Securing Voice Computing Interfaces

The least secure computing interface in my home is my Amazon Alexa. It is deeply tied to my Amazon account, but despite that it sits quietly on my kitchen counter where anyone can talk to it. While the device is uniquely associated with me, and my profile, it is used by everybody—family and visitors alike.

This is a problem with many, perhaps even most, connected devices in the home these days. While they’re physically accessible by anybody, they’re usually uniquely tied to an individual. Voice computing interfaces are particularly vulnerable, and properly securing them is an almost impossible job because your voice is recordable and reproducible.

What is needed is some sort of two-factor authentication for your voice, which is where recent work around wearable security tokens undertaken at the University of Michigan may well come in.

Kang Shin demonstrates VAuth, a wearable voice authentication device. (📷: Joseph Xu)

Two-factor authentication means that you need two, separate, independent methods to verify your identity. Instead of just a password, you need a password and another time-dependent token generated when you attempt to log in. The something you know, the password, and something you have, a phone or a keyfob, that generates the time-dependent token.

The solution that Kang Shin, Professor of Electrical Engineering and Computer Science at the University of Michigan, and his team have come up with is a wearable device—called VAuth—that measures the vibrations created as the wearer speaks. An algorithm then compares those vibrations with the audio signal received by the digital assistant, if they match then the voice command is ‘authorised.’ If not, then the assistant is blocked from responding.

Like the keyfob that generates the time-dependent password of a traditional two-factor authentication, VAuth is the something you have rather than the something you are. Although unlike traditional two-factor authentication the lines are somewhat more blurred, and there is still some chance of false positives. It is however a dramatic improvement over no security.

The team tested VAuth with 18 users and 30 voice commands. It achieved a 97-percent detection accuracy and less than 0.1 percent false positive rate, regardless of its position on the body and the user’s language, accent or even mobility. The researchers say it also successfully thwarts various practical attacks, such as replay attacks, mangled voice attacks or impersonation attacks.

If you’re interested in the work done by Shin and his team at the University of Michigan, a paper on VAuth entitled “Continuous Authentication for Voice Assistants” was presented last week at the International Conference on Mobile Computing and Networking, in Snowbird, Utah.

--

--

--

Scientist, Author, Hacker, Maker, and Journalist.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Top 25 Clickjacking Bug Bounty Reports

How to explain BRO programming to My mom?

Digital Destruction of Human Rights

About $JAM IDO participation Tutorial

TryHackme — Git Happens Writeup

{UPDATE} 1940's Mafia Shootout Hack Free Resources Generator

#AMA CryptoBots X MetaDAO

Hardening the OCI Terraform provider authentication security

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alasdair Allan

Alasdair Allan

Scientist, Author, Hacker, Maker, and Journalist.

More from Medium

What is Eraser: The Dynamic Data Race Detection Tool?

E-Mobility Fundamentals — Smart Charging

Lessons on Productivity, Efficiency, and Time Management from Computer Architecture.

Number Theory in Cryptography