Quantifying the Breakability of Voice Assistants
Conference Paper
Overview
abstract
In this paper, we present a thorough study of voice impersonation attacks that can compromise the security of voice authentication technology deployed in several popular, state-of-the-art Android and iOS apps. Our study is based on our formulated Sneakers attack system that comprises a variety of well-known as well as newly designed attacks: (1) recorded and replayed voice of the authorized user (replay attack); (2) reordered and played-back voice of the authorized user (reorder attack); and (3) synthesized voice generated, based on voice conversion techniques, using an unauthorized user's voice (standard conversion attack), or using a noise-free recording from a text-to-speech engine (TTS conversion attack). Taking Sneakers as a basis, we report on a carefully designed study to examine a variety of real-world voice authentication apps for their vulnerability against malicious authentication. Our study follows a two-phase methodology. In the preliminary phase, we analyze 8 popular mobile apps against standard simplistic attack setups. Our results show that, while the tested apps seem to resist the reorder attack and the standard conversion attack, they are highly vulnerable to the replay attack. In the main phase of the study, we comprehensively assess 5 of the above apps against more advanced newly designed attack setups. As in the preliminary phase, the apps prove to be highly vulnerable to the replay attack. More seriously, the apps also turn out to be highly insecure against our advanced attack setups, i.e., the reorder attack with coordinated timing and the TTS conversion attack, yielding success rates of 82%-98%. These malicious authentication measurement results are highly pertinent in practice because we demonstrate that the apps generally work well in the benign authentication scenario to reliably "accept" an authorized user and "reject" an unauthorized user.
Our work shows that many standard attacks that prior work demonstrated to be effective against standalone voice authentication algorithms do not work against current voice authentication apps. Yet, our new attack designs could still compromise these apps. Overall, our work highlights a serious vulnerability of real-world voice authentication apps, which seems very challenging to mitigate at a fundamental level.
name of conference
2019 IEEE International Conference on Pervasive Computing and Communications (PerCom