Xiaoyu Ji,Juchuan Zhang,Shui Jiang,Jishen Li,Wenyuan Xu

DOI: https://doi.org/10.1145/3460120.3485389

2021-01-01

Abstract:Voice assistants can be manipulated by various malicious voice commands, yet existing attacks require a nearby speaker to play the attack commands. In this paper, we show that even when no speakers are available, we can play malicious commands by utilizing the capacitors inside electronic devices, i.e., we convert capacitors into speakers and call it CapSpeaker. Essentially, capacitors can emit acoustic noises due to the inverse piezoelectric effect, i.e., varying the voltage across a capacitor can make it vibrate and thus emit acoustic noises. Forcing capacitors to play malicious voice commands is challenging because (1) the frequency responses of capacitors as speakers have poor performance in the range of audible voices, and (2) we have no direct control over the voltage across capacitors to manipulate their emitting sounds. To overcome the challenges, we use a PWM-based modulation scheme to embed the malicious audio onto a high-frequency carrier, e.g., above 20 kHz, and we create malware that can induce the right voltage across the capacitors such that CapSpeaker plays the chosen malicious commands. We conducted extensive experiments with 2 LED lamps (a modified one and a commercial one) and 5 victim devices (iPhone 4s, iPad mini 5, Huawei Nova 5i, etc.). Evaluation results demonstrate that CapSpeaker is feasible at a distance up to 10.5 cm, triggering a smartphone to receive voice commands, e.g., "open the door''.

Lanqing Yang,Xinqi Chen,Xiangyong Jian,Leping Yang,Yijie Li,Qianfei Ren,Yi-Chao Chen,Guangtao Xue,Xiaoyu Ji

2023-01-01

Abstract:Speech recognition (SR) systems are used on smartphones and speakers to make inquiries, compose emails, and initiate phone calls. However, they also impose a severe security risk. Researchers have demonstrated that the introduction of certain sounds can threaten the security of SR systems. Nonetheless, most of those methods require that the attacker approach within a short distance of the victim, thereby limiting the applicability of such schemes. Other researchers have attacked SR systems remotely using peripheral devices (e.g., lasers); however, those methods require line-of-sight access and an always-on speaker in the vicinity of the victim. To the best of our knowledge, this paper presents the first-ever scheme, named SINGATTACK, in which SR systems are manipulated by human-like sounds generated in the switching mode power supply of the victim's device. The fact that attack signals are transmitted via the power grid enables long-range attacks on existing SR systems. In experiments on ten SR systems, SINGATTACK achieved Mel-Cepstral Distortion of 7.8 from an attack initiated at a distance of 23m.

Meng Xue,Kuang Peng,Xueluan Gong,Qian Zhang,Yanjiao Chen,Routing Li

DOI: https://doi.org/10.1145/3610874

2023-01-01

Abstract:Intelligent audio systems are ubiquitous in our lives, such as speech command recognition and speaker recognition. However, it is shown that deep learning-based intelligent audio systems are vulnerable to adversarial attacks. In this paper, we propose a physical adversarial attack that exploits reverberation, a natural indoor acoustic effect, to realize imperceptible, fast, and targeted black-box attacks. Unlike existing attacks that constrain the magnitude of adversarial perturbations within a fixed radius, we generate reverberation-alike perturbations that blend naturally with the original voice sample 1. Additionally, we can generate more robust adversarial examples even under over-the-air propagation by considering distortions in the physical environment. Extensive experiments are conducted using two popular intelligent audio systems in various situations, such as different room sizes, distance, and ambient noises. The results show that Echo can invade into intelligent audio systems in both digital and physical over-the-air environment.

Zhicong Zheng,Xinfeng Li,Chen Yan,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1145/3581783.3613843

2023-01-01

Abstract:Backdoor Attacks have been shown to pose significant threats to automatic speech recognition systems (ASRs). Existing success largely assumes backdoor triggering in the digital domain, or the victim will not notice the presence of triggering sounds in the physical domain. However, in practical victim-present scenarios, the over-the-air distortion of the backdoor trigger and the victim awareness raised by its audibility may invalidate such attacks. In this paper, we propose SMA, an inaudible grey-box backdoor attack that can be generalized to real-world scenarios where victims are present by exploiting both the vulnerability of microphones and neural networks. Specifically, we utilize the nonlinear effects of microphones to inject an inaudible ultrasonic trigger. To accurately characterize the microphone response to the crafted ultrasound, we construct a novel nonlinear transfer function for effective optimization. We also design optimization objectives to ensure triggers' robustness in the physical world and transferability on unseen ASR models. In practice, SMA can bypass the microphone's built-in filters and human perception, activating the implanted trigger in the ASRs inaudibly, regardless of whether the user is speaking. Extensive experiments show that the attack success rate of SMA can reach nearly 100% in the digital domain and over 85% against most microphones in the physical domains by only poisoning about 0.5% of the training audio dataset. Moreover, our attack can resist typical defense countermeasures to backdoor attacks.

Zhijian Xu,Guoming Zhang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1177/09574565211001563

2021-01-01

Noise & Vibration Worldwide

Abstract:The in-car voice controllable system has become an almost standard feature in smart cars. Prior work shows that the voice controllable system is vulnerable to light commands attack which uses the laser as the medium to inject voice commands. In this article, we first reproduced the light commands attack on acoustic isolated in-car voice controllable system under several scenarios with a lightweight solution. We validate the feasibility of injecting the malicious voice command through a window into the microphone by modulating a laser beam. Then, we tested a variety of mainstream countermeasures such as placing sunscreen film on the glass panel to see whether it can protect the microphone from being attacked. Surprisingly, we find that the lower light transmittance of sunscreen film is the lower the success rate of the attack. Experiment results also show that when the transmittance rate of sun film is 50% which is the darkest sunscreen film that can be applied, the attacking success rate decreased by up to 0.4. We also explore the impact of attack angle by changing the incidence angle of the laser beam and the results demonstrate that light commands is sensitive to attack angle and the successful angle range is ± 15°. Finally, we propose a series of hardware-based protection schemes against light commands attacks.

Yan Jiang,Xiaoyu Ji,Kai Wang,Chen Yan,Richard Mitev,Ahmad-Reza Sadeghi,Wenyuan Xu

DOI: https://doi.org/10.1109/tdsc.2023.3326181

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The security of capacitive touchscreens is crucial since they have become the primary human-machine interface on smart devices. This paper presents Marionette , the first wired attack that creates ghost touches on capacitive touchscreens via charging cables and can manipulate the victim's devices with undesired consequences, e.g., establishing malicious Bluetooth connections. Our study provides a new threat vector against touchscreens that only requires connecting to a malicious charging port, which could be a public charging station, and is effective across various USB data blockers and power adapters. Despite the fact that smartphones employ abundant noise reduction and voltage management techniques, we manage to inject carefully crafted signals that can induce ghost touches within a chosen range. The underlying principle is to inject common-mode noises over the power line to avoid being effectively filtered yet affecting the touch measurement mechanism and synchronize the malicious noise with the screen measurement scanning cycles to place the ghost touches at target locations. We achieve three types of attacks, i.e., injection, alteration, and Denial-of-Service, and the evaluation of 12 commercial electronics, 6 power adapters, and 13 charging cables demonstrate the feasibility of Marionette .

Guoming Zhang,Xiaoyu Ji,Xinfeng Li,Gang Qu,Wenyuan Xu

DOI: https://doi.org/10.14722/ndss.2021.24551

2021-01-01

Abstract:DolphinAttacks (i.e., inaudible voice commands) modulate audible voices over ultrasounds to inject malicious commands silently into voice assistants and manipulate controlled systems (e.g., doors or smart speakers). Eliminating DolphinAttacks is challenging if ever possible since it requires to modify the microphone hardware. In this paper, we design EarArray, a lightweight method that can not only detect such attacks but also identify the direction of attackers without requiring any extra hardware or hardware modification. Essentially, inaudible voice commands are modulated on ultrasounds that inherently attenuate faster than the one of audible sounds. By inspecting the command sound signals via the built-in multiple microphones on smart devices, EarArray is able to estimate the attenuation rate and thus detect the attacks. We propose a model of the propagation of audible sounds and ultrasounds from the sound source to a voice assistant, e.g., a smart speaker, and illustrate the underlying principle and its feasibility. We implemented EarArray using two specially-designed microphone arrays and our experiments show that EarArray can detect inaudible voice commands with an accuracy of 99% and recognize the direction of the attackers with an accuracy of 97.89%.

Yan Jiang,Xiaoyu Ji,Kai Wang,Chen Yan,Richard Mitev,Ahmad-Reza Sadeghi,Wenyuan Xu

DOI: https://doi.org/10.1109/sp46214.2022.9833740

2022-01-01

Abstract:The security of capacitive touchscreens is crucial since they have become the primary human-machine interface on smart devices. To the best of our knowledge, this paper presents WIGHT, the first wired attack that creates ghost touches on capacitive touchscreens via charging cables, and can manipulate the victim devices with undesired consequences, e.g., allowing malicious Bluetooth connections, accepting files with viruses, etc. Our study calls for attention to a new threat vector against touchscreens that only requires connecting to a malicious charging port, which could be a public charging station, and is effective across various power adapters and even USB data blockers. Despite the fact that smartphones employ abundant noise reduction and voltage management techniques, we manage to inject carefully crafted signals that can induce ghost touches within a chosen range. The underlying principle is to inject common-mode noises over the power line to avoid being effectively filtered yet affect the touch measurement mechanism, and synchronize the malicious noise with the screen measurement scanning cycles to place the ghost touches at target locations. We achieve three types of attacks: injection attacks that create ghost touches without users touching the screen, alteration attacks that change the detected legitimate touch position, and Denial-of-Service attacks that prevent the device from identifying legitimate touches. Our evaluation on 6 smartphones, 1 tablet, 2 standalone touchscreen panels, 6 power adapters, and 13 charging cables demonstrates the feasibility of all three type attacks.

Xiaoyu Ji,Wenyuan Xu,Guoming Zhang,Tianchen Zhang,Chen Yan,Taimin Zhang

DOI: https://doi.org/10.1109/TDSC.2019.2906165

2019-03-19

IEEE Transactions on Dependable and Secure Computing

Abstract:Voice assistants (VAs) such as Siri and Google Now have become an increasingly popular human-machine interaction method and have made various systems voice controllable. Prior work on attacking voice assistants shows that the hidden voice commands that are incomprehensible to people can control the VAs. Hidden voice commands, though ‘hidden’, are nonetheless audible. In this work, we design a completely inaudible attack, DolphinAttack, that modulates voice commands on ultrasonic carriers to achieve inaudibility. By leveraging the nonlinearity of the microphone circuits, the modulated low-frequency audio commands can be successfully demodulated, recovered, and more importantly interpreted by the voice assistants. We validate DolphinAttack on popular voice assistants, including Siri, Google Now, S Voice, HiVoice, Cortana, Alexa, etc. By injecting a sequence of inaudible voice commands, we show a few proof-of-concept attacks, which include activating Siri to initiate a FaceTime call on iPhone, activating Google Now to turn on the airplane mode, and even manipulating the navigation system in an Audi automobile. We propose hardware and software defense solutions. We validate that it is feasible to detect DolphinAttack by classifying the audios using supported vector machine (SVM), and suggest to re-design voice assistants to be resilient to inaudible voice command attacks.

Engineering,Computer Science

Tiantian Liu,Feng Lin,Zhangsen Wang,Chao Wang,Zhongjie Ba,Li Lu,Wenyao Xu,Kui Ren

DOI: https://doi.org/10.1109/sp46215.2023.10179364

2023-01-01

Abstract:An audio system containing loudspeakers and microphones is the fundamental hardware for voice-enabled devices, enabling voice interaction with mobile applications and smart homes. This paper presents MagBackdoor, the first magnetic field attack that injects malicious commands via a loudspeakerbased backdoor of the audio system, compromising the linked voice interaction system. MagBackdoor focuses on the magnetic threat on loudspeakers and manipulates their sound production stealthily. Consequently, the microphone will inevitably pick up malicious sound generated by the attacked speaker, due to the closely packed arrangement of internal audio systems. To prove the feasibility of MagBackdoor, we conduct comprehensive simulations and experiments. This study further models the mechanism by which an external magnetic field excites the sound production of loudspeakers, giving theoretical guidance to MagBackdoor. Aiming at stealthy magnetic attacks in real-world scenarios, we self-design a prototype that can emit magnetic fields modulated by voice commands. We implement MagBackdoor and evaluate it across a wide range of smart devices involving 16 smartphones, four laptops, two tablets, and three smart speakers, achieving an average 95% injection success rate with high-quality injected acoustic signals.

Xiangyu Xu,Yu Chen,Zhen Ling,Li Lu,Junzhou Luo,Xinwen Fu

DOI: https://doi.org/10.1109/infocom52122.2024.10621229

2024-01-01

Abstract:Recent years have witnessed a surge of headphones (including in-ear headphones) usage in works and communications. Because of the privacy-preserve property, people feel comfortable having confidential communication wearing headphones and pay little attention to speech leakage. In this paper, we present an end-to-end eavesdropping system, mmEar, which shows the feasibility of launching an eavesdropping attack on headphones leveraging a commercial mmWave radar. Different from previous works that realize eavesdropping by sensing speech-induced vibrations with reasonable amplitude, mmEar focuses on capturing the extremely faint vibrations with a low signal-to-noise ratio (SNR) on the surface of headphones. Toward this end, we propose a faint vibration emphasis (FVE) method that models and amplifies the mmWave responses to speech-induced vibrations on the In-phase and Quadrature (IQ) plane, followed by a deep denoising network to further improve the SNR. To achieve practical eavesdropping on various headphones and setups, we propose a cGAN model with a pretrain-finetune scheme, boosting the generalization ability and robustness of the attack by generating high-quality synthesis data. We evaluate mmEar with extensive experiments on different headphones and earphones and find that most of them can be compromised by the proposed attack for speech recovery.

Ryo Iijima,Shota Minami,Yunao Zhou,Tatsuya Takehisa,Takeshi Takahashi,Yasuhiro Oikawa,Tatsuya Mori

DOI: https://doi.org/10.1109/tetc.2019.2953041

2021-10-01

IEEE Transactions on Emerging Topics in Computing

Abstract:We propose a novel attack, called an "Audio Hotspot Attack," which performs an inaudible malicious voice command attack, by targeting voice assistance systems, e.g., smart speakers or in-car navigation systems. The key idea of the approach is to leverage directional sound beams generated from parametric loudspeakers, which emit amplitude-modulated ultrasounds that will be self-demodulated in the air. Our work goes beyond the previous studies of inaudible voice command attack in the following three aspects: (1) the attack can succeed on a long distance (3.5 meters in a small room, and 12 meters in a long hallway), (2) it can control the spot of the audible area by using two directional sound beams, which consist of a carrier wave and a sideband wave, and (3) the proposed attack leverages a physical phenomenon i.e., non-linearity in the air, to attack voice assistance systems. To evaluate the feasibility of the attack, we performed extensive in-lab experiments and a user study involving 20 participants. The results demonstrated that the attack was feasible in a real-world setting. We discussed the extent of the threat, as well as the possible countermeasures against the attack.

computer science, information systems,telecommunications

Takeshi Sugawara,Benjamin Cyr,Sara Rampazzi,Daniel Genkin,Kevin Fu

DOI: https://doi.org/10.48550/arXiv.2006.11946

2020-06-22

Abstract:We propose a new class of signal injection attacks on microphones by physically converting light to sound. We show how an attacker can inject arbitrary audio signals to a target microphone by aiming an amplitude-modulated light at the microphone's aperture. We then proceed to show how this effect leads to a remote voice-command injection attack on voice-controllable systems. Examining various products that use Amazon's Alexa, Apple's Siri, Facebook's Portal, and Google Assistant, we show how to use light to obtain control over these devices at distances up to 110 meters and from two separate buildings. Next, we show that user authentication on these devices is often lacking, allowing the attacker to use light-injected voice commands to unlock the target's smartlock-protected front doors, open garage doors, shop on e-commerce websites at the target's expense, or even unlock and start various vehicles connected to the target's Google account (e.g., Tesla and Ford). Finally, we conclude with possible software and hardware defenses against our attacks.

Cryptography and Security

Payton Walker,Tianfang Zhang,Cong Shi,Nitesh Saxena,Yingying Chen

DOI: https://doi.org/10.48550/arXiv.2302.02042

2023-02-04

Cryptography and Security

Abstract:The growing adoption of voice-enabled devices (e.g., smart speakers), particularly in smart home environments, has introduced many security vulnerabilities that pose significant threats to users' privacy and safety. When multiple devices are connected to a voice assistant, an attacker can cause serious damage if they can gain control of these devices. We ask where and how can an attacker issue clean voice commands stealthily across a physical barrier, and perform the first academic measurement study of this nature on the command injection attack. We present the BarrierBypass attack that can be launched against three different barrier-based scenarios termed across-door, across-window, and across-wall. We conduct a broad set of experiments to observe the command injection attack success rates for multiple speaker samples (TTS and live human recorded) at different command audio volumes (65, 75, 85 dB), and smart speaker locations (0.1-4.0m from barrier). Against Amazon Echo Dot 2, BarrierBypass is able to achieve 100% wake word and command injection success for the across-wall and across-window attacks, and for the across-door attack (up to 2 meters). At 4 meters for the across-door attack, BarrierBypass can achieve 90% and 80% injection accuracy for the wake word and command, respectively. Against Google Home mini BarrierBypass is able to achieve 100% wake word injection accuracy for all attack scenarios. For command injection BarrierBypass can achieve 100% accuracy for all the three barrier settings (up to 2 meters). For the across-door attack at 4 meters, BarrierBypass can achieve 80% command injection accuracy. Further, our demonstration using drones yielded high command injection success, up to 100%. Overall, our results demonstrate the potentially devastating nature of this vulnerability to control a user's device from outside of the device's physical space.

Guoming Zhang,Yan Chen,Xiaoyu Ji,Tianchen Zhang,Taimin Zhang,Wenyuan Xu

DOI: https://doi.org/10.1145/3133956.3134052

2017-01-01

Abstract:Speech recognition (SR) systems such as Siri or Google Now have become an increasingly popular human-computer interaction method, and have turned various systems into voice controllable systems (VCS). Prior work on attacking VCS shows that the hidden voice commands that are incomprehensible to people can control the systems. Hidden voice commands, though "hidden", are nonetheless audible. In this work, we design a totally inaudible attack, DolphinAttack, that modulates voice commands on ultrasonic carriers (e.g., f > 20 kHz) to achieve inaudibility. By leveraging the nonlinearity of the microphone circuits, the modulated low-frequency audio commands can be successfully demodulated, recovered, and more importantly interpreted by the speech recognition systems. We validated DolphinAttack on popular speech recognition systems, including Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Alexa. By injecting a sequence of inaudible voice commands, we show a few proof-of-concept attacks, which include activating Siri to initiate a FaceTime call on iPhone, activating Google Now to switch the phone to the airplane mode, and even manipulating the navigation system in an Audi automobile. We propose hardware and software defense solutions, and suggest to re-design voice controllable systems to be resilient to inaudible voice command attacks.

Hetian Shi,Yi He,Qing Wang,Jianwei Zhuge,Qi Li,Xin Liu

DOI: https://doi.org/10.46586/tches.v2024.i2.654-676

2024-01-01

Abstract:Voice-controlled (VC) systems, such as mobile phones and smart speakers, enable users to operate smart devices through voice commands. Previous works (e.g., LightCommands) show that attackers can trigger VC systems to respond to various audio commands by injecting light signals. However, LightCommands only discusses attacks on devices with a single microphone, while new devices typically use microphone arrays with sensor fusion technology for better capturing sound from different distances. By replicating LightCommands’s experiments on the new devices, we find that simply extending the light scope (just as they do) to overlap multiple microphone apertures is inadequate to wake up the device with sensor fusion. Adapting LightCommands’s approach to microphone arrays is challenging due to their requirement for multiple sound amplifiers, and each amplifier requires an independent power driver with unique settings. The number of additional devices increases with the microphone aperture count, significantly increasing the complexity of implementing and deploying the attack equipment. With a growing number of devices adopting sensor fusion to distinguish the sound location, it is essential to propose new approaches to adapting the light injection attacks to these new devices. To address these problems, we propose a lightweight microphone array laser injection solution called LCMA (Laser Commands for Microphone Array), which can use a single laser controller to manipulate multiple laser points and simultaneously target all the apertures of a microphone array and input light waves at different frequencies. Our key design is to propose a new PWM (Pulse Width Modulation) based control signal algorithm that can be implemented on a single MCU and directly control multiple lasers via different PWM output channels. Moreover, LCMA can be remotely configured via BLE (Bluetooth Low Energy). These features allow our solution to be deployed on a drone to covertly attack the targets hidden inside the building. Using LCMA, we successfully attack 29 devices. The experiment results show that LCMA is robust on the newest devices such as the iPhone 15, and the control panel of the Tesla Model Y.

Guoming Zhang,Chen Yan,Xiaoyu Ji,Taimin Zhang,Tianchen Zhang,Wenyuan Xu

DOI: https://doi.org/10.48550/arXiv.1708.09537

2017-08-31

Cryptography and Security

Abstract:Speech recognition (SR) systems such as Siri or Google Now have become an increasingly popular human-computer interaction method, and have turned various systems into voice controllable systems(VCS). Prior work on attacking VCS shows that the hidden voice commands that are incomprehensible to people can control the systems. Hidden voice commands, though hidden, are nonetheless audible. In this work, we design a completely inaudible attack, DolphinAttack, that modulates voice commands on ultrasonic carriers (e.g., f > 20 kHz) to achieve inaudibility. By leveraging the nonlinearity of the microphone circuits, the modulated low frequency audio commands can be successfully demodulated, recovered, and more importantly interpreted by the speech recognition systems. We validate DolphinAttack on popular speech recognition systems, including Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Alexa. By injecting a sequence of inaudible voice commands, we show a few proof-of-concept attacks, which include activating Siri to initiate a FaceTime call on iPhone, activating Google Now to switch the phone to the airplane mode, and even manipulating the navigation system in an Audi automobile. We propose hardware and software defense solutions. We validate that it is feasible to detect DolphinAttack by classifying the audios using supported vector machine (SVM), and suggest to re-design voice controllable systems to be resilient to inaudible voice command attacks.

Bang Tran,Shenhui Pan,Xiaohui Liang,Honggang Zhang

DOI: https://doi.org/10.1109/icc42927.2021.9500792

2021-01-01

Abstract:Voice Assistant System (VAS) provides a convenient way for users to interact with smart-home devices via a voice interface. However, it raises unique security issues, including voice replay and injection attacks, where attackers remotely and maliciously control the smart-home devices via a voice interface. In this paper, we consider a typical smart-home scenario in which a VAS device and a compromised speaker device are placed in close physical proximity. The attacker can remotely play malicious voice commands through the speaker device to manipulate the VAS device for malicious purposes. We propose a defense system on the VAS device to secure the VAS device against both voice replay and injection attacks, without any additional devices and without any extra user effort. Specifically, our system aims to collect voice data and wireless data continuously from the VAS device and then extracts the Mel-Cepstral Frequency Coefficients (MFCC) features from voice and wireless data. We consider that both voice and wireless data are affected by the same present users’ physical activities, and the correlation can be used to detect the attacks. Finally, our system applies a deep learning model that learns from previous time-series data and analyzes real-time data to infer whether the real-time voice command is generated from a user or the speaker device. We have tested our system in certain real-world smart-home scenarios. Our experiments showed that the proposed system has a probability between 76.4% to 89.1% to successfully detect the voice replay and injection attacks in the considered scenarios.

Lei Zhang,Yan Meng,Jiahao Yu,Chong Xiang,Brandon Falk,Haojin Zhu

DOI: https://doi.org/10.1109/infocom41043.2020.9155483

2020-07-01

Abstract:The advancement of voice controllable systems (VC-Ses) has dramatically affected our daily lifestyle and catalyzed the smart home’s deployment. Currently, most VCSes exploit automatic speaker verification (ASV) to prevent various voice attacks (e.g., replay attack). In this study, we present VMask, a novel and practical voiceprint mimicry attack that could fool ASV in smart home and inject the malicious voice command disguised as a legitimate user. The key observation behind VMask is that the deep learning models utilized by ASV are vulnerable to the subtle perturbations in the voice input space. To generate these subtle perturbations, VMask leverages the idea of adversarial examples. Then by adding the subtle perturbations to the recordings from an arbitrary speaker, VMask can mislead the ASV into classifying the crafted speech samples, which mirror the former speaker for human, as the targeted victim. Moreover, psychoacoustic masking is employed to manipulate the adversarial perturbations under human perception threshold, thus making victim unaware of ongoing attacks. We validate the effectiveness of VMask by performing comprehensive experiments on both grey box (VGGVox) and black box (Microsoft Azure Speaker Verification) ASVs. Additionally, a real-world case study on Apple HomeKit proves the VMask’s practicability on smart home platforms.

Rongjunchen Zhang,Xiao Chen,Jianchao Lu,Sheng Wen,Surya Nepal,Yang Xiang

DOI: https://doi.org/10.48550/arXiv.1805.06187

2018-05-16

Abstract:Intelligent Personal Assistant (IA), also known as Voice Assistant (VA), has become increasingly popular as a human-computer interaction mechanism. Most smartphones have built-in voice assistants that are granted high privilege, which is able to access system resources and private information. Thus, once the voice assistants are exploited by attackers, they become the stepping stones for the attackers to hack into the smartphones. Prior work shows that the voice assistant can be activated by inter-component communication mechanism, through an official Android API. However, this attack method is only effective on Google Assistant, which is the official voice assistant developed by Google. Voice assistants in other operating systems, even custom Android systems, cannot be activated by this mechanism. Prior work also shows that the attacking voice commands can be inaudible, but it requires additional instruments to launch the attack, making it unrealistic for real-world attack. We propose an attacking framework, which records the activation voice of the user, and launch the attack by playing the activation voice and attack commands via the built-in speaker. An intelligent stealthy module is designed to decide on the suitable occasion to launch the attack, preventing the attack being noticed by the user. We demonstrate proof-of-concept attacks on Google Assistant, showing the feasibility and stealthiness of the proposed attack scheme. We suggest to revise the activation logic of voice assistant to be resilient to the speaker based attack.

Cryptography and Security,Computers and Society