Scanit - The security company

IVR Hacking

Author:

Alexandre Bezroutchko, May 2002

Description:

We were given the task of testing a voice mail system. Interactive voice response (IVR) systems such as voice mail are attractive hacking targets because they can contain confidential information such as voice mail messages and can sometimes be used to make free phone calls.

When a user tries to access his voice mail from any phone other than his own, he needs to enter the PIN code. Our task was to automate PIN-code guessing. We built a system that used a car-kit emulator to connect a GSM mobile phone to the computer sound card, plus a program to dial the voice mail, enter PIN codes and analyze the voice mail response. The system can be used to automate other kinds of IVR interactions. Using this system it takes on average 8 hours to break into a voice mailbox protected by a 4-digit PIN.

Equipment:

[Figure: Car-kit emulator]

To automate the process of PIN code brute forcing we used the following equipment:
  • A car kit emulator to connect a mobile phone to the PC sound card
  • Software to dial the IVR, try PIN codes from a dictionary, and analyze the IVR's answer
  • A Nokia 7110 mobile phone (built-in GSM modem available through the IR port)
  • A Dell Latitude C800 laptop (sound card & IR port)

[Figure: Car-kit emulator internals]

The car kit emulator is a very simple hardware device (cost < 10 euro), made by soldering a few passive components to a standard Nokia cable. It has one connector for the mobile phone, a line-out jack (to be connected to the line-in of the PC sound card), a line-in jack (to be connected to the headphone output of the PC sound card), and a socket for a speaker (useful for monitoring). The Nokia cable had an RS232 connector, but access to the modem via the serial port was somewhat unstable, so the IR port was used instead.

The software:

Simplified algorithm of a single attempt:

Dial the IVR (+NN.NNN.NNN.NNNN)
Wait for C-TONE
Send the victim's phone number + # as DTMF tones
Wait for C-TONE
Send the 1st PIN code + # as DTMF tones
Wait for E-TONE
Send the 2nd PIN code + # as DTMF tones
Wait for E-TONE
Send the 3rd PIN code + # as DTMF tones
Wait for E-TONE
Hang up
Note: C-TONE and E-TONE are signals emitted by the IVR.

This sequence is repeated until we run out of PIN codes. If the program fails to recognize the expected sounds, it waits for 10 seconds (this happens in about 1% of the attempts) and marks the PIN code being tried as suspicious. The program can be stopped and restarted at any time. After a restart it first retries all suspicious codes collected during the previous invocation (so the operator can listen through the external speaker and find out why they failed) and then continues the attack.

The main program is written in Perl. For dialing it uses the internal modem of the mobile phone, connected to the PC by IR. To send a DTMF digit the program emits the corresponding dual-tone signal on the sound card output (which is routed to the mobile phone through the car kit emulator). To analyze the answer, it digitizes the sound arriving at the line input of the sound card (routed from the mobile phone through the car kit emulator). To detect the presence of the expected signals it calculates, at run time, the cross-correlation between the incoming sound stream and the expected signal. Calculating the cross-correlation requires significant computational resources, so that part was rewritten in C++. All tests were made on a computer with a Pentium III 1 GHz processor.

Estimates:

The PIN code can consist of 4 to 7 digits, and a customer is allowed to enter three invalid PIN codes before the IVR hangs up. So, to guess a 4-digit PIN code (probably the case for most customers) an attacker has to try 10 000 combinations (0000, 0001, …, 9998, 9999), which results in 3 334 phone calls in the worst case.

Let's calculate the duration of a single call:

5 seconds to dial the voice mail number
2 seconds to enter the phone number
1 second to analyze the answer
1 second to enter the 1st pin code
1 second to analyze the answer
1 second to enter the 2nd pin code
1 second to analyze the answer
1 second to enter the 3rd pin code
1 second to analyze the answer
3 seconds to terminate the call

So a single call takes about 17 seconds. The table below sums up the number of calls an attacker has to place and the time it takes to obtain the PIN code with a 50% probability of success:

Digits in PIN   Number of calls   Time (50% probability of success)
                                  seconds      hours     days    months
4               3333              28333        7.9
5               33333             283333       78.7      3.3
6               333333            2833333      787.0             1.1
7               3333333           28333333     7870.4            10.9

The estimates were surprisingly low: about 8 hours to break into a mailbox protected by a 4-digit PIN code. To prove this in practice, we built a device automating PIN code brute forcing and successfully guessed the target PIN code in about 7 hours.
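The table above is derived from three numbers in the text: 10^n candidate PINs, three tries per call, and 17 seconds per call, halved for the 50% point. The block below, an added example and not part of the original write-up, reproduces that table from those inputs and generalizes the formula in two ways so that a defender can compare policies: the per-call try limit and call duration are parameters, and a second function models a hypothetical mitigation the write-up does not describe, a per-mailbox lockout that refuses further PINs for a fixed period once a failure threshold is reached, no matter how many calls are placed. The lockout parameters used in the usage example are assumptions chosen for illustration.

```python
"""Brute-force time estimates for an IVR PIN, reproducing the write-up's table
and comparing it against a hypothetical per-mailbox lockout policy."""
from math import ceil

# Values taken from the write-up: three PIN tries per call, 17 s per call.
TRIES_PER_CALL = 3
SECONDS_PER_CALL = 17


def calls_needed(digits, tries_per_call=TRIES_PER_CALL):
    """Calls required to exhaust every PIN of the given length (worst case)."""
    return ceil(10 ** digits / tries_per_call)


def half_success_seconds(digits, tries_per_call=TRIES_PER_CALL,
                         seconds_per_call=SECONDS_PER_CALL):
    """Seconds until half the key space has been tried (50% success)."""
    return calls_needed(digits, tries_per_call) * seconds_per_call / 2


def estimate_table(digit_lengths=(4, 5, 6, 7)):
    """Rebuild the write-up's table: one row per PIN length, 50% point."""
    rows = []
    for digits in digit_lengths:
        seconds = half_success_seconds(digits)
        rows.append({
            "digits": digits,
            "calls": calls_needed(digits),
            "seconds": seconds,
            "hours": round(seconds / 3600, 1),
            "days": round(seconds / 86400, 1),
            "months": round(seconds / (30 * 86400), 1),  # 30-day month
        })
    return rows


def half_success_seconds_with_lockout(digits, max_failures, lock_seconds,
                                      seconds_per_try=2):
    """Hypothetical mitigation (assumption, not from the write-up): after
    `max_failures` wrong PINs the mailbox rejects all further PINs for
    `lock_seconds`, counted per mailbox rather than per call.  The attacker
    then needs one lock period per `max_failures` guesses; `seconds_per_try`
    is the time to key one PIN and hear the answer."""
    guesses = 10 ** digits / 2                  # guesses to the 50% point
    lock_periods = guesses / max_failures
    return lock_periods * lock_seconds + guesses * seconds_per_try


if __name__ == "__main__":
    for row in estimate_table():
        print(f"{row['digits']} digits: {row['calls']:>8} calls, "
              f"{row['hours']:>8.1f} h, {row['days']:>6.1f} d, {row['months']:>5.1f} mo")
    # Illustrative policy: lock the mailbox for one hour after 10 failures.
    with_lock = half_success_seconds_with_lockout(4, max_failures=10, lock_seconds=3600)
    print(f"4-digit PIN with 10-failure / 1-hour lockout: {with_lock / 86400:.1f} days")
```

Run stand-alone it prints the four table rows (7.9 h, 78.7 h, 787.0 h and 7870.4 h at the 50% point) and then shows that the illustrative lockout stretches the 4-digit case from under 8 hours to roughly 21 days. The lockout's effect is dominated by `lock_seconds / max_failures`, the average cost the attacker pays per guess, which is the quantity to tune when choosing such a policy; the absolute numbers depend entirely on the assumed parameters.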