A year ago, I got an opportunity to work on an IVR pentesting project that involved the security assessment of a major financial IVR system. It’s not something many people have heard of or worked on. It is a little-explored field, but one that can lead to interesting results. Rahul Sasi has done some great research on IVR security, and it’s available online. There are only a few known attack vectors you can use during an IVR pentest, but a major problem in IVR pentesting is that it’s frustrating and requires a lot of time spent just listening to the voice response and repeating the same process many times.
The call might get disconnected if you enter an invalid DTMF value, and you would have to make the call again and enter all those DTMF values manually to reach the stage where you can enter a different payload. So I thought of automating it, because I couldn’t find any tool on the internet that does this.
Objective
To develop a generic tool that automates the IVR call flow and also automates sending attack vectors through an interactive program, so that it saves a pentester’s time.
What is IVR?
Interactive voice response (IVR) is a technology that allows a computer to interact with humans through the use of voice and DTMF tones input via keypad. In telecommunications, IVR allows customers to interact with a company’s host system via a telephone keypad or by speech recognition, after which services can be inquired about through the IVR dialogue. IVR systems can respond with prerecorded or dynamically generated audio to further direct users on how to proceed.
Where is it used?
- Phone Banking
- Payment gateways
- Call center
- Value added service
- Hospital or Medical Enquiry
- Complaint management
- Railway enquiry
- Flight booking
- and more . . .
How does IVR work?
Here is an interesting video by Rahul Sasi about how IVR works.
Why is its security important?
Often, these systems process confidential data such as credit card numbers, social security numbers, user PINs, and other personally identifiable information. An IVR assessment helps organizations secure their IVR systems and identify security holes before attackers can exploit them. Most of the time, IVR systems are conveniently left out of regular security testing and internal audits, which makes them an easy target for attackers.
IVR System architecture
The image below shows the basic architecture of an IVR system and is self-explanatory.
Known attack vectors in IVR
- Fingerprinting Internal servers
- Input validation attacks
- Bruteforce attack
- Buffer overflow
- SQL Injection via DTMF
In this blog post, I will not explain how to go about each of the above attack vectors and exploit them. Rahul Sasi has done a great job on this and released his research on IVR security at Black Hat EU 2012, which you can find at the link below. He explains in detail how these vulnerabilities can be exploited.
https://media.blackhat.com/bh-eu-12/Sasi/bh-eu-12-Sasi-IVR_Security-Slides.pdf
Why is a tool needed?
When I started with IVR pentesting, I realised that it is very frustrating and time-consuming to repeat the entire process of making a call and reaching the point where we can enter a different payload.
Scenario – 1
Let’s assume that the above figure is the flow diagram of a phone banking application we need to pentest. Let’s say that at Menu 3, the phone banking IVR asks for a PIN, which we need to input. This is one of the interesting places where we can send our payload to check whether the application is vulnerable. After giving it an invalid DTMF value, the call might get disconnected, and you would have to call the IVR again and reach this point to send a different payload. This takes too much of our precious time and requires a lot of patience.
Scenario – 2
At Menu 3, the phone banking IVR asks for a PIN, which we need to input. Let’s assume this is vulnerable to a bruteforce attack. Now we need to manually input the bruteforce payload every single time, and this can take hours or days. With the help of a tool, this entire process can be automated: you provide a list to the program, which sends the entries one by one automatically.
How to automate this?
- Serial port communication over USB
- Talk to your phone’s modem using AT commands.
Some basic AT commands
- AT – checks that the modem is responding (it replies OK)
- AT+VTS=1 – sends the DTMF tone for digit 1 (AT+VTS=<digit> in general)
- AT+CLCC – lists the current calls and their status
- ATH – hangs up a call
- ATD – places a call (ATD<number>; with a trailing semicolon places a voice call rather than a data call)
- AT+COPS=? – lists the available operators
- AT+COPS=0,0 – automatically selects a network and registers on it
How does our tool work?
For our tool, we used a Samsung Galaxy Tab connected to the PC over USB as a serial device. The tool talks to the phone’s modem by sending AT commands from the computer over that serial link.
This tool is just a prototype of the final tool. Its main objective is to reduce the time required during an IVR security assessment. It isn’t the full-fledged tool we planned, but it is built well enough that anybody can extend it further.
For now, we have only two major functionalities.
- Record a call flow
- Replay a call flow
The first time, the user records the call flow by manually sending the DTMF tones using the tool. Afterwards, the tool can dial that number automatically and reach that point by replaying the pre-recorded DTMF values. The user can then easily send different payloads at that point from the tool.
We have open-sourced the code for this tool on our GitHub account. You can view or download it here.
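As an added example, not the payatu/ivr-pentest code itself, here is a minimal Python replay of a recorded call flow built from the AT commands listed above: it dials, checks with AT+CLCC that the IVR has not dropped the call, sends each recorded DTMF step, and always hangs up. It assumes a modem reachable through a pyserial-like object (write()/readline(), e.g. serial.Serial("/dev/ttyUSB0", 115200, timeout=2)) that answers with the standard OK/ERROR/+CLCC result codes; FakeSerial and the phone number are constructed stand-ins so the script runs offline.

```python
import time

class AtModem:
    """Drives a phone modem through a pyserial-like port (write()/readline())."""
    def __init__(self, port, settle=0.5):
        self.port, self.settle, self.log = port, settle, []
    def cmd(self, command):  # returns (ok, response lines seen before the final result code)
        self.port.write((command + "\r").encode())
        self.log.append(command)
        lines = []
        for _ in range(50):  # bounded so a silent port cannot hang the tool
            line = self.port.readline().decode().strip()
            if line in ("OK", "ERROR", "NO CARRIER", "BUSY"):
                return line == "OK", lines
            lines.append(line)
        return False, lines
    def send_dtmf(self, digits):
        for d in digits:  # one AT+VTS per digit, paced so the IVR hears each tone
            if not self.cmd(f"AT+VTS={d}")[0]:
                return False
            time.sleep(self.settle)
        return True
    def call_active(self):  # no +CLCC line in the reply: the IVR dropped the call
        ok, lines = self.cmd("AT+CLCC")
        return ok and any(l.startswith("+CLCC:") for l in lines)

def replay_flow(modem, flow):
    """Replay {"number": ..., "steps": [...]} recorded earlier; returns how many
    recorded menu steps were reached before the call dropped."""
    done = 0
    if modem.cmd(f"ATD{flow['number']};")[0]:  # trailing ';' = voice call, not data
        for step in flow["steps"]:
            if not (modem.call_active() and modem.send_dtmf(step)):
                break
            done += 1
    modem.cmd("ATH")  # always hang up so the next replay starts from a fresh call
    return done

class FakeSerial:  # constructed stand-in for the phone: call drops after N digits
    def __init__(self, drop_after):
        self.drop_after, self.sent, self.out = drop_after, 0, []
    def write(self, data):
        c = data.decode().strip()
        self.sent += c.startswith("AT+VTS=")
        if c == "AT+CLCC" and self.sent < self.drop_after:
            self.out.append('+CLCC: 1,0,0,0,0,"18005551234",129')  # constructed number
        self.out.append("OK")
    def readline(self):
        return (self.out.pop(0) + "\r\n").encode() if self.out else b""
```

The returned step count tells you where the call dropped, so the next replay can stop one step earlier and try a different input there.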
https://github.com/payatu/ivr-pentest
Features to be added in a future version of this tool
- Custom bruteforce attack at any defined point
- SQL Injection payloads
- Buffer overflow payloads
- Input validation payloads
Note
This is not the full-fledged tool we intended. The full-fledged tool will have all the features listed above and would probably be implemented on a SIM900 module. I coded this a year back but could not release it, because I realised that for a full-fledged tool it is better to make a GUI or web version rather than a command-line one. With a command-line tool, we cannot have good control when it comes to combining different attack vectors. We will probably make a full version of this tool with an easy-to-use graphical interface. Meanwhile, the code could help a pentester reduce the time needed for an IVR pentest, and it could also help those who want to automate IVR interaction.
References
http://www.sandywalsh.com/2011/02/15-problems-with-old-school-technical.html
https://media.blackhat.com/bh-eu-12/Sasi/bh-eu-12-Sasi-IVR_Security-Slides.pdf