Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spoken Commands Crash Bank Phone Lines

Posted by samzenpus on from the initiate-self-destruct-sequence dept.

mask.of.sanity writes "A security researcher has demonstrated a series of attacks that are capable of disabling touch tone and voice activated phone systems, forcing them to disclose sensitive information. The commands can be keyed in using touchtones or even using the human voice. In one test, a phone system run by an unnamed Indian bank had dumped customer PINs. In another, a buffer overflow was triggered against a back-end database. Other attacks can be used to crash phone systems outright."

47 of 178 comments (clear)

  1. Good by Anonymous Coward · · Score: 5, Funny

    I hate those automated prompts.

    1. Re:Good by justforgetme · · Score: 3, Interesting

      Especially if after pressing all possible combinations and you finally get to the part where it says "I'll connect you to a human being" the while system blows up and you have to start over. Which in my experience happens approximately 100% of the time.

      --
      -- no sig today
    2. Re:Good by SJHillman · · Score: 5, Insightful

      I don't mind a lot of the entirely automated systems (although some are horrible), nor do I mind waiting for a human. However, it's the hybrid systems where you go through anywhere from five to twenty layers of prompts only to be connected to a human who then asks you all of the same questions as the automated system that I really hate.

    3. Re:Good by JustOK · · Score: 5, Funny

      Press SQRT(-1) if this annoys you.

      --
      rewriting history since 2109
    4. Re:Good by TheCarp · · Score: 5, Insightful

      I don't even mind the hybrid systems, in theory.

      What I mind is the last part. I am on with the machine, it collects all the info that a human operator would need, makes sense....helps speed things along, route calls, and keep the actual time of the operator useful, rather than monotonously getting account details....cool.

      In reality though, its exactly as you say.... I spend all that time on with the computer, give it all my info, verify my account...and then... the operator gets on and asks for all that info again....

      So it didn't save him from monotony, it didn't keep his time useful.... all it did was waste my time.... yay.

      --
      "I opened my eyes, and everything went dark again"
    5. Re:Good by fuzzyfuzzyfungus · · Score: 2

      Good Morning, Sir, would you mind confirming your slashdot UID for me before I can respond to your post?

    6. Re:Good by L4t3r4lu5 · · Score: 2

      444?

      Spamfilter spamfilter.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    7. Re:Good by Anonymous Coward · · Score: 2, Informative

      I don't mind a lot of the entirely automated systems (although some are horrible), nor do I mind waiting for a human. However, it's the hybrid systems where you go through anywhere from five to twenty layers of prompts only to be connected to a human who then asks you all of the same questions as the automated system that I really hate.

      Say "operator" when you're dealing with an automated system, and it'll generally hook you straight up to a real live homo sapien.

      Now you know.

    8. Re:Good by h4rr4r · · Score: 5, Insightful

      Wasting your time is good for them, it reduces the number of hangups. Far more importantly It means hold times don't start until after all the prompts have been exhausted. This makes the call center numbers look great.

      Record a stupid metric get a stupid result.

    9. Re:Good by SlippyToad · · Score: 5, Interesting

      the operator gets on and asks for all that info again....

      I bitched about that once. Turns out, they are killing time while your screen comes up from their glacially-slow system.

      --
      One day I feel I'm ahead of the wheel / the next it's rolling over me / I can get back on / I can get back on
    10. Re:Good by Lorens · · Score: 3, Interesting

      [It's] a human who then asks you all of the same questions as the automated system that I really hate.

      I have a supplier whose automated system asks for contract number and system ID's and the like. Once, my system was totally down and the different numbers I had were refused by the supplier's IVR. I remembered hearing that some IVR systems detect swearing. I quite deliberately swore a few times at the system, and it beeped and asked "Are you currently experiencing a severity-1 production outage, press one". I did and got a human immediately. I'll never again complain about their system . .

    11. Re:Good by Anonymous Coward · · Score: 2, Informative

      I don't know about banks, but I've worked in 2 call center jobs: a utility company and a state government agency.
      In both places, info entered by the caller was used only to route the call; none of it was passed on to me.

    12. Re:Good by dkleinsc · · Score: 3, Funny

      See, when you type swordfish, it shows to us as *******

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
  2. Social engineering by BSAtHome · · Score: 5, Funny

    How is the turing test doing for social engineering an automated system?

    Maybe the system commited suicide after listening to those humans and just decided it was not woth it anymore.

  3. What? by ledow · · Score: 2

    You decided to link to explanations of touch-tones and buffer overflows? On Slashdot? Really?

    And yet the article basically parrots the summary with no more information.

    1. Re:What? by RaceProUK · · Score: 4, Insightful

      buffer overflows

      Not everyone on here is a programmer.

      --
      No colour or religion ever stopped the bullet from a gun
    2. Re:What? by TWX · · Score: 5, Funny

      I'm not a programmer and I know what a buffer overflow is...

      It's when you use too much polishing compound on your buffer and it squirts out everywhere and ruins the paint on the car, right?

      --
      Do not look into laser with remaining eye.
    3. Re:What? by RaceProUK · · Score: 4, Funny

      Meh, why not?

      It fulfills the car-analogy requirement for this article at least.

      --
      No colour or religion ever stopped the bullet from a gun
    4. Re:What? by TWX · · Score: 5, Funny

      Ever contemplate how much pizza you really eat, by volume?

      Let "a" be the thickness of the crust, and let "z" be the radius.

      So, the volume of your slice, depending on how it's cut, is a fraction of pi*z*z*a.

      --
      Do not look into laser with remaining eye.
    5. Re:What? by L4t3r4lu5 · · Score: 2

      That's not a pizza, that's a flatbread.

      Bazinga!

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    6. Re:What? by FireFury03 · · Score: 2

      You decided to link to explanations of touch-tones and buffer overflows? On Slashdot? Really?

      That is how hypertext is supposed to work, y'know. No-one forces you to click a link if you don't want any more information.

      After reading the article and finding it had no more information than the summary, I clicked the other links expecting them to be a more in-depth article on the same subject... I was disappointed.

      --
      http://blog.nexusuk.org
    7. Re:What? by MobileTatsu-NJG · · Score: 3, Funny

      Press one if you'd like to see those links again.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    8. Re:What? by TheGratefulNet · · Score: 2

      except that you end up with a black hole when you try to divide by tomato.

      --

      --
      "It is now safe to switch off your computer."
  4. Would you like to hear other people's PINs? by pr0t0 · · Score: 5, Funny

    To hear the PINs of our other customers, please press 1, or say "yes" now.

    --
    I'm sorry, but your opinion seems to be wrong.
    1. Re:Would you like to hear other people's PINs? by frostfreek · · Score: 5, Funny

      0000
      0001
      0002
      :
      9999

  5. SQL Injection via voice? by Gotung · · Score: 3, Insightful

    "In one test, a phone system run by an unnamed Indian bank had dumped customer PINs" Sounds like a SQL injection attack, via voice. Lol. Little Bobby Tables strikes again.

    1. Re:SQL Injection via voice? by Anonymous Coward · · Score: 3, Interesting

      My money is on it not being purely by voice, but prepped with online banking. The attacker probably set their name or security question to Bobby Tables, then used the standard voice prompts to have the voice system attempt to say the name/security question/etc, which then ran the queries un-escaped

    2. Re:SQL Injection via voice? by Anonymous Coward · · Score: 5, Funny

      "Thank you for calling Mega Bank. Please say 'Customer Service' or 'Loan Application'."

      "SELECT password FROM members"

      "It sounds like you're trying to hack our system. Please hold while I access that data."

    3. Re:SQL Injection via voice? by Anonymous Coward · · Score: 3, Funny

      The article indicates that the attack was done by speaking attack commands.

      Attack commands?

      "DIE AND BURN IN HELL, YOU STUPID FUCKING PIECE OF SHIT VOICEMAIL SYSTEM!"
      "Okay. I will die now."
      *sound of distant explosion*
      "...huh. Cool. I didn't think it'd be that easy."

  6. Oblig by gmuslera · · Score: 2, Funny

    Wonder of something like this happened.

  7. Video of the talk by Tryfen · · Score: 5, Interesting

    You can you watch a video of the talk on YouTube - or read the slides at BlackHat.

    Fairly interesting to see how buffer-overflows can occur in the most unlikely places.

    --
    If a square is really a rhombus, why aren't all triangles purple?
    1. Re:Video of the talk by bouldin · · Score: 5, Informative

      There's more detail here, including links to papers: http://voipsecurityblog.typepad.com/marks_voip_security_blog/2012/09/dtmf-telephony-denial-of-service-tdos-issues-for-ivrs.html

    2. Re:Video of the talk by RaceProUK · · Score: 2

      That's compression for you!

      --
      No colour or religion ever stopped the bullet from a gun
    3. Re:Video of the talk by jittles · · Score: 2

      I'm sorry, I know this guy probably isn't a native English speaker, but he is a horrible presenter. One of the worse I have ever seen. It doesn't seem like he practiced or anything, and you can tell he is terribly uncomfortable. The presentation is also very long, and not very interesting most of the time.

    4. Re:Video of the talk by MobyDisk · · Score: 5, Insightful

      I don't dare run Powerpoint files or Word documents I receive from my relatives. Yet here I am downloading one from Black Hat and I feel perfectly safe. The world has gone mad.

  8. One trick by kilodelta · · Score: 3, Funny

    If you have the knack for it, whenever you encounter and IVR is to repeatedly scream a phrase at it, something like 'agent'. Good systems recognize the word and put you through to a human post haste. Shit systems, which are the predominant type, have something like a 30 or 60 second timeout before requiring human help.

    1. Re:One trick by P-niiice · · Score: 3, Funny

      I do this and get more and more pissed everytime I have to yell "Agent" at it. My kids get a huge laugh out of it everytime too.

    2. Re:One trick by fuzzyfuzzyfungus · · Score: 4, Interesting

      If you have the knack for it, whenever you encounter and IVR is to repeatedly scream a phrase at it, something like 'agent'. Good systems recognize the word and put you through to a human post haste. Shit systems, which are the predominant type, have something like a 30 or 60 second timeout before requiring human help.

      Some systems may actually be responding to the vocal stress cues. In an effort to pretend to care, while minimzing the number of actual humans needed, some designs will prioritize the ones that sound increasingly angry so as to get them dealth with and out of the way. I find that it generally isn't difficult to convincingly emulate boiling rage, and(depending on whether the phone drone knows he is being dumped into a rage call or not) immediately switching to polite-and-businesslike when the human comes on usually works pretty well.

    3. Re:One trick by PRMan · · Score: 5, Interesting

      Pressing 0 works on a little more than half of systems. Make sure you keep pressing 0 in response to every prompt.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  9. Re:brings a tear to my eye by ElmoGonzo · · Score: 2

    Long Live Captain Crunch!

  10. Dilbert would be proud by murcon · · Score: 2

    Heh. For some reason this reminds me of the "shower scene" from the very first episode of Dilbert (the animated series), where Dogbert is attempting to hack Dilbert's voice-activated shower temperature control.

    http://www.youtube.com/watch?v=7MqhBL9eEts

    1. Re:Dilbert would be proud by TWX · · Score: 4, Funny

      DNWTFV...

      I'm sorry, but "shower scene" and "Dilbert" do not belong anywhere near each other.

      I had an involuntary mental image that it'd be like the shower scene from Starship Troopers but with the Dilbert characters, and then I threw up a little bit...

      --
      Do not look into laser with remaining eye.
  11. Use a Sponge Bob Happy Meal toy by srussia · · Score: 2

    To bad i'm very much tone deaf

    Get all the details in next quarter's 2600!

    --
    Set your phasers on "funky"!
  12. Secret phrase by PPH · · Score: 2

    "All your PINs are belong to us!"

    --
    Have gnu, will travel.
  13. seen it done. not new. by gigne · · Score: 5, Interesting

    Working in the industry, and having to read low level logs all of the time, I see this frequently.
    People will call up, wait for a silence, and after 500ms start pumping down DTMF signals. Often they do this with seemingly random patterns 3-4 times before giving up.
    often times they retry promps with longer and longer strings. This is old news.

    I am guessing there is a wardialler in ther that is looking for specific systems at the other end. Sort of known phreak attacks.

    Weird things like this exist and have existed for a long time. Hardware and software suppliers check for this now. We routinely check for stuff link this in dev and QA.

    The submitter is doing nothing new, nothing unknown or even clever. These sorts of phreaks are older than I am. meh.

    --
    Signature v3.0, now with 42% less memory usage.
    1. Re:seen it done. not new. by cffrost · · Score: 2

      In the mid-1990s there was a DOS program called Code Thief, which would dial an 800* number, enter a telephone number known to be answered by modem (e.g., multi-line BBS), enter an authorization code (4-6 digits, IIRC), then keep a log of which codes resulted in successful connection.

      * I don't know what these 800 numbers were exactly, but I was told they were intended to allow corporate business travelers to make LD calls from payphones/hotel phones at their employer's expense. The 800 numbers themselves were distributed via HPAVC BBSs and VMBs.

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
  14. The elephant in the room - C by Animats · · Score: 3, Interesting

    The problem remains the C language. C (and C++) is the only remaining major language prone to buffer overflows.

    This can be fixed. See "Safe arrays and pointers for C through compatible additions to the language". This is a proposal for a "strict mode" for C which prevents buffer overflows. It's been discussed on Lambda the Ultimate, the C standard newsgroup, and the GCC development list, and with each round of criticisms, the design is tightened up.

    This proposal includes a "strict mode", in which the rules are tighter, and ways to talk about the size of arrays. Non-strict code can call strict code, and vice versa. So there's a gentle migration path to all-strict programs, one source file at a time. It's an extension to C, not a new language. Some of the necessary features for this are already in C99 or are GCC extensions, so I'm trying to get this into GCC as an extension so it can be tried in the real world.

    It's no longer acceptable to say that this problem can't be solved. It can. It just takes the will to solve it. Prodding from the security community will help.

    Strict code is mostly about declarations. For example, the Linux "read" function, which is now declared int read(int fd, void* buf, size_t len); would be declared int read(size_t len; int fd, void_space (buf&)[len], size_t len); Instead of passing a pointer, you pass a reference to an array, a reference with an associated size. So the language knows how big the array is. Incidentally, the first "size_t len;" is a forward declaration of len. That's an existing but rarely used GCC extension. It's needed because so many C, UNIX, Linux, and POSIX APIs have the buffer param before the buffer size.

    (For those few of you who know what a C99 variable length array parameter is, you'll wonder why this syntax differs from that. It's a long story. C99 VLA params are demoted to pointers at function entrance, losing the size info. It turns out nobody uses C99 VLA params; repeated searches have failed to find any of them in open source code. Also, Microsoft refused to implement them in Visual C/C++, they're incompatible with C++, and they've been demoted to an optional feature in the latest C standard draft.)