Intercom Hack Demo - DTMF tones injection 

Here's what's happening: (Long-ish read) In some buildings, you must select the party you're visiting on a directory system before the door or elevator will function. Once selected, the system calls the person in charge at the business or apartment and they're in charge of either telling you to go away (lol) or letting you in (some places call it "buzzing you in") by pressing a button or a combination of buttons on thier phone. The system "hears" the tones that the phone makes when those buttons are pressed (the same way the switch at the phone company hears them when you dial a number from your home phone and knows what numbers you pressed.) Since the audio is going in both directions like any other phone call, and since the system has no way of telling which side the tones are coming from, the person in the video is able to play a recording of those tones into the microphone, fooling the system into thinking that the owner pressed the proper buttons to allow the guest in. As a result, it granted them access. I'm sorry this was such a long explanation--I'm a telecom guy and I love phone stuff. I hope I was able to clear things up for you! -KC

@@NortelGeek Thanks for the explanation. That's pretty much it I guess.

@Aslan This is similar to IVR systems you hear from banks or government agencies automated telephone service. You call in, and the automated machine tells you to "Press 1 for English...press 2 for...". Those are DTMF tones. Pressing 1 and # (long press, not possible on most mobile phones) grants access to the attacker.

@@breaktoprotect1735 Sure thing! :) Glad to see videos like yours.

It uses standard telephone tones. I was trying to call my own unit, and I didn't pick it so it went straight to voice mail, and then proceed on to the 'dead' tone (probably not the right term). If you try calling someone on the landline, you should expect the same tones when the person hang up after talking to you or exit a voice mail message. Most people don't use landline these days, and from this question, you're likely born after 1995. =D Thanks for watching. Keep safe!

when above is applied, the only hacking way is to play that loud DTMF sound near unit target location.

Yeah just deactivate DTMF from the microphone source

@Picadilli Bingo. To be more specific, disable parsing of any tone from speakers as @nuttapong mentioned. I suspect there are more similar systems out there that uses DTMF tones for instructions.

Well, according to the advisory, Fermax acknowledged it, fixed it and granted permission to the author to publish this. Why would a company admit the security issue if it was fake, let alone allowing publishing of potentially brand damaging content?

Are you familiar with US gov NIST? nvd.nist.gov/vuln/detail/CVE-2017-16778