lecture: Pentesting automated voice responders using smart cloud services


During a large project for a client, we discovered that a need for such testing exists, but
that few tools do. The IBM XFR team developed its own methodology and tools to carry it out
and discovered some interesting failures in the handling of such systems. This talk will discuss
these issues, the methodology, and the tool, which is currently being developed in a more reusable form.

IVR (interactive voice response) systems are widely deployed and used in various industries:
banking, transportation, public institutions…, and sometimes they deal with YOUR data! Did the
providers consider security in their design? “We are not connected to IP networks and
Internet, so no risk!” Or not!
Most IVRs are now built on software solutions, proprietary or open-source. Although those
solutions are not particularly vulnerable by themselves, the implementation and design of the
voice services built on top of them can be highly vulnerable.
That being said, how do you test systems that are only accessible through a phone number? Manual
testing is not an option! How can you exploit the responses from the IVR server in an
automatic way? How can you process the results of thousands of different attempts without
listening to every answer? How can you talk to an IVR that expects vocal answers rather than
DTMF sequences? Good news: state-of-the-art cloud services can help you! In
this talk, we’ll give you a methodology for performing such tests, explain what is needed and
how to build an IVR pentesting platform, and present the vulnerabilities that can be discovered!


Day: 2017-09-15
Start time: 16:15
Duration: 01:00

