Attackers can break voice authentication with up to 99% success within six tries: Study by University of Waterloo
The Vulnerabilities of Voice Authentication
Voice authentication, a technology that allows companies to verify the identity of their clients through a unique “voiceprint,” has become increasingly popular in various security-critical scenarios such as remote banking and call centers. However, a recent study conducted by computer scientists at the University of Waterloo has found that voice authentication systems can be easily bypassed by attackers with a success rate of up to 99% after only six attempts.
When enrolling in voice authentication, users are typically asked to repeat a specific phrase in their own voice. The system then extracts a vocal signature, known as a voiceprint, from the provided phrase and stores it on a server. Subsequently, during authentication attempts, users are prompted to repeat a different phrase, and the system compares the extracted features from the new phrase to the stored voiceprint to grant or deny access.
The Rise of Deepfake Technology
The concept of voiceprints was introduced as a unique identifier for individuals, but unfortunately, malicious actors quickly realized the potential of using “deepfake” software to generate convincing copies of a victim’s voice. These deepfake voices can be created using as little as five minutes of recorded audio, posing a significant threat to voice authentication systems.
In response, developers introduced “spoofing countermeasures” that could examine speech samples and determine whether they were created by humans or machines. However, the researchers at the University of Waterloo have developed a method that evades these spoofing countermeasures, allowing attackers to fool most voice authentication systems within only six attempts.
The researchers identified specific markers in deepfake audio that distinguish it from authentic voices and then developed a program that removes these markers, making the deepfake audio indistinguishable from genuine recordings. In tests against Amazon Connect’s voice authentication system, the researchers achieved a 10% success rate in a four-second attack, which increased to over 40% within 30 seconds. With less sophisticated voice authentication systems, they achieved a staggering 99% success rate after just six attempts.
The Flaws in Voice Authentication Systems
The lead author of the study, Andre Kassis, emphasizes that while voice authentication provides additional security compared to no authentication at all, the existing spoofing countermeasures are fundamentally flawed. Kassis points out that the only way to create a truly secure system is to think like an attacker. Without taking an adversarial mindset, security measures will always be vulnerable to exploitation.
Kassis’s supervisor, computer science professor Urs Hengartner, echoes this sentiment, stating that companies relying solely on voice authentication as their primary authentication factor should consider deploying additional or stronger authentication measures. The research conducted by Kassis and Dr. Hengartner underscores the inherent insecurity of relying solely on voice authentication and highlights the urgent need for more robust security measures.
The Need for Additional Authentication Measures
The study conducted by the University of Waterloo researchers sheds light on the vulnerabilities of voice authentication systems and carries significant implications for the future of authentication technology. Voice authentication, while convenient, cannot be solely relied upon as a foolproof method of identity verification.
To enhance security, companies should consider implementing multi-factor authentication, combining voice authentication with other factors such as biometrics (e.g., fingerprint or face recognition) or secondary authentication factors (e.g., one-time passwords or hardware tokens). By employing a layered approach to authentication, organizations can mitigate the risks associated with voice authentication vulnerabilities and ensure a higher level of security for their customers.
The Importance of Constantly Evolving Security Measures
The findings of the University of Waterloo study also highlight the need for constant vigilance in the face of evolving threats. As technology advances, so too do the methods and capabilities of attackers. Developers and security professionals must remain proactive in identifying potential vulnerabilities and adapting security measures accordingly.
While voice authentication is undoubtedly a valuable tool in the realm of identity verification, it should not be treated as a standalone solution. By embracing a mindset rooted in constant adaptation and innovation, companies can stay one step ahead of attackers and safeguard their customers’ sensitive data.
Sources:
- Breaking Security-Critical Voice Authentication, 2023 IEEE Symposium on Security and Privacy (SP). DOI: 10.1109/SP46215.2023.00139
- University of Waterloo – https://uwaterloo.ca/
- TechXplore – https://techxplore.com/news/2023-06-voice-authentication-success.html
<< photo by cottonbro studio >>
The image is for illustrative purposes only and does not depict the actual situation.
You might want to read !
- The Costly Consequences: Examining the Fallout of the Recent Pilot Applicant Data Breach
- Fortinet’s FortiNAC Vulnerability: Unmasking Networks to Lethal Code Execution Attacks
- China’s ‘Volt Typhoon’ APT: Analyzing the Expanding Threat Landscape
- The Impact of Cyberattack on Suncor: A Blow to Canadian Gas Stations
- The Great Leak: Genworth Financial Exposes 2.7M SSNs in Data Breach
- Law Firms Under Siege: The Rise of Ransomware and Cyberattacks
- Sumsub Unveils Cutting-Edge AI Tool to Combat Deepfake Threats
- The Vulnerabilities of Gmail’s Blue Check Verification System
- Passkeys Gain Momentum as Pilot Programs Launch
- The Rise of Social Engineering: A Deep Dive into the $50B Global BEC Losses
- Beware of Fake Reservation Links Targeting Exhausted Travelers