Spoken Commands Crash Bank Phone Lines

← Back to Stories (view on slashdot.org)

Spoken Commands Crash Bank Phone Lines

Posted by samzenpus on Monday September 17, 2012 @02:24AM from the initiate-self-destruct-sequence dept.

mask.of.sanity writes "A security researcher has demonstrated a series of attacks that are capable of disabling touch tone and voice activated phone systems, forcing them to disclose sensitive information. The commands can be keyed in using touchtones or even using the human voice. In one test, a phone system run by an unnamed Indian bank had dumped customer PINs. In another, a buffer overflow was triggered against a back-end database. Other attacks can be used to crash phone systems outright."

31 of 178 comments (clear)

Min score:

Reason:

Sort:

Good by Anonymous Coward · 2012-09-17 02:26 · Score: 5, Funny

I hate those automated prompts.
1. Re:Good by justforgetme · 2012-09-17 02:28 · Score: 3, Interesting
  
  Especially if after pressing all possible combinations and you finally get to the part where it says "I'll connect you to a human being" the while system blows up and you have to start over. Which in my experience happens approximately 100% of the time.
  
  --
  -- no sig today
2. Re:Good by SJHillman · 2012-09-17 02:36 · Score: 5, Insightful
  
  I don't mind a lot of the entirely automated systems (although some are horrible), nor do I mind waiting for a human. However, it's the hybrid systems where you go through anywhere from five to twenty layers of prompts only to be connected to a human who then asks you all of the same questions as the automated system that I really hate.
3. Re:Good by JustOK · 2012-09-17 03:00 · Score: 5, Funny
  
  Press SQRT(-1) if this annoys you.
  
  --
  rewriting history since 2109
4. Re:Good by TheCarp · 2012-09-17 03:03 · Score: 5, Insightful
  
  I don't even mind the hybrid systems, in theory.
  What I mind is the last part. I am on with the machine, it collects all the info that a human operator would need, makes sense....helps speed things along, route calls, and keep the actual time of the operator useful, rather than monotonously getting account details....cool.
  In reality though, its exactly as you say.... I spend all that time on with the computer, give it all my info, verify my account...and then... the operator gets on and asks for all that info again....
  So it didn't save him from monotony, it didn't keep his time useful.... all it did was waste my time.... yay.
  
  --
  "I opened my eyes, and everything went dark again"
5. Re:Good by h4rr4r · 2012-09-17 03:10 · Score: 5, Insightful
  
  Wasting your time is good for them, it reduces the number of hangups. Far more importantly It means hold times don't start until after all the prompts have been exhausted. This makes the call center numbers look great.
  Record a stupid metric get a stupid result.
6. Re:Good by SlippyToad · 2012-09-17 03:19 · Score: 5, Interesting
  
  the operator gets on and asks for all that info again....
  I bitched about that once. Turns out, they are killing time while your screen comes up from their glacially-slow system.
  
  --
  One day I feel I'm ahead of the wheel / the next it's rolling over me / I can get back on / I can get back on
7. Re:Good by Lorens · 2012-09-17 04:23 · Score: 3, Interesting
  
  [It's] a human who then asks you all of the same questions as the automated system that I really hate.
  I have a supplier whose automated system asks for contract number and system ID's and the like. Once, my system was totally down and the different numbers I had were refused by the supplier's IVR. I remembered hearing that some IVR systems detect swearing. I quite deliberately swore a few times at the system, and it beeped and asked "Are you currently experiencing a severity-1 production outage, press one". I did and got a human immediately. I'll never again complain about their system . .
8. Re:Good by dkleinsc · 2012-09-17 06:04 · Score: 3, Funny
  
  See, when you type swordfish, it shows to us as *******
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
Social engineering by BSAtHome · 2012-09-17 02:30 · Score: 5, Funny

How is the turing test doing for social engineering an automated system?
Maybe the system commited suicide after listening to those humans and just decided it was not woth it anymore.
Would you like to hear other people's PINs? by pr0t0 · 2012-09-17 02:31 · Score: 5, Funny

To hear the PINs of our other customers, please press 1, or say "yes" now.

--
I'm sorry, but your opinion seems to be wrong.
1. Re:Would you like to hear other people's PINs? by frostfreek · 2012-09-17 03:04 · Score: 5, Funny
  
  0000
  0001
  0002
  :
  9999
SQL Injection via voice? by Gotung · 2012-09-17 02:32 · Score: 3, Insightful

"In one test, a phone system run by an unnamed Indian bank had dumped customer PINs" Sounds like a SQL injection attack, via voice. Lol. Little Bobby Tables strikes again.
1. Re:SQL Injection via voice? by Anonymous Coward · 2012-09-17 02:37 · Score: 3, Interesting
  
  My money is on it not being purely by voice, but prepped with online banking. The attacker probably set their name or security question to Bobby Tables, then used the standard voice prompts to have the voice system attempt to say the name/security question/etc, which then ran the queries un-escaped
2. Re:SQL Injection via voice? by Anonymous Coward · 2012-09-17 03:08 · Score: 5, Funny
  
  "Thank you for calling Mega Bank. Please say 'Customer Service' or 'Loan Application'."
  "SELECT password FROM members"
  "It sounds like you're trying to hack our system. Please hold while I access that data."
3. Re:SQL Injection via voice? by Anonymous Coward · 2012-09-17 03:27 · Score: 3, Funny
  
  The article indicates that the attack was done by speaking attack commands.
  Attack commands?
  "DIE AND BURN IN HELL, YOU STUPID FUCKING PIECE OF SHIT VOICEMAIL SYSTEM!"
  "Okay. I will die now."
  *sound of distant explosion*
  "...huh. Cool. I didn't think it'd be that easy."
Video of the talk by Tryfen · 2012-09-17 02:36 · Score: 5, Interesting

You can you watch a video of the talk on YouTube - or read the slides at BlackHat.
Fairly interesting to see how buffer-overflows can occur in the most unlikely places.

--
If a square is really a rhombus, why aren't all triangles purple?
1. Re:Video of the talk by bouldin · 2012-09-17 02:46 · Score: 5, Informative
  
  There's more detail here, including links to papers: http://voipsecurityblog.typepad.com/marks_voip_security_blog/2012/09/dtmf-telephony-denial-of-service-tdos-issues-for-ivrs.html
2. Re:Video of the talk by MobyDisk · 2012-09-17 03:53 · Score: 5, Insightful
  
  I don't dare run Powerpoint files or Word documents I receive from my relatives. Yet here I am downloading one from Black Hat and I feel perfectly safe. The world has gone mad.
One trick by kilodelta · 2012-09-17 02:37 · Score: 3, Funny

If you have the knack for it, whenever you encounter and IVR is to repeatedly scream a phrase at it, something like 'agent'. Good systems recognize the word and put you through to a human post haste. Shit systems, which are the predominant type, have something like a 30 or 60 second timeout before requiring human help.
1. Re:One trick by P-niiice · 2012-09-17 02:57 · Score: 3, Funny
  
  I do this and get more and more pissed everytime I have to yell "Agent" at it. My kids get a huge laugh out of it everytime too.
2. Re:One trick by fuzzyfuzzyfungus · 2012-09-17 03:04 · Score: 4, Interesting
  
  If you have the knack for it, whenever you encounter and IVR is to repeatedly scream a phrase at it, something like 'agent'. Good systems recognize the word and put you through to a human post haste. Shit systems, which are the predominant type, have something like a 30 or 60 second timeout before requiring human help.
  Some systems may actually be responding to the vocal stress cues. In an effort to pretend to care, while minimzing the number of actual humans needed, some designs will prioritize the ones that sound increasingly angry so as to get them dealth with and out of the way. I find that it generally isn't difficult to convincingly emulate boiling rage, and(depending on whether the phone drone knows he is being dumped into a rage call or not) immediately switching to polite-and-businesslike when the human comes on usually works pretty well.
3. Re:One trick by PRMan · 2012-09-17 03:11 · Score: 5, Interesting
  
  Pressing 0 works on a little more than half of systems. Make sure you keep pressing 0 in response to every prompt.
  
  --
  Peter predicted that you would "deliberately forget" creation 2000 years ago...
Re:What? by RaceProUK · 2012-09-17 02:38 · Score: 4, Insightful

buffer overflows
Not everyone on here is a programmer.

--
No colour or religion ever stopped the bullet from a gun
Re:What? by TWX · 2012-09-17 02:44 · Score: 5, Funny

I'm not a programmer and I know what a buffer overflow is...

It's when you use too much polishing compound on your buffer and it squirts out everywhere and ruins the paint on the car, right?

--
Do not look into laser with remaining eye.
Re:Dilbert would be proud by TWX · 2012-09-17 02:47 · Score: 4, Funny

DNWTFV...

I'm sorry, but "shower scene" and "Dilbert" do not belong anywhere near each other.

I had an involuntary mental image that it'd be like the shower scene from Starship Troopers but with the Dilbert characters, and then I threw up a little bit...

--
Do not look into laser with remaining eye.
Re:What? by RaceProUK · 2012-09-17 02:47 · Score: 4, Funny

Meh, why not?
It fulfills the car-analogy requirement for this article at least.

--
No colour or religion ever stopped the bullet from a gun
Re:What? by TWX · 2012-09-17 03:02 · Score: 5, Funny

Ever contemplate how much pizza you really eat, by volume?

Let "a" be the thickness of the crust, and let "z" be the radius.

So, the volume of your slice, depending on how it's cut, is a fraction of pi*z*z*a.

--
Do not look into laser with remaining eye.
seen it done. not new. by gigne · 2012-09-17 04:01 · Score: 5, Interesting

Working in the industry, and having to read low level logs all of the time, I see this frequently.
People will call up, wait for a silence, and after 500ms start pumping down DTMF signals. Often they do this with seemingly random patterns 3-4 times before giving up.
often times they retry promps with longer and longer strings. This is old news.
I am guessing there is a wardialler in ther that is looking for specific systems at the other end. Sort of known phreak attacks.
Weird things like this exist and have existed for a long time. Hardware and software suppliers check for this now. We routinely check for stuff link this in dev and QA.
The submitter is doing nothing new, nothing unknown or even clever. These sorts of phreaks are older than I am. meh.

--
Signature v3.0, now with 42% less memory usage.
Re:What? by MobileTatsu-NJG · 2012-09-17 05:06 · Score: 3, Funny

Press one if you'd like to see those links again.

--

"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
The elephant in the room - C by Animats · 2012-09-17 05:38 · Score: 3, Interesting

The problem remains the C language. C (and C++) is the only remaining major language prone to buffer overflows.
This can be fixed. See "Safe arrays and pointers for C through compatible additions to the language". This is a proposal for a "strict mode" for C which prevents buffer overflows. It's been discussed on Lambda the Ultimate, the C standard newsgroup, and the GCC development list, and with each round of criticisms, the design is tightened up.
This proposal includes a "strict mode", in which the rules are tighter, and ways to talk about the size of arrays. Non-strict code can call strict code, and vice versa. So there's a gentle migration path to all-strict programs, one source file at a time. It's an extension to C, not a new language. Some of the necessary features for this are already in C99 or are GCC extensions, so I'm trying to get this into GCC as an extension so it can be tried in the real world.
It's no longer acceptable to say that this problem can't be solved. It can. It just takes the will to solve it. Prodding from the security community will help.
Strict code is mostly about declarations. For example, the Linux "read" function, which is now declared int read(int fd, void* buf, size_t len); would be declared int read(size_t len; int fd, void_space (buf&)[len], size_t len); Instead of passing a pointer, you pass a reference to an array, a reference with an associated size. So the language knows how big the array is. Incidentally, the first "size_t len;" is a forward declaration of len. That's an existing but rarely used GCC extension. It's needed because so many C, UNIX, Linux, and POSIX APIs have the buffer param before the buffer size.
(For those few of you who know what a C99 variable length array parameter is, you'll wonder why this syntax differs from that. It's a long story. C99 VLA params are demoted to pointers at function entrance, losing the size info. It turns out nobody uses C99 VLA params; repeated searches have failed to find any of them in open source code. Also, Microsoft refused to implement them in Visual C/C++, they're incompatible with C++, and they've been demoted to an optional feature in the latest C standard draft.)