The Spoof

Can we spoof a good Voice Biometrics Engine recording the owner’s voice? No, if it is a secure engine. But many engines in the market are easily spoofed.

We have seen how soon a team in Germany was able to spoof the Apple Touch ID. We must admit that the spoof is quite complicated and does not create any serious problems for the normal user of iPhone 5S. We should expect a lot of these as soon as Voice ID becomes a real alternative for device authentication. Are we ready?
Voice Biometrics has a bad reputation regarding spoofing. In Hollywood, you will probably remember this sequence of the movie “The Bourne Ultimatum”, where it is shown how “easy” is to spoof the voice protection of a CIA agent secure safe vault. Bourne just records the agent voice and replays it in front of the vault. That’s all.
In Wikipedia, if you search for Voice Biometrics you will find a reference to this link, where In a live radio emission, a customer of Bell Canada got his voice recorded. Afterwards the interviewer could enter in the customer account, protected by a weak  Voice Biometrics technology (go to minute 4:55 of the recorded session) just doing a cut and paste generating the pass phrase. Interestingly there is nothing equivalent in the face recognition page, while it is much easier to spoof.
If you go to any social media, radio or TV dealing with VB the first question is: What if I recorded your voice, will I be able to enter?
Is it so easy? No and yes. The good news is that new generation VB Engines, such as the one of AGNITIO, has a built-in strong replay attack protection. A white paper on the subject can be requested from our sales team.  Our engine can detect recordings with a powerful and flexible filter that is updated periodically. It is like an Anti-Virus protection. You need to be updated periodically because the bad guys are always finding new ways to attack. But a good anti spoofing protection will be ahead of them and send you the latest updated filters.
The bad news is that many real life implementations with weak VB engines lack of any protection. In those cases what they try to do is what is known as “aliveness detection”. In most of the cases is a useless step, but it seems to calm the non-expert. Let me explain why. 
In one well-known implementation the user is requested to repeat a random number. Voiceprint is created with utterances of all digits. The user “has to be there” to respond. We in AGNITIO used to use that long time ago (see this old  video) but very soon we found it useless. If you have the recorded audio of the digits you can easily download a Sound board App from internet, assign one digit utterance to each number key in your keyboard and generate any random number in real time. We have spoofed several real life implementations with this easy trick.
In other implementations, after the fix phrase is requested, the user is asked to repeat a random phrase, which is different each time. In all cases tested by us, if anyone repeats the random phrase the system will approve. Yes, it is a liveness detection, but anyone can be there alive. No VB check is done in the random phrase, making it useless if you have the recording of the fix phrase.
To avoid nasty surprises after you build your Authentication solution, you should test the anti spoofing protection of the engine. It might not be a big security issue, but it will be a reputation risk. You do not want to see your solution being spoofed in You Tube by a pair of kids, do you?

Posted by Emilio Martinez, CEO
Post a Comment


Enter the characters shown in the image.