ABSTRACT
Voice-controlled interfaces have vastly improved the usability of many devices (e.g., headless IoT systems). Unfortunately, the lack of authentication for these interfaces has also introduced command injection vulnerabilities: whether via compromised IoT devices, television ads or simply malicious nearby neighbors, causing such devices to perform unauthenticated sensitive commands is relatively easy. We address these weaknesses with Two Microphone Authentication (2MA), which takes advantage of the presence of multiple ambient and personal devices operating in the same area. We develop an embodiment of 2MA that combines approximate localization through Direction of Arrival (DOA) techniques with Robust Audio Hashes (RSHs). Our results show that our 2MA system can localize a source to within a narrow physical cone ($<30^\circ$) with zero false positives, eliminate replay attacks and prevent the injection of inaudible/hidden commands. As such, we dramatically increase the difficulty for an adversary to carry out such attacks and demonstrate that 2MA is an effective means of authenticating and localizing voice commands.
Index Terms
- 2MA: Verifying Voice Commands via Two Microphone Authentication