This is a guest post from Graeme Neilson
Reverse engineering is generally thought of as using debuggers, disassemblers and hex editors. Much as I love hex editors, IDA and staring at opcodes for the last few years I have been focused on applying my reverse engineering methodology to larger, composed systems. At Troopers TelcoSec day this year I will be presenting Bluevoxing which demonstrates how this approach works. Bluevoxing is about reverse engineering how web based “audio one time password” systems work. Simply put audio one time password systems use a short audio file as an authentication token. When I discovered these systems I was intrigued as reversing them would involve a range of techniques and tools from web testing, audio tools, signal analysis, phreaking and cryptanalysis. The disassembler would be of no use instead I would have to employ audio tools such as audacity and ruby-processing.
My methodology was:
- collect a large sample set of audio one time passwords
- extract the raw audio file from the samples
- somehow convert the audio file into a number…
- analyse the numbers…