DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... ·...
Transcript of DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... ·...
![Page 1: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/1.jpg)
DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDS
Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin Zhang, and Wenyuan Xu Zhejiang University
![Page 2: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/2.jpg)
BACKGROUND- DOLPHIN ATTACK
An approach to inject inaudible voice commands at VCS by exploiting the ultrasound channel (i.e., f > 20 kHz) and the vulnerability of the underlying audio hardware
2
![Page 3: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/3.jpg)
BACKGROUND SPEECH RECOGNITION
• Allows machines or programs to identify spoken words and convert them into machine-readable formats
• It has become an increasingly popular human-computer interaction mechanism because of its accessibility, efficiency, and recent advances in recognition accuracy
3
![Page 4: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/4.jpg)
BACKGROUND - VCS
• Voice Controllable System
• Speech recognition combined with a system
Apple iPhone – Siri
Amazon Echo – Alexa
4
![Page 5: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/5.jpg)
VOICE CONTROLLABLE SYSTEM
5
![Page 6: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/6.jpg)
ATTACKS ON VCS
• Visiting a malicious site
• Drive-by-download attack
• Exploit device with 0-day vulnerabilities
• Spying
• Initiate video/phone calls to gain visual/sound of device surroundings
6
![Page 7: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/7.jpg)
ATTACKS ON VCS
• Injecting fake information
• Inject command to send fake texts/emails
• Publish fake posts
• Add fake events in calendar
• Denial of service
• Airplane mode
• Concealing attacks
• Dimming screen and lowering volume
7
![Page 8: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/8.jpg)
BACKGROUND - MICROPHONE
• Voice capture system that converts airborne acoustic waves to electrical signals
• Two main types
• Electret Condenser Microphone (ECMs)
• Micro Electro Mechanical System (MEMS)
8
![Page 9: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/9.jpg)
BACKGROUND SOUND WAVES
• Human audible
• 20 Hz < f <20 kHz
• Ultrasonic
• f > 20 kHz
9
![Page 10: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/10.jpg)
THREAT MODEL
• No target device access
• No owner interaction
• In vicinity, but not in use and draw no attention
• Inaudible voice commands will be used
• Ultrasounds
• Attacking equipment
• Speaker to transmit ultrasound
• Speaker is in the vicinity of target device
10
![Page 11: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/11.jpg)
FEASIBILITY ANALYSIS
• The fundamental idea of DolphinAttack
• To modulate the low-frequency voice signal (i.e., baseband) on an ultrasonic carrier before transmitting it over the air
• To demodulate the modulated voice signals with the voice capture hardware (VCH) at the receiver
• No control over VCH so modulated signals must be crafted so that it can be demodulated to the baseband signal using the VCH
11
![Page 12: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/12.jpg)
FEASIBILITY ANALYSIS
12
![Page 13: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/13.jpg)
FEASIBILITY ANALYSIS EXPERIMENTAL SETUP
13
![Page 14: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/14.jpg)
ATTACK DESIGN
• Case Study – Siri
• Siri Activation
• “Hey Siri” – in the tone of the user it is trained for
• Generate Activation
• Stolen phone (no owner)
• Attacker can obtain a few recordings of the owner
14
![Page 15: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/15.jpg)
ATTACK DESIGN
• TTS-based Brute Force
• Downloaded two voice commands from websites of these TTS systems
• ”Hey Siri” from Google TTS was used to train Siri
35 of 89 types of activation commands activate Siri – 39% 15
![Page 16: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/16.jpg)
ATTACK DESIGN
• 44 phonemes in English
• 6 are used in “Hey Siri”
• “he”, “cake”, “city”, “carry”
• “he is a boy”, “eat a cake”, “in the city”, “read after me”
• Both able to activate Siri successfully
16
![Page 17: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/17.jpg)
ATTACK DESIGN
• Voice commands are now generated
• Voice commands must be modulated onto ultrasonic carriers
• Lowest frequency of the modulated signal should be larger than 20 kHz to ensure inaudibility
17
![Page 18: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/18.jpg)
ATTACK DESIGN
• Voice Commands Transmitter
• A powerful transmitter with signal generator
• The portable transmitter with a smartphone
18
![Page 19: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/19.jpg)
ATTACK EXPERIMENT
• https://www.youtube.com/watch?v=21HjF4A3WE4
List of system and voice commands set to be tested
19
![Page 20: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/20.jpg)
20
![Page 21: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/21.jpg)
• Experiments of researchers show that the modulation depth is hardware dependent
• The modulation depth at the prime fc is when recognition attacks are successful and 100% accurate
• The minimum depth for successful recognition attacks on each device is shown on table
• Modulation depth m is defined as m = M /A where A is the carrier amplitude, and M is the modulation amplitude
• If m = 0.5, the carrier amplitude varies by 50% above (and below) its unmodulated level
21
![Page 22: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/22.jpg)
IMPACT OF LANGUAGE
activating SR systems -- initiating to spy on the user -- denial of service 22
![Page 23: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/23.jpg)
IMPACT OF BACKGROUND NOISE
23
![Page 24: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/24.jpg)
IMPACT OF ATTACK DISTANCE
24
![Page 25: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/25.jpg)
DEFENSES
• Hardware based
• Microphone Enhancement
• “a microphone shall be enhanced and designed to suppress any acoustic signals whose frequencies are in the ultrasound range. “
• Inaudible Voice Command Cancellation
• add a module prior to LPF to detect the modulated voice commands and cancel baseband
25
![Page 26: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/26.jpg)
DEFENSES
• Software based
• Use Supported Vector Machine to detect DolphinAttack
• A supervised learning model using an algorithm to analyze data for classification
26
![Page 27: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/27.jpg)
REALISTIC????
27
![Page 28: DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDSwebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/... · 2018. 11. 22. · BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice](https://reader034.fdocuments.us/reader034/viewer/2022052521/609e1c5fcabc4c52b66c1dba/html5/thumbnails/28.jpg)
CONCLUSION
• Inaudible attacks to SR systems
• Dolphin Attack leverages amplitude modulation
• Hardware and software based defenses
28