A lot of time, effort and money is spent protecting and defending computer networks from intruders and criminals, but what about protecting phone networks?
According to one security researcher, interactive voice response systems (IVRs) — the ones we use to check and store our voicemail and the ones we interact with when we call the bank — are so insecure that they could be tricked into spitting out sensitive information or taken down completely with just a single phone call.
"No banks or organizations are testing IVRs because they think the systems are secure, but in reality, they are not. No firewall or CAPTCHAs monitor voice traffic," said Rahul Sasi, who works for security company iSight Partners.
Sasi explained that when a system's audio processing algorithms are fed strange DTMF (dual-tone multi-frequency) signals, it can cause the entire system to behave strangely or crash entirely.
In a paper titled " How I DOS'ed My Bank," Sasi said an attack like this, known as fuzzing, could cause an "entire phone banking to become inaccessible, or no calls from the customer goes through," resulting in "a lot of panic" and a "huge" amount of damage.
The paper asserts that with some fine-tuning, fuzzing could be a viable means of lifting secrets.
"We would be able to extract sensitive information about the application’s hosted environment with these sorts of bugs," Sasi wrote. "Since applications that use DTMF algorithms are mainly phone-based, it was possible to extract output in the form of audio data."
If Sasi is correct, a seemingly nonsensical sequence of tones could cause an IVR to play voice messages, read back account statements, and divulge medical results or other private information to parties who have no business hearing it. In one demonstration, Sasi tricked the IVR of an Indian bank into giving up customers' PINs.
Phone hacking is nothing new. Phreaking, as it's known among telecommunications enthusiasts and tinkerers, can be traced back to the 1950s when people began finding ways to manipulate the then-new touch-tone system.
One of the earliest forms of phreaking involved mimicking, either by whistling or by using a toy flute, an internal AT&T tone (2600 hertz, fourth E above middle C) to trick the system into thinking a call was over. The line would remain open and could be used to make free long-distance calls.