Tuesday 29 May 2018

0day - Legacy IVR - Let's Phreak

This blog is based on research that my friend and I were doing just for fun; we never expected it to land as research, but it was amazing when it was assigned CVE-2018-11518.

Phreaks: Dhiraj Mishra and virgil_cj

Let's begin. Legacy Interactive Voice Response (IVR) systems work on audio frequencies, and these legacy systems are still widely used; they can be manipulated remotely simply by generating the required frequency ourselves.

Let's say you dial 198 from your mobile phone; the automated voice you hear is the IVR. It tells you to press 1 or 2 and so on, and every time you press a number on your keypad a tone is heard. That tone is the frequency (a DTMF tone) that the IVR system uses to receive your input.

This means the flow of any user's IVR session can be controlled just by generating the required frequencies, and manipulated to do anything like recharging or subscribing to a new caller tune, etc.
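To make the mechanism concrete, here is an added example (not code from the original post) of how an IVR's detector turns a keypad tone into a digit: each key is the sum of one low-group and one high-group frequency, and the decoder measures the energy at all eight DTMF frequencies with the Goertzel algorithm, accepting input only when exactly one frequency in each group dominates. The frequency table and 8 kHz sample rate are the standard DTMF values; the test tones are constructed inline.

```python
import math

SAMPLE_RATE = 8000  # Hz, the narrowband telephony standard
ROW_FREQS = (697, 770, 852, 941)      # low group, one per keypad row
COL_FREQS = (1209, 1336, 1477, 1633)  # high group, one per keypad column
KEYPAD = ("123A", "456B", "789C", "*0#D")


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Energy of `samples` at a single frequency via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def decode_dtmf(samples, rate=SAMPLE_RATE, min_ratio=8.0):
    """Return the keypad character encoded in `samples`, or None.

    A genuine key press carries exactly one strong low-group tone and one
    strong high-group tone, so each group's strongest frequency must exceed
    the runner-up in that group by `min_ratio`; silence, speech or a lone
    tone fails this check and is rejected instead of being treated as input.
    """
    row_p = [goertzel_power(samples, f, rate) for f in ROW_FREQS]
    col_p = [goertzel_power(samples, f, rate) for f in COL_FREQS]
    r = max(range(4), key=lambda i: row_p[i])
    c = max(range(4), key=lambda i: col_p[i])
    row_runner_up = sorted(row_p, reverse=True)[1]
    col_runner_up = sorted(col_p, reverse=True)[1]
    if row_p[r] < min_ratio * max(row_runner_up, 1e-9):
        return None
    if col_p[c] < min_ratio * max(col_runner_up, 1e-9):
        return None
    return KEYPAD[r][c]


def synth_tone(freqs, duration=0.05, rate=SAMPLE_RATE):
    """Constructed sample input: a sum of sinusoids at `freqs`, `duration` seconds."""
    n = int(rate * duration)
    return [sum(math.sin(2 * math.pi * f * i / rate) for f in freqs) for i in range(n)]


if __name__ == "__main__":
    print(decode_dtmf(synth_tone((770, 1336))))  # key "5"
    print(decode_dtmf(synth_tone((770,))))       # None: low-group tone alone
```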

CVE-2018-11518 was assigned, and we also made a video PoC showing how this is actually done.

If you are wondering how this could become an attack: suppose these DTMF frequencies are played over loudspeakers in a public place. If anyone there is on an IVR call, the frequencies are taken as that user's input, and by playing them repeatedly services can be activated for that user without the person even realizing it.

Telecom operators must move their systems to newer technology rather than continuing to use old legacy systems.

Video POC : https://www.youtube.com/watch?v=MHvGx0URN_I
Research paper: CVE-2018-11518