June 6, 2017 -
A new study by the University of Buffalo’s (UB) School of Engineering and Applied Sciences has found that voice-based smartphone apps such as Siri and WeChat can expose make you vulnerable to the growing security threat of voice hacking, according to a report on Phys.Org.
Using only a few minutes of audio samples, attackers can replay your voice convincingly enough to trick people and advanced digital security systems to steal money from your bank account.
A UB team of engineers have used a few tools already on smartphones, including the compass, to develop a prototype app that has proved highly accurate in blocking machine-based voice impersonation attacks.
The team will present the study this week in Atlanta at the Electrical and Electronic Engineers’ 37th International Conference on Distributed Computing Systems.
“Every aspect of your life is now on your phone. That is your security hub. It is really critical now,” said Kui Ren, PhD, director of the Ubiquitous Security and Privacy Research Laboratory (UbiSeC) at UB, and one of the study’s lead authors. “Hackers are out there, more than you can imagine. There is a whole underground grey market to sell your password and your personal information.”
Ren said the most effective way to protect your cellphone is to use “multiple lines of defense” for greater “depth”.
Voice recognition could become a more common security tool because more Internet-connected devices are being developed that do not have keypads, he said.
“With the Internet of things, what is a security interface? It is not like the phone. There is often no touchscreen or keypad so voice authentication may be useful,” Ren said.
The study, which Ren co-authored with former PhD student Si Chen and assistant professor at West Chester University of Pennsylvania, has been awarded the ‘Best Student Paper Award’ at the conference.
There are multiple forms of voice recognition attacks including synthesizing the person’s voice, which are detectable by existing algorithms; and a human imitating a voice, which existing technology can detect.
The third method replays a person’s actual voice, making it far more difficult to detect as it must be broadcast on a speaker — which has magnetic fields.
The UB team’s prototype system uses the magnetometer in a phone, which is used for the device’s compass, to detect a magnetic field.
The system also uses the phone’s trajectory mapping algorithm to calculate the distance between the speaker and the phone.
This method requires a user to be in close proximity to the phone when speaking to ensure that the individual using a replay of a voice over a mechanical speaker is close enough that the magnetic field can be detected.
The system requires that the phone is in motion when the voice recognition is being used. This is due to the magnetic field changing when a replayed voice is moved, which the phone can detect.
The team plans to improve the system and eventually make it available as an app.
“We cannot decide if voice authentication will be pervasive in the future. It might be. We’re already seeing the increasing trend,” Ren said. “And if that is the case, we have to defend against voice replay attacks. Otherwise, voice authentication cannot be secure.”