If they are paying attention, they should see these all the time (mostly trying to find a way to hijack free international long distance).

  28. Try this... by ctrl-alt-canc · · Score: 1

    At the voice prompt, yell "Format c" followed by "yes!".

    1. Re:Try this... by Frank+T.+Lofaro+Jr. · · Score: 1

      You forgot the colon.

      --
      Just because it CAN be done, doesn't mean it should!
  29. at the tone by Anonymous Coward · · Score: 0

    "at the tone please say your name" *BEEEEP* "admin"

    "press 1 to make me your bitch"

  30. The elephant in the room - C by Animats · · Score: 3, Interesting

    The problem remains the C language. C (and C++) is the only remaining major language prone to buffer overflows.

    This can be fixed. See "Safe arrays and pointers for C through compatible additions to the language". This is a proposal for a "strict mode" for C which prevents buffer overflows. It's been discussed on Lambda the Ultimate, the C standard newsgroup, and the GCC development list, and with each round of criticisms, the design is tightened up.

    This proposal includes a "strict mode", in which the rules are tighter, and ways to talk about the size of arrays. Non-strict code can call strict code, and vice versa. So there's a gentle migration path to all-strict programs, one source file at a time. It's an extension to C, not a new language. Some of the necessary features for this are already in C99 or are GCC extensions, so I'm trying to get this into GCC as an extension so it can be tried in the real world.

    It's no longer acceptable to say that this problem can't be solved. It can. It just takes the will to solve it. Prodding from the security community will help.

    Strict code is mostly about declarations. For example, the Linux "read" function, which is now declared int read(int fd, void* buf, size_t len); would be declared int read(size_t len; int fd, void_space (buf&)[len], size_t len); Instead of passing a pointer, you pass a reference to an array, a reference with an associated size. So the language knows how big the array is. Incidentally, the first "size_t len;" is a forward declaration of len. That's an existing but rarely used GCC extension. It's needed because so many C, UNIX, Linux, and POSIX APIs have the buffer param before the buffer size.

    (For those few of you who know what a C99 variable length array parameter is, you'll wonder why this syntax differs from that. It's a long story. C99 VLA params are demoted to pointers at function entrance, losing the size info. It turns out nobody uses C99 VLA params; repeated searches have failed to find any of them in open source code. Also, Microsoft refused to implement them in Visual C/C++, they're incompatible with C++, and they've been demoted to an optional feature in the latest C standard draft.)

    1. Re:The elephant in the room - C by Anonymous Coward · · Score: 0

      No, Sir, the elephant is the "W" operating system you mentioned, not C. Other operating systems rely on historically consistent function operation for backwards compatibility. One can use safe variants (strncpy, etc.) of data copying functions if needed. In "W" nothing is safe - better write 90% code of all code as paranoid return-value-checking. If a sufficiently safe function isn't implemented in POSIX, cook your own easily.
      You are confusing Visual Basic variant type with c data types, obviously. C does not need references nor variant types. It uses (programmer) sanity-checked pointers for efficiency. If you don't have any idea of the constraints of data you are supposed to process, better turn to a fortune-teller for advice.
      It's real easy to overcome overflows in C - some people just don't get it. Must be some kind of Javan insect-transmitted disease.
      See, you cannot fix stupid people any better than you can fix stupid programmers. C is efficiently written. The parameter tautology You suggest is in my opinion (to put it kindly) waste of keystrokes and productivity.
      Hope You aren't offended by my comments, though, as C is old enough to be a religion.


    2. Re:The elephant in the room - C by Anonymous Coward · · Score: 0

      Quit blaming user incompetence on the tools. The hammer didn't hit you in the face. That was your utterly incompetent swing.

      The language is not the problem. Moronic developers are the problem.

  31. er by Anonymous Coward · · Score: 0

    this was in March....

  32. The hack worked so well, it crashed my computer by Anonymous Coward · · Score: 0

    I kid you not, I was watching the embedded video on the web page with Firefox 15.0.1, NoScript (with partial temporary disables on the page), and Adblocker, and adjusting the volume control on the video.

    Wouldn't you know it, my screens went black, the audio continued intermittently, and I couldn't CTRL-ALT-DEL my way out of it. I had to do a hardware reset.

    Nice hack!

  33. Swearing at them sometimes works by Anonymous Coward · · Score: 0

    Some of the voice-driven menu systems I've encountered will take you to an agent right away if you swear angrily at them. "Fuck You! Fuck You!" works pretty well.

    It's funny, I know... I think they know that the automated system can't help a customer who is already enraged at it, and only a human has the chance to keep them from going and venting on the interwebs about it.

  34. Buffer overflow? by stubob · · Score: 1

    Must have been talking to my mother-in-law.

    --
    Planning to be moderated ± 1: Bad Pun.

  35. Re:Social engineering--PenTest? by AK+Marc · · Score: 1

    China is confused on the subject. You mean you are supposed to pen test your own stuff, not just the competitors'?

  36. Poor Demo by Anonymous Coward · · Score: 0

    Their demo doesn't show anything useful at all.

  37. This sounds familiar by Anonymous Coward · · Score: 0

    I just inspected some IVR software and found that one of the exception handlers contained a Java statement System.exit()... it seemed feasible enough to reach this part as well... In general I would say, this kind of software is at the level of junior developers. Probably because it's seen (and paid for) as an afterthought.

  38. unfortunately they have your voice and phone # by slashmydots · · Score: 1

    The subject line basically says it all, lol. Yeah, yeah, yeah payphones and voice maskers...whatever lol. As if someone wouldn't hear you yelling SQL commands into a pay phone, lol.