Spoken Commands Crash Bank Phone Lines

mask.of.sanity writes "A security researcher has demonstrated a series of attacks that are capable of disabling touch tone and voice activated phone systems, forcing them to disclose sensitive information. The commands can be keyed in using touchtones or even using the human voice. In one test, a phone system run by an unnamed Indian bank had dumped customer PINs. In another, a buffer overflow was triggered against a back-end database. Other attacks can be used to crash phone systems outright."

Good

[Anonymous Coward]

I hate those automated prompts.

Re:Good

[justforgetme]

Especially if after pressing all possible combinations and you finally get to the part where it says "I'll connect you to a human being" the while system blows up and you have to start over. Which in my experience happens approximately 100% of the time.

Re:Good

[SJHillman]

I don't mind a lot of the entirely automated systems (although some are horrible), nor do I mind waiting for a human. However, it's the hybrid systems where you go through anywhere from five to twenty layers of prompts only to be connected to a human who then asks you all of the same questions as the automated system that I really hate.

Re:Good

[JustOK]

Press SQRT(-1) if this annoys you.

Re:

[L4t3r4lu5]

444?

Spamfilter spamfilter.

Re:

[ericloewe]

Sure it does, it's the 4 on a keypad

Re:Good

[TheCarp]

I don't even mind the hybrid systems, in theory.

What I mind is the last part. I am on with the machine, it collects all the info that a human operator would need, makes sense....helps speed things along, route calls, and keep the actual time of the operator useful, rather than monotonously getting account details....cool.

In reality though, its exactly as you say.... I spend all that time on with the computer, give it all my info, verify my account...and then... the operator gets on and asks for all that info again....

So it didn't save him from monotony, it didn't keep his time useful.... all it did was waste my time.... yay.

Re:Good

[h4rr4r]

Wasting your time is good for them, it reduces the number of hangups. Far more importantly It means hold times don't start until after all the prompts have been exhausted. This makes the call center numbers look great.

Record a stupid metric get a stupid result.

Re:

[AK Marc]

Call backs suck. You end up either holding anyway, just with the phone hung up, or you miss the call when you step in the shower. The call back systems I end up getting don't give a reasonable time for response. Once, I was calling as I was getting ready to leave. I gave them 20 minutes to call me. Nothing. Then I left and came back to a call log that was them calling every 10 minutes for 2 hours (starting 5 minutes after I left the house). Then I sat at home for another 2 hours before they actually

Re:Good

[SlippyToad]

the operator gets on and asks for all that info again....

I bitched about that once. Turns out, they are killing time while your screen comes up from their glacially-slow system.

Re:

[Anonymous Coward]

I don't know about banks, but I've worked in 2 call center jobs: a utility company and a state government agency.
In both places, info entered by the caller was used only to route the call; none of it was passed on to me.

Re:

[fuzzyfuzzyfungus]

Good Morning, Sir, would you mind confirming your slashdot UID for me before I can respond to your post?

Re:

[rbrausse]

my password is swordfish

Re:Good

[dkleinsc]

See, when you type swordfish, it shows to us as *******

Re:

[TheGratefulNet]

close but not quite: that is actually a starfish!

Re:

[Anonymous Coward]

I don't mind a lot of the entirely automated systems (although some are horrible), nor do I mind waiting for a human. However, it's the hybrid systems where you go through anywhere from five to twenty layers of prompts only to be connected to a human who then asks you all of the same questions as the automated system that I really hate.

Say "operator" when you're dealing with an automated system, and it'll generally hook you straight up to a real live homo sapien.

Now you know.

Re:

[sjames]

Swearing often helps too. Some systems take it as a sign you're getting angry and try to head it off.

Re:

[AK Marc]

Not any more. pressing 0 and saying "operator" used to work, but they are so common that the big people just say "that was an invalid option, please choose from one of the following options." These days, repeatedly mashing "1" gets you to a person fastest. They even plan on it, as that was the "old person" version, where they don't ever listen. Ever wonder why the Spanish choice has you pressing 2 or 4 or something? So that if you hit 1 repeatedly, you'll end up at the "regular" operator pool, not the

Re:

[Phreakiture]

Here are the two worst I have encountered:

One was a customer satisfaction survey. For each question, it asked the question, and then followed it with this entire message: "Press 1 for strongly agree; press 2 for agree; press 3 for neither agree nor disagree; press 4 for disagree; press 5 for strongly disagree." Now, I have no problem with this kind of prompt existing, but seriously, after the first question, I get how it works. Oh, I almost forgot: It would not accept any input until it had finished rea

Re:Good

[Lorens]

[It's] a human who then asks you all of the same questions as the automated system that I really hate.

I have a supplier whose automated system asks for contract number and system ID's and the like. Once, my system was totally down and the different numbers I had were refused by the supplier's IVR. I remembered hearing that some IVR systems detect swearing. I quite deliberately swore a few times at the system, and it beeped and asked "Are you currently experiencing a severity-1 production outage, press one". I did and got a human immediately. I'll never again complain about their system . .

Re:

[morgauxo]

Yes, that really sucks. I've been on both sides of that though. When the faceless big corporation that employs you doesn't give you access to that information imagine having to explain it 100 times a day while not putting down the hand that feeds you. I get it that the customer is annoyed but there still isn't anything the person on the phone can do until the customer quits their whining about it and just answers the damn questions already.... yes, again. There could be any number of individuals whose fau

Re:

[AK Marc]

I've been on both sides of that though. When the faceless big corporation that employs you doesn't give you access to that information imagine having to explain it 100 times a day while not putting down the hand that feeds you. I get it that the customer is annoyed but there still isn't anything the person on the phone can do until the customer quits their whining about it and just answers the damn questions already.... yes, again.

There's no reason to answer the questions twice (aside from the evil corporation being too cheap/stupid to set up their expensive IVR correctly, which isn't acceptable to me as a customer).

It's unfortunate for both sides when that information isn't sent on to the individual who actually answers.

If it were that unfortunate for the faceless megacorp, they'd send the information they've already gathered and verified to the person on the phone. Otherwise, it's much much easier for the caller to just route it to a human. There's no benefit to the caller to go through a non-integrated IVR. At worst, there are sligh

Re:

[dywolf]

usually, in the good systems (natch!), you just keep hitting 0, or saying "Representative" or else something that it can't decipher and it'll take you right to an operator, after only about 15 seconds.

Re:

[azadrozny]

Some companies are getting wise to this. Yes, this will take you to a real person, but that person is often nothing more than a switchboard operator. Many times they have routed me back to the same prompt queue I just escaped from.

Re:

[justforgetme]

On lots of the implementations I have seen either the menu loops indefinitely or it just disconnects you. To be honest though this is something I only have noticed in countries in the Mediterranean. So maybe it is somehow related to economic insolvency?

Re:

[DarthBart]

I always like the systems (I'm looking at you Dell!) that send you through the song and dance of entering information, then when the time comes to hit the queue the system says "We're sorry, call volumes are too high at the moment. Please call back later. *CLICK*".

Re:

[morgauxo]

I used to be one of the human beings a person might reach after mashing in those possible combinations. I don't know how awful the system may have been that lead customers to do that. I had no input in making it or access to anyone who did. It may have really sucked but I sure hated those people that got to me by randomly mashing the wrong buttons. They were always so pissed off and difficult when I told them I had to transfer them. What did they expect? Ignore the system that is supposed to be helping

Re:

[justforgetme]

I wasn't talking about randomly mashing the buttons, but just trying to find the menu that does what you want without any success because it doesn't exist. Leading to the aforementioned every possible combination

Re:

[Obfuscant]

They were always so pissed off and difficult when I told them I had to transfer them. What did they expect?

Good customer service from a company that truly cares about their business and doesn't waste their time playing through an endless cycle of "press 1 for this" or "press 2 for that", usually after starting the cycle with the useless "please listen carefully to the options because our menu has changed", when the menu hasn't changed in two years. A company that clearly offers "None of the options fits, press 0 for a person who is trained to assist you" instead of simply repeating the same three or four irrele

Re:

[AK Marc]

Danmed straight. If you don't get a human (or your question answered for truly automated things like account balance and payment info or such) by about 3 menus deep, then you need to ditch the IVR and go back to human call routing. It's just too complicated to expect the general users to get where they are going, or you have 10,000 departments and nobody knows what goes where (I'd estimate about half the IVRs I've had to use had at least one invalid choice).

Re:

[AK Marc]

The "correct" buttons got me to the wrong department. I wanted to make a payoff, not make a regular payment, and the people who accept payments can only tell me my current due, not lock in a payoff amount. So, call back, same IVR, same wrong department. Call back, deliberately press the wrong buttons, get to an "operator" that can route me to the right person. IVR fails, wrong buttons get me what I was looking for.

And it can't count against your stats if they call back if they were in the wrong departm

Re:

[dywolf]

I do too. "Please say or key in your PIN/Account/Social Security/Member Number" ... ya I want to say my very important number out loud...
luckily USAA lets you key in the stuff too. I've come across some that dont, and I frankly refuse to use them.

But when I saw this article, my first thought was, what do I say to trigger a money dump into my account?

Social engineering

[BSAtHome]

How is the turing test doing for social engineering an automated system?

Maybe the system commited suicide after listening to those humans and just decided it was not woth it anymore.

Re:Social engineering--PenTest?

[BoRegardless]

Penetration Testing?

Must not know of such things in India yet. Seriously behind China.

Re:

[AK Marc]

China is confused on the subject. You mean you are supposed to pen test you own stuff, not just the competitors?

What?

[ledow]

You decided to link to explanations of touch-tones and buffer overflows? On Slashdot? Really?

And yet the article basically parrots the summary with no more information.

Re:What?

[RaceProUK]

buffer overflows

Not everyone on here is a programmer.

Re:What?

[TWX]

I'm not a programmer and I know what a buffer overflow is...

It's when you use too much polishing compound on your buffer and it squirts out everywhere and ruins the paint on the car, right?

Re:What?

[RaceProUK]

Meh, why not?

It fulfills the car-analogy requirement for this article at least.

Re:

[JustOK]

But ignores pizza

Re:What?

[TWX]

Ever contemplate how much pizza you really eat, by volume?

Let "a" be the thickness of the crust, and let "z" be the radius.

So, the volume of your slice, depending on how it's cut, is a fraction of pi*z*z*a.

Re:

[L4t3r4lu5]

That's not a pizza, that's a flatbread.

Bazinga!

Re:

[TheGratefulNet]

except that you end up with a black hole when you try to divide by tomato.

Re:

[wonkey_monkey]

You decided to link to explanations of touch-tones and buffer overflows? On Slashdot? Really?

That is how hypertext is supposed to work, y'know. No-one forces you to click a link if you don't want any more information.

Re:

[FireFury03]

You decided to link to explanations of touch-tones and buffer overflows? On Slashdot? Really?

That is how hypertext is supposed to work, y'know. No-one forces you to click a link if you don't want any more information.

After reading the article and finding it had no more information than the summary, I clicked the other links expecting them to be a more in-depth article on the same subject... I was disappointed.

Re:

[MobileTatsu-NJG]

Press one if you'd like to see those links again.

Would you like to hear other people's PINs?

[pr0t0]

To hear the PINs of our other customers, please press 1, or say "yes" now.

Re:Would you like to hear other people's PINs?

[frostfreek]

0000
0001
0002
:
9999

Re:

[kat_skan]

That's amazing! I've got the same combination on my luggage!

Re:

[AK Marc]

The US standardized on 4-digits no more, no less. Much of the rest of the world allows for (some require) 6-digits. I have never gotten money out of a machine that required 6-digits for my American card with 4-digits.

SQL Injection via voice?

[Gotung]

"In one test, a phone system run by an unnamed Indian bank had dumped customer PINs" Sounds like a SQL injection attack, via voice. Lol. Little Bobby Tables strikes again.

Re:

[Anonymous Coward]

My money is on it not being purely by voice, but prepped with online banking. The attacker probably set their name or security question to Bobby Tables, then used the standard voice prompts to have the voice system attempt to say the name/security question/etc, which then ran the queries un-escaped

Re:

[LordLimecat]

The article indicates that the attack was done by speaking attack commands.

Re:

[Anonymous Coward]

The article indicates that the attack was done by speaking attack commands.

Attack commands?

"DIE AND BURN IN HELL, YOU STUPID FUCKING PIECE OF SHIT VOICEMAIL SYSTEM!"
"Okay. I will die now."
*sound of distant explosion*
"...huh. Cool. I didn't think it'd be that easy."

Re:

[omnichad]

"Shall we play a game?"

Re:

[SlippyToad]

Computer: Sic balls!

Re:

[Obfuscant]

The article indicates that the attack was done by speaking attack commands.

Sit!

Stay!

Good dog, Ubu!

Re:SQL Injection via voice?

[Anonymous Coward]

"Thank you for calling Mega Bank. Please say 'Customer Service' or 'Loan Application'."

"SELECT password FROM members"

"It sounds like you're trying to hack our system. Please hold while I access that data."

Re:

[Gotung]

The summary clearly states the the buffer overflow attack was a different attack from the one that dumped the PIN #'s.

Re:

[AK Marc]

A buffer overflow is an input so large that it overflows the available space for the input, and the remainder of the input overwrites something else, usually resulting in a crash, but sometimes can be crafted to allow arbitrary remote code execution. SQL injection is a form of arbitrary/remote code execution where the input (or portion thereof) is treated as a command. They can both be forms of arbitrary code execution, and thus, for a general release article are equal.

Oblig

[gmuslera]

Wonder of something like this [xkcd.com] happened.

Video of the talk

[Tryfen]

You can you watch a video of the talk on YouTube [youtube.com] - or read the slides at BlackHat [blackhat.com].

Fairly interesting to see how buffer-overflows can occur in the most unlikely places.

Re:Video of the talk

[bouldin]

There's more detail here, including links to papers: http://voipsecurityblog.typepad.com/marks_voip_security_blog/2012/09/dtmf-telephony-denial-of-service-tdos-issues-for-ivrs.html [typepad.com]

Re:

[jittles]

I'm sorry, I know this guy probably isn't a native English speaker, but he is a horrible presenter. One of the worse I have ever seen. It doesn't seem like he practiced or anything, and you can tell he is terribly uncomfortable. The presentation is also very long, and not very interesting most of the time.

Re:

[cffrost]

[H]e is a horrible presenter. One of the worse I have ever seen. It doesn't seem like he practiced or anything, and you can tell he is terribly uncomfortable.

I didn't watch this presentation, but your post reminded me of Elon Musk's appearance on The Daily Show. [thepiratebay.se] Blushing, glistening in sweat, strange answers, etc. It seemed like he'd never spoken in public before, and I was half-expecting him to flee the interview at any moment.

Re:

[jittles]

He wasn't sweating, and didn't look like he would flea in terror but he had DTMF tones blaring loudly from his powerpoints, had long pauses where he had to figure out what he wanted to say, and was constantly saying "Umm umm umm." This is why most universities require you to take public speaking classes, and things of that nature. At my last company I would go to a tradeshow every year and give 2 presentations a day for a week. I also gave demos to government officials (Including a 1-star [Brig. General]

Re:

[TheGratefulNet]

but you'll see the strangers only once; and you'll have to see your co-workers again and again. how is this better?

Re:

[jittles]

but you'll see the strangers only once; and you'll have to see your co-workers again and again. how is this better?

That's exactly my point. If are a good employee then your coworkers will value you despite your embarrassing attempt to present to them. You only get one attempt at showing those strangers that your product (whether it is you as an employee, or your company's product) is worth the money. If you mess that up, the game is over. But if you've had a great career and you get a little bit of stage fright in front of your coworkers, they will (in my experience) genuinely offer constructive criticism and help y

Re:

[AK Marc]

I'd go with:

It's like no one every proof read, the abstract.

Re:Video of the talk

[MobyDisk]

I don't dare run Powerpoint files or Word documents I receive from my relatives. Yet here I am downloading one from Black Hat and I feel perfectly safe. The world has gone mad.

Re:

[RaceProUK]

That's compression for you!

Re:

[NatasRevol]

I need to do more sit ups.

Re:

[AK Marc]

I guess I never got into the good stuff. All the work I did with IVR was ACR-only. The "integration" was to play inputs back into a sandboxed program that sent the numbers to the customer service rep that answered the phone (no integration with the other systems, other than cut and paste). It wasn't sandboxed for security, but cost reasons. I can see how an input could theoretically exceed the input length and cause an overflow, but, every ACR I've ever dealt with let you set a max (set to 20 or so by d

One trick

[kilodelta]

If you have the knack for it, whenever you encounter and IVR is to repeatedly scream a phrase at it, something like 'agent'. Good systems recognize the word and put you through to a human post haste. Shit systems, which are the predominant type, have something like a 30 or 60 second timeout before requiring human help.

Re:One trick

[P-niiice]

I do this and get more and more pissed everytime I have to yell "Agent" at it. My kids get a huge laugh out of it everytime too.

Re:

[MachDelta]

Have you tried "I'm going to stab you in the EEPROM" ?
It worked for Frontalot...
kinda....

Re:One trick

[fuzzyfuzzyfungus]

If you have the knack for it, whenever you encounter and IVR is to repeatedly scream a phrase at it, something like 'agent'. Good systems recognize the word and put you through to a human post haste. Shit systems, which are the predominant type, have something like a 30 or 60 second timeout before requiring human help.

Some systems may actually be responding to the vocal stress cues. In an effort to pretend to care, while minimzing the number of actual humans needed, some designs will prioritize the ones that sound increasingly angry so as to get them dealth with and out of the way. I find that it generally isn't difficult to convincingly emulate boiling rage, and(depending on whether the phone drone knows he is being dumped into a rage call or not) immediately switching to polite-and-businesslike when the human comes on usually works pretty well.

Re:

[Obfuscant]

some designs will prioritize the ones that sound increasingly angry so as to get them dealth with and out of the way.

I can't figure out whether you put an extra 'h' on 'dealt', or an extraneous 'l' in 'death', but I guess either way they are "out of the way".

Re:One trick

[PRMan]

Pressing 0 works on a little more than half of systems. Make sure you keep pressing 0 in response to every prompt.

Re:

[omnichad]

Sometimes rapidly pressing 0 instead of pressing it for each prompt gets you in faster.

Dilbert would be proud

[murcon]

Heh. For some reason this reminds me of the "shower scene" from the very first episode of Dilbert (the animated series), where Dogbert is attempting to hack Dilbert's voice-activated shower temperature control.

http://www.youtube.com/watch?v=7MqhBL9eEts [youtube.com]

Re:Dilbert would be proud

[TWX]

DNWTFV...

I'm sorry, but "shower scene" and "Dilbert" do not belong anywhere near each other.

I had an involuntary mental image that it'd be like the shower scene from Starship Troopers but with the Dilbert characters, and then I threw up a little bit...

Cap'n Crunch

[rueger]

Wow - surely you could find a way to work in a Cap'n Crunch whistle? [jetcityorange.com]

Who cares? Phone service serves no purpose

[gelfling]

Seriously, phone support? That's a waste of all time and effort. So is online chat support, email and talking to anyone in person if they even exist.

Re:

[NatasRevol]

Everyone should have direct access to the databases!

Secret phrase

[PPH]

"All your PINs are belong to us!"

Windows!

[mccabem]

If humanity has any luck left this will spell the end of shitty automated phone systems (which is about 99.9% of them). With Windows as my bell weather, I'll not be holding my breath.

Really, Slashdot?

[korgitser]

Nobody reckognizes TFA as being about phreaking? You know, this kind of stuff dates back ages. Kevin Mitnick even had the superpower to whistle nuclear missiles into flight... True Story(TM).

seen it done. not new.

[gigne]

Working in the industry, and having to read low level logs all of the time, I see this frequently.
People will call up, wait for a silence, and after 500ms start pumping down DTMF signals. Often they do this with seemingly random patterns 3-4 times before giving up.
often times they retry promps with longer and longer strings. This is old news.

I am guessing there is a wardialler in ther that is looking for specific systems at the other end. Sort of known phreak attacks.

Weird things like this exist and have existed for a long time. Hardware and software suppliers check for this now. We routinely check for stuff link this in dev and QA.

The submitter is doing nothing new, nothing unknown or even clever. These sorts of phreaks are older than I am. meh.

Re:

[oodaloop]

Right. First thing I though of was the whistle from Capn Crunch.

Re:

[cffrost]

In the mid-1990s there was a DOS program called Code Thief, which would dial an 800* number, enter a telephone number known to be answered by modem (e.g., multi-line BBS), enter an authorization code (4-6 digits, IIRC), then keep a log of which codes resulted in successful connection.

* I don't know what these 800 numbers were exactly, but I was told they were intended to allow corporate business travelers to make LD calls from payphones/hotel phones at their employer's expense. The 800 numbers themselves we

Re:

[wmbetts]

One of my favorites was Toneloc.

Re:

[gigne]

sometimes it is almost certainy this... the ones that clearly are not are the ones waiting for prompts.

example exchange

[goffster]

are em minus f slash root
Permission Denied
sudo are em minus f slash root
no home directory

Try this...

[ctrl-alt-canc]

At the voice prompt, yell "Format c" followed by "yes!".

The elephant in the room - C

[Animats]

The problem remains the C language. C (and C++) is the only remaining major language prone to buffer overflows.

This can be fixed. See "Safe arrays and pointers for C through compatible additions to the language" [animats.com]. This is a proposal for a "strict mode" for C which prevents buffer overflows. It's been discussed on Lambda the Ultimate, the C standard newsgroup, and the GCC development list, and with each round of criticisms, the design is tightened up.

This proposal includes a "strict mode", in which the rules are tighter, and ways to talk about the size of arrays. Non-strict code can call strict code, and vice versa. So there's a gentle migration path to all-strict programs, one source file at a time. It's an extension to C, not a new language. Some of the necessary features for this are already in C99 or are GCC extensions, so I'm trying to get this into GCC as an extension so it can be tried in the real world.

It's no longer acceptable to say that this problem can't be solved. It can. It just takes the will to solve it. Prodding from the security community will help.

Strict code is mostly about declarations. For example, the Linux "read" function, which is now declared int read(int fd, void* buf, size_t len); would be declared int read(size_t len; int fd, void_space (buf&)[len], size_t len); Instead of passing a pointer, you pass a reference to an array, a reference with an associated size. So the language knows how big the array is. Incidentally, the first "size_t len;" is a forward declaration of len. That's an existing but rarely used GCC extension. It's needed because so many C, UNIX, Linux, and POSIX APIs have the buffer param before the buffer size.

(For those few of you who know what a C99 variable length array parameter is, you'll wonder why this syntax differs from that. It's a long story. C99 VLA params are demoted to pointers at function entrance, losing the size info. It turns out nobody uses C99 VLA params; repeated searches have failed to find any of them in open source code. Also, Microsoft refused to implement them in Visual C/C++, they're incompatible with C++, and they've been demoted to an optional feature in the latest C standard draft.)

Re:

[ElmoGonzo]

Long Live Captain Crunch!

Use a Sponge Bob Happy Meal toy

[srussia]

To bad i'm very much tone deaf

Get all the details in next quarter's 2600!

Re:

[omnichad]

Right, because it's only real if they record video evidence of them committing a felony and not using a test system set up to emulate the real-world environment.

Re:

[AK Marc]

I was going to say that the systems couldn't even know the pins, as that's insecure. But I recently had to call my building security. They asked me my PIN. "1234" No, but you got the first number right. "Oh, then 1111" yes. So the security guy was reading off my pin on the screen. Kinda makes the point of a PIN useless if anyone in security knows it.