• Internal Attacks via IVR systems [ Security Vulnerabilities in IVR Applications]

    Am putting down Demo videos along with few important slides form my BlackHat 2012 presentation .

    My presentation were in HTML 5 and am putting down Demo Presentations here. I will upload the HTML5 presentation some were or you could download them form


    For Better understanding about these demos go through the html 5 slides

    Phone Banking

    Brute Forcing IVR Application:

    Layers of an IVR

    How IVR Works

    Demo IVR Application DTMF and Voice Input

    Finger printing IVR Application

    Input Validation Attacks [ DTMF Blind SQL Injection ]

    IVR Alpha Numeric Input [Chances of sending Alpha Numeric Shellcodes]

    IVR Heap OverFlow [Internal Server 500 Error

    This article was originally published in blog: Internal Attacks vai IVR systems [ Security Vulnerabilities in IVR Applications] started by fb1h2s
    Comments 3 Comments
    1. vaibhav's Avatar
      vaibhav -
      Hi fb1h2s, This is very helpful, but what i was wondering is that while doing all this, would ur bank not know that you are attempting to fingerprint or brute force into an account. Even when you are doing it for your own account. I mean would there be not litigation. Is there a way around this?
    1. fb1h2s's Avatar
      fb1h2s -
      Hi thanks for the concern , in my demonstration all I tried to demonstrate with my bank is that IVR logins are bruteforcable and its the same with every other banks, no specifics here. And no bruteforce attempts were made , only login to a personal test account was done.
    1. xenvito's Avatar
      xenvito -
      Hey fb1h2s, Enjoyed the presentation. Can you please share some sample codes for interfacing python with android for sending AT commands? I believe pyserial would help but the progress has been slow in that direction. Would really appreciate some pointers :-)
  • G4H Facebook

  • G4H Twitter