Interactive Voice Response (IVR) Assessment

Find security holes in IVR systems

Next Steps:


Interactive voice response (IVR) systems allow people to interact with computers in an automated fashion, through voice or touch-tone phones. Often, these systems process confidential data such as credit card numbers, social security numbers, user PIN information, and other personally identifiable information (PII). McAfee Foundstone’s IVR assessment helps organizations secure their IVR systems and identify security holes before attackers can gain access.

IVR systems are typically used for telephone banking, credit card services, hospitals, and call centers. Now, IVR technology is also being introduced into automobile systems for hands-free operation. Current deployment in automobiles revolves around satellite navigation, audio, and mobile phone systems.

There is a common misconception that these systems are secure and do not pose a real threat to an organization. Most of the time, IVR systems are conveniently left out of regular security testing and internal audits; however, hackers are shifting away from traditional hacking methods and focusing on weak links such as IVR systems.

Key Benefits

  • Finds holes in production IVR systems before hackers gain access.
  • Leverages Foundstone’s proprietary and up-to-date testing process, consisting of manual and automated testing using scripts and other tools for DTMF fuzzing.
  • Reviews XML files and architecture diagrams to identify flaws in the IVR system implementation.
  • Evaluates your risk and the potential impact on your business; Foundstone includes that assessment in the risk calculation in addition to the industry-recognized CVSS v2 scoring system.
  • Relies on a thorough training program, comprehensive methodology, and strict quality control to ensure almost no false positives.
  • Includes knowledge transfer of testing techniques, issues, and remediation to customers.


Foundstone’s IVR testing methodology uses a combination of commercial tools, internally developed utilities, and manual methodical techniques to review the various potential points of security failure on an IVR system and the communication between the user and the system. Automated testing is performed using internally developed scripts that leverage the Skype API and other tools for DTMF fuzzing. Voice recognition software is used to speed up testing for English language IVR systems. Moreover, testers review the XML files and architecture diagram to identify implementation and development flaws.

At the beginning of a test, Foundstone requests the following information:

  • A toll-free phone number to access the IVR system
  • Test data such as valid account numbers, pins, and other information, as necessary
  • Voice-flow diagrams
  • XML files such as VXML/CCXML, etc.
  • Architecture diagram

Based years of experience testing IVR systems, Foundstone broadly classifies the common vulnerabilities into the following categories:

  • Sensitive information disclosure issues such as internal IP revealed, source code disclosure, and stack trace revealed
  • Username, PIN harvesting, and credit card and account number enumeration vulnerabilities
  • Application logic bypass vulnerabilities
  • Input validation vulnerabilities such as SQL injection, XPath injection, and buffer overflows
  • Brute-force attacks
  • Vishing attacks
  • Denial-of-service attacks such as account lockouts and XML parsing errors