The era of voice-controlled technology has officially arrived, but with its many convenient advantages have come some serious drawbacks.
While it’s certainly a time-saver to voice-unlock a phone without having to put down the groceries, it also opens a potentially wide new avenue for hackers, thieves, and nosy spouses. The phrase “OK Google” is not hard to guess, after all, and most people aren’t constantly vigilant to make sure their voice is not being recorded.
Now, a collaborative study published this week by American and Chinese researchers has a solution that rests on a component already found in every smartphone on the market: a compass.
“Every aspect of your life is now on your phone,” says Kui Ren, Ph.D., director of the Ubiquitous Security and Privacy Research Laboratory at the University of Buffalo, and one of the study’s lead authors. “That is your security hub. It is really critical now.”
Ren and his team are working to put their research into an app that will be released soon.
The basic premise of the research is simple: speakers produce sounds in different ways than a person’s voice box, and so even in the case of a high-quality speaker playing a high-quality recording, it ought to be possible to tell the difference.
It’s All About Magnets
This team realized that the biggest difference between ripples in air caused by speaker diaphragms versus human diaphragms is in the fact that speakers create air-ripples by turning a magnet on and off, while human beings… don’t. The presence or absence of the characteristic magnetic field can therefore be used as an indicator of whether the sound is coming from an artificial source. The magnetometer in every smartphone compass will do just fine at detecting that.
Since this approach looks to the source of the recording, rather than the quality of the recording, it works whether the attempted forgery is the product of an algorithm cobbling your syllables together into something new, or a direct recording of your voice saying the passphrase.
The approach is a little bit limited right now, since it requires the phone be close to the audio source, and that one or the other move a bit during playback to create a changing magnetic field. Still, with just a bit of work this technology could soon prevent the sort of hacking seen below.
There’s an indisputable need for a solution like this. The Infosec Institute reviewed the security of consumer smartphone voice security systems in 2015, finding that “any automated user authentication system that uses voice recognition technologies is vulnerable to voice impersonation attacks.”
University of Alabama security researcher Nitesh Saxena has said that “just a few minutes’ worth of audio [of] a victim’s voice would lead to the cloning of the victim’s voice itself.”
In the less than two years since Saxena said that, the amount of audio required has dipped below a single minute.
Compass security could be extra useful when used together with other advanced security features, like VAuth, which checks incoming voice commands against vibrations in the user’s body to make sure the sounds are actually coming out of them.
There seems to be an understanding that pure capture and manipulation of audio is getting too good too fast, and that researchers have to give up on detecting fakes through direct analysis of the recording. Rather, more creative attacks must breed more creative security.
“Hackers are out there, more than you can imagine,” says Ren, the University of Buffalo-based researcher. “There is a whole underground gray market to sell your password and your personal information.”
With so much advanced technology all around us, it turns out that most people might actually own those solutions already.