Abusing Interactive Voice Response systems – Legacy Telecom [CVE-2018-11518]

Pierluigi Paganini May 29, 2018

A vulnerability tracked as CVE-2018-11518 could be exploited by attackers to power a phreaking attack on HCL legacy Interactive Voice Response systems that do not use VoIP.

These IVR systems rely on various frequencies of audio signals; based on the frequency, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record these frequencies and use them to
activate services or to get sensitive information.

Summary: Dual-tone multi-frequency signaling (DTMF) is a voice-frequency used in
Interactive Voice Response systems (IVRs).

Interactive Voice Response systems

For each key pressed, a dial tone is created by combining the frequencies of the
corresponding numbers row and column. For example, the dial tone of “5” is created by
combining the frequency of “770Hz” and “1336 Hz” and the resultant is the frequency
of “5”.
Abstract: The attack is a phreak attack on IVR systems which are yet to be completely
made VOIP. These Interactive Voice Response systems work on frequency and based on the frequency certain commands and functions are processed. Since these frequencies are generated by the phone, these frequencies are recorded and used to activate services or to get sensitive information for one or multiple users at the same time.

Steps to reproduce attack:

  1. First of all you need a recording of the IVR frequencies. This is nothing but the
    different frequency that for each number that is taken by IVR to process it. Once
    we have the frequencies recorded as mp3, m4a or any other format let’s begin.
  2. Call any toll free number (possibly 198 in India) using any telecom operator SIM.
    Dial the toll free number according to your country and operator.
  3. You will hear the recoded voice saying something like “Press 1 for English, 2 for
    Hindi,” this is the time you have to play your recorded frequency. Suppose you
    want to select English, play the frequency for dial tone 1 from another device or
    laptop or through speakers. The IVR will take this as input and process it and
    make your language as English.

Possible attack scenarios: In the attack scenarios described above we only used
frequencies that of dial tone from 0-9, it is possible to disrupt the systems, control any
users IVR input and subscribe for services, change settings, extract information and
can also cause a denial of service.
CVE-2018-11518 is been assigned to HCL legacy IVR systems, however our research
says IVR belonging to the vendors such as IBM, COMVIVA, SPICEDIGITAL might be
vulnerable to such attacks.

Phreakers: Dhiraj Mishra & Benedict Charles
Research Paper: CVE-2018-11518 abusing IVR systems.

About the Author: Security Researcher Dhiraj Mishra ()
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Interactive Voice Response systems, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment