Short voice imitation man-in-the-middle attacks on Crypto Phones: Defeating humans and machines 1

Abstract

Establishing secure voice, video and text over Internet (VoIP) communications is a crucial task necessary to prevent eavesdropping and man-in-the-middle attacks. The traditional means of secure session establishment (e.g., those relying upon PKI or KDC) require a dedicated infrastructure and may impose unwanted trust onto third-parties. “Crypto Phones” (popular instances such as PGPfone and Zfone), in contrast, provide a purely peer-to-peer user-centric secure mechanism claiming to completely address the problem of wiretapping. The secure association mechanism in Crypto Phones is based on cryptographic protocols employing Short Authenticated Strings (SAS) validated over the voice medium.

The security of Crypto Phones crucially relies on the assumption that the voice channel, over which SAS is validated, provides the properties of integrity and source authentication. In this paper, we challenge this assumption, and report on automated SAS voice imitation man-in-the-middle attacks that can compromise the security of Crypto Phones in both two-party and multi-party settings, even if users pay due diligence and even if an automated software (voice biometrics systems) is used to detect voice manipulation.

The first attack, called the short voice reordering attack, builds arbitrary SAS strings in a victim’s voice by reordering previously eavesdropped SAS strings spoken by the victim. The second attack, called the short voice morphing attack, builds arbitrary SAS strings in a victim’s voice from a few previously eavesdropped sentences (less than 3 minutes) spoken by the victim. We design and implement our attacks using off-the-shelf speech recognition/synthesis tools, and comprehensively evaluate them with respect to both manual detection (based on a user study with 30 participants) and automated detection via a speaker verification tool. The results demonstrate the effectiveness of our attacks against three prominent forms of SAS encodings: numbers, PGP word lists and Madlib sentences. These attacks can be used by a wiretapper to compromise the confidentiality and privacy of Crypto Phones voice, video and text communications (plus authenticity in case of text conversations).

Keywords

VoIP Security Crypto Phone End-to-End Encrypted VoIP SAS protocols voice morphing attack voice biometrics

1. Introduction

Voice, video and text over IP (VoIP) systems are booming and becoming one of the most popular means of communication over the Internet. Today, VoIP is a prominent communication medium used on a variety of devices including traditional computers, mobile devices and residential phones, enabled by applications and services such as Skype, Hangout, and Vonage, to name a few.

Given the open nature of the Internet architecture, unlike the traditional PSTN (public-switched telephone network), a natural concern with respect to VoIP is the security of underlying communications. This is a serious concern not only in the personal space but also in the industrial space, where a company’s confidential and sensitive information might be at stake. Attackers sniffing VoIP conversations for fun and profit (e.g., to learn credit card numbers, and passwords) as well as wiretapping and surveillance of communications by the government agencies [14,22] are well-recognized threats. Prior research also shows the feasibility of launching VoIP man-in-the-middle (MITM) attacks [61], which can allow for VoIP traffic sniffing, hijacking or tampering.

In light of these threats, establishing secure – authenticated and confidential – VoIP communications becomes a fundamental task necessary to prevent eavesdropping and MITM attacks. To bootstrap end to end secure communication sessions, the end parties need to agree upon shared authenticated cryptographic (session) keys. This key agreement process should itself be secure against an MITM attacker. However, the traditional means of establishing shared keys, such as those relying upon a Public Key Infrastructure (PKI) or Key Distribution Center (KDC), require a dedicated infrastructure and may impose unwanted trust onto third-parties. Such centralized infrastructure and third-party services might be difficult to manage and use in practice, and may themselves get compromised or be under the coercion of law-enforcement, thereby undermining end to end security guarantees.

In this paper, our central focus is on “Crypto Phones” (Cfones), a decentralized approach to secure VoIP communications. Cfones promise to offer a purely peer-to-peer user-centric mechanism for establishing secure VoIP connections. A prominent real-world instance of a Cfone is Zfone [38,60], invented by Phil Zimmermann, now being offered as a commercial product by Silent Circle [42]. A Cfone involves executing a SAS (Short Authenticated Strings) key exchange protocol, such as [52,62], between the end parties. The SAS protocol outputs a short (e.g., 20-bit) string per party – if the MITM adversary attempted to attack the protocol (e.g., inserted its own public key or random nonces), the two strings will not match. These strings are then output, e.g., encoded into numbers or words [60], to users’ devices who then verbally exchange and compare each other’s SAS values, and accordingly accept, or reject the secure association attempt (i.e., detect the presence of MITM attack). Figure 1 depicts a traditional MITM attack scenario against Cfone.

Fig. 1.

A traditional MITM attack scenario for Cfone – attack is detected since SAS values do not match.

The security of Cfones crucially relies on the assumption that the human voice channel, over which SAS is communicated and validated (Alice and Bob), provides the properties of integrity and source authentication. In other words, it is assumed that the attacker (Mallory) is not able to insert a new desired SAS value in Alice’s and/or Bob’s voice.

In this paper, we systematically investigate the validity of this assumption. Our hypothesis is that, although impersonating someone’s voice in face-to-face arbitrarily long conversations can be significantly challenging, impersonating short voices (saying short SAS) in a remote VoIP setting may not be. Note that SAS needs to be a short string for the human to be able to copy, read and/or compare it. Indeed, we undermine Cfones’ security assumption underlying SAS validation, and report on SAS voice imitation MITM attacks that can compromise the security of Cfones, even if users were asked to pay due diligence (as in the current implementation of Cfones), and even if automated software is incorporated to verify the speaker (a potential replacement for human-based speaker verification). Figure 2 depicts an example scenario for our short voice imitation MITM attacks against Cfone.

Our contributions are four-fold:

Generalization and Formalization of Cfones: The secure connection establishment problem considered by Cfones, and the underlying solution approach, bear a close resemblance to the domain of “proximity-based device pairing”. Based on this parallel and wealth of prior work in device pairing, we provide a generalization and semi-formalization of Cfones, considering C-fones and adopting prior device pairing methods in the context of Cfones (Section 2).

Voice-Centric MITM Attacks Against Cfones: We present two types of short voice imitation MITM attacks against Cfones (Section 3). The first attack, called the short voice reordering attack, builds arbitrary SAS strings in a victim’s voice by reordering previously eavesdropped SAS strings spoken by the victim. The second attack, called the short voice morphing attack, builds arbitrary SAS strings in a victim’s voice from a few previously eavesdropped sentences spoken by the victim. We design and implement our reordering and morphing attacks using publicly available, off-the-shelf speech recognition and synthesis tools (Sections 4).

Evaluation of Attacks against Human-based Speaker Verification: We comprehensively evaluate our attack system against human-based speaker verification (the practice in current Cfones implementations) via a user study with 30 participants (Section 5). Our results demonstrate the effectiveness of our attacks against human-based speaker verification with respect to three prominently used SAS encodings: numbers, PGP word lists [60] and Madlib sentences [20]. Our human-base evaluation shows that people can distinguish a different speaker’s voice from a given familiar voice with about 80% success. However, they are not as successful in detecting our reordering and morphing attacks.

Evaluation of Attacks Against Machine-based Speaker Verification: We go a step further and evaluate our attacks against machine-based speaker verification (voice biometrics) systems (a natural choice for future Cfones implementations) (Section 6). The results of this evaluation shows that even the state-of-the-art machine verification systems fail to detect the attacked voices, although they can detect an original speaker’s voice and a different speaker’s voice accurately. Also, the evaluation shows that the attacked SAS is quantitatively more similar to the original SAS in case of the shorter SAS strings, and therefore shorter SAS strings are more difficult for the users and machines to detect compared to longer speech impersonation (shorter SAS is more prone to our attacks).

Our work shows that voice-based MITM attacks can be highly successful against Cfones whether human or machine speaker verification is used. These attacks may be deployed by a wiretapper to compromise the confidentiality and privacy of Cfones (plus authenticity in case of Cfones text conversations).

This paper is an extension of our ACM CCS 2014 paper [41], in which we investigated the security of Crypto Phones against automated voice imitation attacks with respect to human verifiers (i.e., human-based speaker verification). In this submission, we comprehensively extend this work to analyze the accuracy of machine-based speaker verification (voice biometrics) systems against this class of attacks. Using automated speaker verification systems in the context of Crypto Phones can be a natural near-future deployment scenario. Our work shows that even the state-of-the-art machine-based speaker verification systems can fail badly at detecting voice imitation attacks, thereby compromising the security and privacy of Crypto Phones sessions communications.

Fig. 2.

Our short voice imitation MITM attack scenario for Cfone – attack succeeds because of voice impersonation.

2. Background & formalization

2.1. Communication and threat model

A Cfone SAS protocol between Alice and Bob is based upon the following communication and adversarial model, adopted from [52]. The devices being associated are connected via a remote, point-to-point high-bandwidth bidirectional VoIP channel. An MITM adversary Mallory attacking the Cfone SAS protocol is assumed to have full control over this channel, namely, Mallory can eavesdrop and tamper with messages transmitted. However, an additional assumption is that Mallory can not insert voice messages on this channel that mimic Alice’s or Bob’s voice. In other words, the voice channel (over which the SAS values are validated) is assumed to provide integrity and source authentication. The latter assumption is what we are analyzing and challenging in this paper by performing both manual and automated speaker verification of synthesized/fake voice.

2.2. SAS protocols

A number of SAS protocols exist [11,33,52] in the literature that a Cfone implementation may adopt. SAS protocol is an authenticated key exchange protocol which allows Alice and Bob to agree upon a shared authenticated session key based on SAS validation over an auxiliary channel (such as voice channel). The protocol results in a short (e.g., 20-bit) string per party – matching strings imply successful secure association, whereas non-matching strings imply a MITM attack. These protocols limit the attack probability to $2^{- k}$ for k-bit SAS data. Once the SAS protocol and SAS validation process completes, all data between Alice and Bob is secured (e.g., using authenticated encryption) using the session key. The data may include the voice, text or video data.

2.3. SAS validation mechanisms

Compare-Confirm and Copy-Confirm are the two popular SAS checksum comparison methods to securely associate two devices A and B, which encode the SAS data into decimal digits [51], PGP words [60] or Madlib phrases (grammatically correct Madlib sentences) [20]. In Compare-Confirm, the SAS checksum is displayed on each party’s screen, they verbally exchange their respective checksums, and both accept or reject the connection by comparing the displayed and spoken checksum. In Copy-Confirm, one party reads the encoded checksum to the other party, who types it onto his/her device, and get notified whether the checksum is correct or not. In this work, we study unidirectional Compare-Confirm checksum comparisons, given this is the most commonly deployed approach on Cfones.

3. Our attacks & background

We first provide an overview of our Cfone voice imitation attacks. We then discuss why recognition of the identity of a speaker (especially from short speech) can be a complex task for human users. While human limitation in speaker verification may suggest its replacement with machine-based speaker verification, we further analyze the validity of such an automated speaker verification capability, which is introduced in this section.

Fig. 3.

High-level diagram of the attack.

3.1. Attack components

Our short voice imitation attacks involve the following components (our higher-level attack is depicted in Fig. 3).

Data Relaying: In a Cfone, first an unauthenticated SAS protocol performs a key exchange during session initiation or Real Time Protocol (RTP) media stream. This generates a session key, which will contribute to the encryption of the media during the Secure RTP (SRTP) session. So far the protocol is unauthenticated, therefore it is susceptible to a MITM [37] attack, and the session key might have already been revealed to Mallory. To ensure that Mallory was not present during unauthenticated key exchange, Alice and Bob verbally communicate the SAS over an SRTP session. In our attack, we assume that an MITM was performed during the unauthenticated key exchange protocol, and therefore Mallory has access to the plain audio during the conversation. Mallory is now interested in manipulating the SAS to hide her presence in unauthenticated phase of the protocol (i.e., non SAS communication). Mallory is not interested to alter any conversation except for the SAS dialogue (but of course interested in listening to all). Therefore, such conversations are simply relayed by Mallory, as is, to Alice and Bob.

Training Data Collection: Mallory needs to collect some data in advance to be used as the training set for the SAS voice impersonation attacks. For the reordering attack, Mallory needs to build a dictionary of distinct SAS words (e.g., digits for numeric, and words for PGP word list and Madlib SAS). In contrast, in morphing attack, she requires a few sentences to train the system to mimic the victim’s voice. To do so, Mallory can listen to several samples of the victim’s voice and collect words spoken by the victim from a previous VoIP session, or even the session under attack. Alternatively, Mallory can fool the victim into recording these training samples with social engineering trickeries (discussed in Section 7).

Keyword Spotting: To replace a valid SAS with a new desired SAS, Mallory needs to first look up the SAS in the first few conversations over SRTP, while Alice and Bob verbally exchange the SAS. She can simply relay any non-SAS dialogue, and only manipulate the SAS at the right time. Manually performing this look-up for the presence of SAS within arbitrary conversations might be tedious. An alternative is keyword spotting, which can be performed automatically. Keyword spotting deals with identifying a specific word in an utterance. Several keyword spotting methods have been proposed in literatures. The work of [47] provides a comparison of different keyword spotting approaches. Any of these approaches can be used by Mallory to detect the SAS values (numbers or words). In Section 4, we will describe our implementation of a keyword spotter based on off-the-shelf voice recognition systems.

Interruption and Insertion: Once the SAS dialogue is found, Mallory should “drop” it to make it unavailable to the other party, and replace it with a forged SAS (recall that our threat model allows dropping arbitrary packets). At this point, the voice MITM on SAS happens. The forged SAS is either derived from previously recorded voice of the victim saying the same SAS, or is constructed by making a collage from the victim’s speech (reordering attack), or is constructed by morphing victim’s voice signal (voice morphing attack). It is not implausible to imagine that Mallory could be a professional impersonator who can speak a thousand voices (“Rich Little”). Usually this is not the case. Hence, we rely on automated reordering attack and voice conversion techniques.

Voice Reordering: An attacker who wants to insert a forged SAS into the conversation can build a dictionary of all possible words, and impersonate a legitimate party by remixing SAS in his/her voice, which we call reordering attack. After collecting SAS atomic units, she can cut pieces of the legitimate audio signal and make an offline collage of SAS messages for future use. Another attack similar to reordering attack is a text-to-speech system which is specifically trained to produce synthesized voices only on a limited domain of vocabulary. An example of such a synthesizer is presented in [6].

Voice Morphing: Although a limited domain synthesizer may produce audio with almost the same quality as a human being, depending on the SAS encoding, pre-collecting all words is not always practical. And, if the attacker does not have all possible units of SAS in the dictionary, she can not produce remixing or a limited domain synthesizer. In this situation, Mallory can try to mimic victim’s voice. Attack could be successful if the adversary can “convert”, for example, his own voice to the target’s (victim’s) voice. We call this the voice morphing or conversion attack. There are several voice conversion techniques which change the characteristic of voice such as frequency, loudness, and timbre [44,45]. Other techniques find a relation between human articulators and voice features [6,49]. All these techniques work on a training system to adapt the system and can convert any utterance in Mallory’s own voice to the target voice even though such voice is not available in the training set. Mallory only needs to collect a few minutes worth of training data of the victim voice to perform this conversion. Later, she may produce an offline dictionary of all SASs in the victim’s voice.

3.2. Attacking human-based speaker verification

In an MITM attack against the SAS protocol of a Cfone, Mallory can insert herself into a session and gain full access to the data being transferred between the Alice and Bob. To do so, Mallory needs to hijack the session and impersonate each party. As discussed in Section 2.1, Cfone’s security assumption is that although Mallory has full control over the communication channel, it cannot insert voice messages that mimic Alice/Bob. Should this hypothesis be valid, the SAS value which is verbally exchanged on this channel can always authenticate Alice and Bob, foiling the MITM attack. A Cfone MITM attack seems relatively straight-forward against data communication (i.e., non verbal communication messages of the SAS protocol) [61], however, it is assumed that voice is unique to each individual, and therefore it is impossible to impersonate it. This assumption relies on special characteristic of speech which appears to make it difficult to impersonate.

Speech construction is a complex area. In simple terms, speech consists of words, each of which is a combination of speech sound units (phones). However, in reality, human voice is not as simple as this definition. Voice signal created at the vocal folds travels and gets filtered through vocal tract to produce vowels and consonants. Human body structure, vocal folds, articulators and human physiology and the style of speech provide each individual a potentially distinguished voice characteristic. Pitch, timbre and tone of speech are some of the features that may make a voice unique (for further information, we refer the reader to [4]). Therefore, the assumption that voice is unique, just like fingerprint or iris, does have some validity (although how much is a question explored in this paper).

Speech perception and recognition, the tasks that Cfone users have to perform while validating the SAS values, are even more complex than speech construction. There exists considerable literature on how speech is recognized [12,13,40]. Linguistics researchers have conducted various experiments and analyzed the capabilities of human speech recognition over different parameters, such as length of the samples, number of different samples, samples from familiar vs. famous people, and combinations thereof [40]. In an experiment, conducted in [31], the participants were asked to identify a voice when the sample string presented to them was “hello”, which resulted in a correct recognition rate of only 31%. However, when a full sentence was presented to the participants, the recognition rate increased to 66%. In the study of [21], a 2.5 minute long passage was presented as a sample to the participants, resulting in the average recognition accuracy of 98%. Many other experiments have been performed over the years evaluating human users’ performance in voice recognition [30]. They show that the shorter the sentence, the more difficult it is to identify the source. Spoofing attack against human-user have been studied in past [55] and showed to be detected with about 28% accuracy for GMM-based voice conversion using Festvox. However, these researches focus on longer audio samples whereas our application focus on short samples (e.g., two words).

Based on this literature survey, it appears that the task of establishing the identity of a speaker may be challenging for human users, especially in the context of short SAS, and serves as a weak-link in the security of the Cfone SAS communication.

3.3. Attacking machine-based speaker verification

Machine-based speaker recognition is a biometric technique of identifying a person by his speech. A speaker recognition task can be categorized into speaker verification and speaker identification. Speaker verification is the biometric task of authenticating a claimed identity by means of analyzing a spoken sample of the claimant’s voice. In this paper, we perform automatic speaker verification in a crypto phone application. To recognize a known target speaker, a speaker verification system goes through a prior speaker enrollment phase. In the speaker enrollment phase, the system creates a target model of a speaker from his/her speech samples so that they can be verified during the test phase in future.

A speaker verification system extracts certain spectral or prosodic features from a speech signal to enroll the model of the target speaker. The most common speaker modeling techniques include Template Matching, Nearest Neighbor, Neural Networks, Hidden Markov Models (HMMs) and Gaussian Mixture Models (GMMs).To improve and optimize speaker model training, session variables and joint factor analysis based score computations have been included in the Gaussian mixture based speaker modeling framework [25,26].

With the emergence of advanced speech synthesis and voice conversion techniques, the automatic speaker verification systems may be at risk like never before. Other than classical spoofing attacks like impersonation [8,32] or spoofing tricks using voice conversion, synthetic speech, artificial signals can be used to attack an automatic speaker verification system [56,57]. De Leon et al. have studied the vulnerabilities of advanced speaker verification systems to synthetic speech [15,16], and proposed possible defenses for such attacks. In [1], the authors have demonstrated the vulnerabilities of speaker verification systems against artificial signals. The authors of [28,58] have studied the vulnerabilities of text-independent speaker verification systems against voice conversion based on telephonic speech.

Noticeably, a key difference between our work and previous studies lies in the number/length and type of samples required to build a good voice conversion model. We use very less amount of training samples (e.g., 50–100 sentences of length 5 seconds each) for voice conversion collected using unprofessional voice recording devices such as laptops and smartphones. Such short-size audio samples giving rise to a victim’s voice sets a fundamental premise of how easily a person’s voice can be attacked or misused. While the prior papers do not seem to clearly specify the sizes of their voice conversion training data sets, they employ spectral conversion approaches which typically require a large amount of high-quality training data [24,48]. Another prominent difference from prior work [35] is that we are studying the potential for the automated speaker verification systems in detecting short speech as part of the SAS verbal exchanges. Being short detecting the speaker may be more challenging compared to long arbitrary speech considered in prior research [35].

While voice biometrics is a rich area, achieving robust detection rates (i.e., low false negatives and low false positives) is still a challenging problem. To prevent voice spoofing attacks, a number of countermeasures have been proposed [18,56]. However, existing voice biometrics system may not work well to thwart active voice impersonation and synthesis attacks [56]. Furthermore, given that the SAS challenge being authenticated in Cfones application is short (only few seconds worth of audio sample), it may not provide sufficient “knowledge” to the biometric system to extract features from the voice using which detection can take place.

We pursue a detailed analysis of the vulnerabilities of a speaker verification system against voice conversion. In this setting, the attack components are similar to human-based SAS verification (Section 3.1). The only difference is that we replace the human’s speaker verification role with a machine-based speaker verification system.

4. Attack design, implementation and performance evaluation

4.1. Attack design

Datasets Used: We used a variety of samples in different noise profiles, including samples recorded in professional recording environment as well as data collected using basic audio recorders. To have a good variety of recordings, we used three different datasets: First is the Arctic US English single speaker databases which has been constructed at the Language Technologies Institute at CMU. A detailed report on the structure and content of the database and the recording environment is available in [5]. The databases consist of around 1150 utterances include US English male and female experienced speakers. The second dataset is VoxForge, set up to collect transcribed speech for use with Free and Open Source Speech Recognition Engines. We picked US English male recordings with 16KHz sampling rate. Finally, we recorded two other voices using the basic audio recorder on an iPhone 5s, and two voices recorded by Audacity 2.0.5 on a Macbook Air laptop with internal microphone. Same as the VoxForge dataset, the narrators are not expert speakers. The Audio files in all our datasets are in WAV (Microsoft) 16 bit signed PCM format with a sampling rate of 16 KHZ in mono with single channel.

Keyword Spotting: For the purpose of keyword spotting, we used CMU’s Sphinx4 open source speech recognition system. Sphinx takes the voice waveform as input, splits it into utterances by silences, then recognizes it based on the best matching combination of words. First, it gets a feature vector of each frame and then uses models to match tit with the most probable feature vector in the model. So, it was important for us to adapt the models to fit our purpose and obtain accurate recognition results. There are some implementations of CMU Sphinx as keyword spotter. We changed Sphinx Audio Alignment code to transcribe and retrieve the time information for certain words. Once the appearance time of a SAS is captured, we snip that frame and add it as a single SAS to our SAS attack dictionary.

Reordering Attack: To implement the reordering attack, we developed a simple Java application that reads individual SAS words and produce any SAS combinations. Later, any of these combinations are picked and inserted in the voice MITM attack. Obviously, rather than building an offline dictionary of all combinations, remixing can be performed on the fly at the time of the attack. An alternative is a limited domain synthesizer speaking in the victim voice. Festival [6] limited domain synthesizers can produce voices very similar to the target voice, but its performance is optimized whenever all SAS atomic units are pre-recorded at least one time.

Morphing Attack: A text-to-speech tool that can speak with a victim’s voice might be suitable for a morphing attack. Such systems usually require a large collection of good quality training data to capture features, style, and articulation of the source voice. However, still after hours of training, voices generated by such systems may sound synthesized and unnatural.

An alternative is voice converters that convert a source voice to a target voice by mapping features between the two voices. The voice conversion framework we used in our morphing attack is CMU’s Festvox [7] voice transformation. Festvox gets trained by only a few sentences (less than three minutes) spoken in both the source (attacker or default Text-to-Speech, TTS voices) and the target (victim). Therefore it requires much less effort than other synthesizers. Once trained, a synthesized voice is built based on the target system. It can either act as a TTS tool in the victim’s voice or can be used to convert any utterance spoken by Mallory to the same utterance in the victim’s voice. Rather than converting properties of the voice, Festvox predicts the position of articulators from the speech signal and maps between the speakers and create voices in the target voice.

We trained the system with less than 50 sentences from the victim and an attacker voice, and converted all the possible SAS atomic units from the attacker voice to the victim voice. Using this system, we built an offline dictionary of all possible SAS combinations even though the SAS atomic units have not been spoken by the victim before. The offline dictionary can be queried at the MITM attack time to insert new forged SAS.

4.2. Attack implementation – Putting the pieces together

To evaluate the feasibility of our attack, we setup an RTP communication channel between Alice and Bob with Mallory acting as the router in the middle. We used the JMF framework to send audio captured from the built-in microphone of Alice’s computer to Mallory. Mallory receives the RTP stream and stores it in WAV format audio file. Duration of each audio file is set to be 3 seconds.

In the attack, Mallory’s initial goal is to search for the presence of a SAS in the regular conversation between Alice and Bob. To this end, after receiving the first audio file, our application on Mallory’s node calls CMU Sphinx keyword spotter to look up possible SAS in the captured audio files. We evaluated the performance of the attacking application with two different grammars. The first grammar looks up all possible SAS combinations. For example, a two word PGP word list SAS could be “dashboard liberty” which is included in our keyword spotter grammar. The second grammar just looks up some possible phrases that Alice and Bob might say just before confirming the SAS such as “SAS shown on my side is …”, or “My SAS is …”. The second grammar makes the keyword spotting faster but it is not completely predictable, as there are many ways that users can confirm their SASs.

We assume that SAS atomic units (e.g., digits or words) have already been forged and are stored on Mallory’s system for further use following the morphing or reordering attack discussed earlier in this chapter. The keyword spotter works in parallel with RTP receiver, audio files are stored and processed in a First-In-First-Out (FIFO) order. Those files containing SAS are replaced with same size (bit-wise) recording matching the MITM desired SAS, and files not containing the SAS are simply relayed to Bob.

4.3. Delay of the attack

The voice MITM attack naturally introduces a delay associated with the MITM attack on the non-voice, non-SAS channel communication, and with the voice impersonation on the SAS channel communication. Prior work [61] shows that MITM attack on non-voice channel can be efficiently performed and therefore we focus on the delay related to the SAS voice impersonation. The dominating delay in voice impersonation could be because of the keyword spotting procedures. Using simpler grammars (i.e. the SAS confirmation phrases) can improve the keyword spotting method. In offline keyword spotting (such as the one that we used), duration of each stored audio file can affect the performance, since we are running the RTP receiver and the keyword spotter in parallel. So if the duration of the stored audio file is less than the execution of keyword spotting method, no delay would be introduced by the keyword spotter. Moreover, real-time keyword spotters such as [19] might further improve the performance of the attack in such cases. Based on our preliminary analysis the delay introduced by the attack would be negligible.

5. Evaluating the attack against humans

In order to measure the effectiveness of our attacks against human-based speaker verification, we conducted a user study. In this section, we present the evaluation’s setup and its results.

5.1. Setup

We conducted a survey, approved by our University’s IRB, and requested 30 participants to answer several multiple choice and open-ended questions about the quality and (speaker) identity of certain recordings. We believe this number of participants is reasonable given that our hypothesis is a negative one (users cannot not perfectly verify the benign and attacked voice samples). This is in contrast to a positive hypothesis (to indicate the security and usability of the system), in which larger number of participants may be needed. However, larger number of participants in our study could have achieved a more concrete statistical analysis. There were two categories of questions: one related to the quality of the forged SAS (9 questions) and another related to speaker identification (9 questions).

Survey and Participant Details: The survey was created using the Question Pro online survey software. Participants were recruited by word of mouth and were told that the purpose of the study is to assess speech recognition quality. Following best practices in usable security research, we did not give details about the security purposes behind the survey in order to prevent explicit priming that may have biased their responses. However, in real-life, users should be warned that an incorrect SAS validation may harm the security of their communications. Our attack study was targeted towards average users, and therefore we can not deduce the performance of more or less security-aware users.

Quality Test: The quality test in the survey is similar to the Mean Opinion Score (MOS) test [23]. It consisted of 9 questions, each asks the participants to “listen to the SAS recording and rate the quality, in terms of genuineness (naturalness) on a scale of one to five (5: excellent; 4: good; 3: fair; 2: poor; 1: bad).” Each question presents two SAS recordings, that could be the original speaker recording in different noise profiles, reordered SAS or morphed/converted SAS. Different set of original recordings were played when subjecting the participants to reordered SAS and morphed SAS.

Speaker Identification Test: The speaker identification test contained 9 questions, each presents three sentences spoken by the same speaker and asks the participant to “listen to these three recordings so as to first get familiar with the voice. Then, the participants should listen to another two recordings (forged or real by the same or different speaker), and answer “yes” if they think any of the recordings are of the same person, and “No” if they think it is a different person, and “Maybe” if they can not make a distinction.” The participants were asked to “ignore any dissimilarity in the quality of the recordings”.

We collected different types of SAS recordings, including four 16-bit numerical SAS, eight PGP word lists and four Madlibs. We also presented four longer SASs including 32-bit PGP word list and 32-bit Madlibs. Generally, 32-bit numeric SAS is not secure against reordering attack (since in only one transmission of SAS, all 10 distinct digits might appear). Therefore 32-bit numeric SAS was not questioned.

5.2. Results

Table 1
Demographic Info: User Study

$N = 30$

Gender

Male 53%

Female 47%

Age

18–24 years 34%

25–34 years 62%

35–44 years 3%

Education

High school graduate, diploma or the equivalent 5%

Some college credit, no degree 7%

Bachelor’s degree 55%

Master’s degree 24%

Doctorate degree 9%

English as First Language

Yes 28%

No 72%

Hearing Impairment

Yes 10%

No 90%

	$N = 30$
Gender
Male	53%
Female	47%
Age
18–24 years	34%
25–34 years	62%
35–44 years	3%
Education
High school graduate, diploma or the equivalent	5%
Some college credit, no degree	7%
Bachelor’s degree	55%
Master’s degree	24%
Doctorate degree	9%
English as First Language
Yes	28%
No	72%
Hearing Impairment
Yes	10%
No	90%

Table 2

Mean (Std. Dev) ratings for original and attacked SAS

		Numeric	PGP Words	162-Bit Madlib	32-Bit Madib
1	Original SAS	4.00 (0.95)	3.05 (1.21)	4.15 (0.9)	3.28 (1.28)
2	Reordered SAS	3.67 (1.08)	3.23 (1.22)	3.64 (1.35)	2.68 (1.30)
3	Original SAS	3.51 (1.19)	3.74 (1.09)	3.34 (1.30)	2.56 (1.41)
4	Morphed SAS	2.33 (1.20)	3.18 (1.25)	2.75 (1.39)	2.26 (1.35)

Demographic Information: The participants in the study were mostly young (34% 18–24, 62% 25–34 and 3% 35–44 years) and well-educated (55% Bachelor’s, 24% Master’s, and 9% Doctorate degree), with almost equal gender split (53% Male and 47% Female). Table 1 summarizes the demographic information of the participants in the study. Such a sample is suitable for our study. If the study results indicate that it is hard for young and educated participants to detect our attacks, it may be harder for older and less educated (average) people. The survey took each participant about 15 minutes to complete.

Results for Quality Test: Table 2 summarizes the result for the quality test, showing the ratings provided by the participants assessing the quality of original and forged SAS recordings, averaged over the number of questions. We treated the answer options linearly (poor answer option as 1 and excellent as 5). As the table shows, in all the cases, participants rated original recordings between “fair” and “good” except for 32-bit Madlib, which is rated as “poor.” Participant rated reordered SAS as “fair” or “good” except for 32-bit Madlib, which is rated as “poor”. The results also show that they rated reordered SAS mostly between good and fair, similar to the rating for the original speaker’s voice. The participants rated morphed SAS somewhere between “poor” and “fair”. Interestingly none of the forged voices were rated as “bad” quality, while none of the original voices were rated as “Excellent” quality. No statistically significant differences emerged between the two types of ratings when tested with the Wilcoxon Signed-Rank. We observed a relatively high standard deviation in all answers that we believe originates from different interpretation each person has of the word “quality”. Answers to our open-ended question reveal that participants had a different definition of quality and genuineness, and therefore their quality rating is affected by their own definition. For example, participants mentioned “background noise”, “loudness”, “clarity”, and “speed” as their measure for quality. Only three participants rated the recordings based on “genuineness”, “naturalness”, and “machine generated versus human.”

We can see that the difference between the ratings for morphed SAS and original SAS is generally more than the difference between the ratings for reordered SAS and original SAS (only exception is 32-bit Madlibs). This suggests that reordering attack might generally be harder to detect for the participants than morphing attack. Note that for PGP words, participants rated the reordered SAS higher than the original recording. This implies that if the attacker collects enough data to perform the reordering attack on PGP words, the quality of the forged SAS may even be perceived better than the original one. However, the same was not true for Madlibs. Madlibs have a correct grammatical structure and therefore people usually read them following a sentence flow, which may make it difficult for the attacker to split and remix.

Results for Speaker Identification Test: We next evaluated the speaker identification test. Recall that in each question of the speaker identification test, participants first get familiar with a voice, then they are asked if any of the two subsequent SASs is spoken by the same person or not. In all of our calculations, we treated half of the uncertain answers (“Maybe”) as “Yes” and half of them as “No”.

Table 3

Results of the human-based evaluation for different attacks and SAS types. Row 1, column 1 shows FNR related to benign samples (instances that are not successful in detecting a familiar voice). Row 1, column 2–4 show FPR indicating effectiveness of each attack (naive different voice attack; reordering and morphing attacks). Higher FPR shows more powerful attack

	Original		Different	Morphed	Reordered		Original		Different	Morphed	Reordered
Numeric SAS voice						6-Bit PGP SAS voice
FNR	42.50%	FPR	14.52%	61.25%	87.50%	FNR	48.33%	FPR	17.71%	50.00%	68.75%
16-Bit Madlib SAS voice						Aggregated Rates on All SAS Types
FNR	49.17%	FPR	21.67%	51.39%	81.67%	FNR	44.58%	FPR	17.96%	50.58%	78.23%

We would like to determine how well the users perform at the tasks of speaker verification when listening to benign and attacked audio samples. We are interested in finding out how often users cannot correctly verify the voice of an original speaker reciting a short SAS. We use False Negative Rate (FNR) metric that represents the probability of rejecting such benign instances (not recognizing a legitimate familiar voice). The lower the FNR, the better the accuracy of the users in recognizing an original voice. Higher values show Cfone system does not work well under benign non-attack setting. Also, we are interested in determining how often users accept a different speaker’s voice, a morphed voice, or a reordered voice. We use False Positive Rate (FPR) metrics that denotes the probability of accepting such attacked instances (considering an attacked voice as a familiar voice). False acceptance implies the success of the attacker and a compromise of the security of Cfone session communications. Higher values represent that the attack is working and participants are not able to detect it.

Table 3 depicts our evaluation metrics corresponding to a SAS spoken by a “different” person (second column, representing the naive attack), a SAS generated by converting attacker voice to victim voice (third column), and a SAS spoken by the same person but reordered (fourth column). The results are shown for different type of SAS. Also shown is the overall aggregated result among all three types of SASs (the last matrix).

First of all, the table illustrates a relatively low FPR for SASs played in a “different voice” (row 2, column 2), which means when a different voice is presented, people successfully detect the difference with a high chance (about 80%). This demonstrates that if the (naive) attacker just inserts a different voice, it would be detected by the users with a high probability. This provides an important quantitative benchmark to compare the performance of attacks with.

The effectiveness of our voice imitation (morphing and reordering) attacks is represented by FPR (first row results for column 3 and 4). Although FPR is not very high (somewhere around 50–60%), it is important to look at the corresponding FNR of the Cfone system which shows that people are not accurate in recognizing the familiar voice saying SAS even in benign scenarios, and almost 50% of the times participants detect original voice in a different noise profile as fake voice. That is, even in non-attack scenario, participants make almost random guesses to decide whether the voice is real or fake. Thus, we can conclude that, under our attacks, users do not perform any better than a random guess in recognizing a forged SAS, and in fact the result is very similar to recognizing original voice in a different noise profile. In short, people are as successful as recognizing a forged SAS as they are successful in recognizing an original SAS in a different noise profile.

Similar to the quality test, the speaker identification test shows that reordering attack generally works better (e.g., has higher FPR) than the morphing attack. The performance metrics, however, do not indicate any significant differences in the way users may detect the attacks against different SAS types (numeric, PGP or Madlibs). They all seem almost equally prone to our attacks. In Section 3, we referred to the linguistic studies that demonstrate people are more successful in recognizing familiar voices when they are presented with long sentences rather than short sentences. Our experiment for short SAS confirms this insight.

Open-Ended Feedback: The open-ended feedback shows that majority of the participants found recognizing even a familiar voice difficult and confusing. Some of them believed the background noise in the recordings makes the recognition task difficult. Answers such as, “In noisy data, it is more difficult to compare the tracks.”, or “Challenging” and “Confusing” show that people find it difficult to recognize familiar voices especially in the presence of some background noise, which may be common in telephonic VoIP conversion.

Study Limitations: We had to examine two attack variants and three SAS types in the survey. Moreover, in our speaker identification questionnaire, participants had to listen to three recordings of a person (probably multiple times) to get familiar with the voice. Therefore, to keep the survey concise, we limited ourselves to play one or two samples of each attack. While ideally more samples would give a better judgment and more reliable statistical analysis, it would also make the survey long, and may reduce the user experience and accuracy. Furthermore, in quality test, results seem biased due to the definition of “quality”. The core idea was to rate “genuineness” of the recordings, while answers seemed affected by the parameters such as noise and loudness. Finally, all the samples were drawn from US English, while the first language of a majority of participants (72%) was not English. The familiarity with English might affect the result. To our knowledge, most Cfone applications are developed in English, so we did not perform a language-centric study.

6. Evaluating the attack against machines

In this section we investigate as to what extent a converted or morphed SAS (short authenticated string) spoken by a MITM attacker can be detected by an automatic speaker verification system.

6.1. Setup

Bob Spear Speaker Verification System: In our experiment, we have used Spear verification toolbox developed by Khoury et al. [27] The Spear system is a open source speaker verification tools that has been evaluated with standard datasets like Voxforge [54], MOBIO [34] and NIST SRE [36]. Also, it represents the state-of-the-art in speaker verification systems having implemented the current well-known speaker verification algorithms, which makes it a representative system to evaluate our attack.

The input to this system, a set of clips spoken by a number of speakers, is split into 3 sets namely: training set, development set (Dev set) and evaluation set (Eval set). The training set is used for background modeling. The development and evaluation sets are further divided into two subsets, namely, Enroll set (Dev.Enroll, Eval.Enroll) and Test set (Dev.Test, Eval.Test). Speaker modeling can be done using numerous modeling techniques, including, Universal Background Modeling in Gaussian Mixture Model (UBM-GMM) [39] and Inter-Session Variability (ISV) [53].

UBM-GMM is a modeling technique that uses the spectral features and then computes a log-likelihood of the Gaussian Mixture Models for background modeling and speaker verification [10,46]. ISV is an improvement to UBM-GMM, where a speaker’s variability due to age, surroundings, emotional state, etc., are compensated for, and it gives better performance for the same user in different scenarios [43,53].

After the modeling phase, the system is then tuned and tested respectively using the Dev.Test and Eval.Test sets from Development and Evaluation sets. All the audio files in the Dev.Test and Eval.Test sets are compared with each of the speaker models for development and evaluation sets, respectively, and each file is given a similarity score with respect to each speaker in the corresponding set. The scores of the Dev.Test files are used to set a threshold value. The scores of the Eval.Test set are then normalized and compared with this threshold, depending on which each file is assigned to a speaker model. If the audio file actually belong to the speaker to whom it got assigned, then the verification is successful otherwise the verification is not successful.

Dataset: For conducting this experiment, we used the audio samples from the Voxforge dataset [54]. We selected 10 users from the dataset for our experiment. Each sample in this dataset is approximately about 5 seconds long. From these samples, we chose 256 words for each speaker from the dataset. We used these words spoken by these speakers to generate audio clips that are 2-words (16 bits), 4-words (32 bits) and 6-words (48 bits) long. These SAS files of length 2, 4 and 6 words were approximately 1, 2 and 3 seconds long. This dataset consisted of 30 samples of each type of SAS (namely 2-words, 4-words, 6-words). Therefore the dataset had a total of 180 samples per speaker. These samples were fed to the Festvox voice conversion system for the Conversion attack. Thereafter, both the original and the converted samples were tested using the UBM-GMM and ISV algorithms in the Spear speaker verification system. The experimental setup for the different scenarios is explained here.

Different Speaker Attack Scenario: The original samples from the SAS Dataset were used in this scenario. The samples of all the other speakers other than the one tested for, were supplied as test samples for the algorithms.

Conversion Attack Scenario: The audio samples from the Voxforge dataset were used to generate the speaker models for the 10 Voxforge speakers in Spear. We chose one CMU-Arctic [5] speaker, who spoke all the CMU-Arctic samples. These Voxforge training samples and the same samples spoken by the CMU-Arctic speaker (posing as the attacker), were used to train the Festvox voice conversion system. After the Festvox system was trained, we fed into the system the SAS samples spoken by our CMU-Arctic attacker to get the converted SAS samples in the voices of the Voxforge speakers. These converted SAS samples of the Voxforge speakers were then used to test the fore-mentioned speaker verfication algorithms.

Table 4
Results of the SAS-based voice conversion attack against automated speaker verification system. Original Speaker column shows the rejection rate (in percentage) in the benign setting and the attack columns show the acceptance rate (in percentage) in the attack setting

Original Speaker Different Speaker Attack Conversion Attack

UBM-GMM 0.99 (1.60) 1.40 (2.03) 98.33 (2.83)

ISV 0.33 (0.70) 1.28 (1.48) 99.50 (1.12)

	Original Speaker	Different Speaker Attack	Conversion Attack
UBM-GMM	0.99 (1.60)	1.40 (2.03)	98.33 (2.83)
ISV	0.33 (0.70)	1.28 (1.48)	99.50 (1.12)

6.2. Results

Table 4 summarizes the results under the benign (original speaker) scenario and the conversion attack. We elaborate on and interpret the results more below.

Original Speaker Scenario: The results of this scenario are shown in the 2nd column of Table 4. This is a benign scenario in which, the Spear system is tested with the original SAS samples spoken by the Voxforge speakers. The results show that only on an average, 0.99% and 0.33% of the original samples were rejected by the UBM-GMM and ISV algorithms with less a standard deviation of less than 2. Therefore, these results show that these algorithms perform very well in identifying the original speaker samples.

Different Speaker Attack Scenario: The results of this scenario are shown in the 3rd column of Table 4. This is an attack scenario to test how well the algorithms perform in identifying one speaker from another speaker. The results show that on an average, only 1.40% and 1.28% of the attack samples were accepted for UBM-GMM and ISV algorithms respectively. These results show that our speaker verification algorithms and the Spear fare very well and are secure against this naive attack scenario.

Conversion Attack Scenario: The results of this scenario are shown in the 4th column of Table 4. This attack scenario tests the performance of the UBM-GMM and ISV algorithms in identifying converted SAS samples from the original ones. The results show that on an average, 98.33% and 99.5% of the converted samples were accepted in case of UBM-GMM and ISV algorithms with a standard deviation of 2.83 and 1.12 respectively. Hence, our system fails significantly in detecting the converted SAS samples.

Effect of SAS size: In our experiment, we test the Spear system for varied length SAS made up of words chosen from the CMU-Arctic Database. The speaker verification algorithms does not take into account the bit-length of the input files, but considers their duration. The files less than 2 seconds could not be processed by the system as it could not get enough features from those files to make a meaningful judgement about the speaker identity. This could be the limitation of the Spear system (or even other speaker verification systems) for short SAS samples. So, we do not take into further consideration the 2 words long SAS files. When the files were longer than or equal to 2 seconds, the system could extract enough features from those files, and samples with a better quality of conversion got accepted more (irrespective of their size).

6.3. Automated quality test design and results

In speech and speaker recognition systems, it is common to extract a multi-dimensional vector of components of the underlying audio to identify the linguistic features of the signal. We used Mel-Cepstral Distortion (MCD) to measure the similarity between a forged (converted) SAS and an original SAS by calculating the Euclidean distance between feature vector of the forged SAS and that of the original SAS. A similar strategy has been used in several speech conversion and synthesis systems [17,29] to measure the distance between a synthesized and an original version of the same utterance. If the difference between feature vector of the original SAS and the forged SAS is minimized, the forged voice is close to the original voice and detecting the attack would be inherently difficult. Lower MCD shows better conversion (a forged SAS is so similar to the original one that it is not easy to distinguish the two).

To compute MCD, we extract features of the forged SAS (fSAS) built from attack engine (morpher) and features of the original SAS (oSAS) spoken by the victim, and calculate the difference between the two. MCD computation is defined in Equation (1), where $v_{d}^{fSAS}$ denotes the dth MCEP2

²
Weighted average of the magnitudes of cepstral peaks.

of fSAS and

v_{d}^{oSAS}

denotes the dth MCEP of oSAS. In TTS applications, typical parameters are 25 dimensional mel-frequency scaled cepstral coefficients (d between 0 to 24). The 0th dimension represents the overall signal power (loudness). Therefore, to eliminate the effect of speaker loudness, MCD has been calculated for

d = 1, \dots, 24

\begin{matrix} (1) & MCD (v^{fSAS}, v^{oSAS}) = \frac{10}{ln (10)} \sqrt{2 \sum_{d = 1}^{24} {(v_{d}^{fSAS} - v_{d}^{oSAS})}^{2}} . \end{matrix}

In our automated quality test, we trained the voice conversion engine to convert between pairs of 8 different male and female speakers from our voice dataset (Section 4) representing victims and attackers. A combination of 20 different conversions was built. To first test the effect of the training set size on the conversion performance, we trained the system with 50, 100, and 200 sentences. We noticed an average MCD improvement of only 1.6% by increasing the size of the training set from 50 to 100 and an average MCD improvement of only 1.1% by increasing the size of the training set from 100 to 200. This means that increasing the training set size beyond 50 sentences does not significantly improve the performance of conversion. As a result, in the rest of the experiments, we use 50 first sentences of Arctic dataset in the training phase. The average duration of each utterance of the training set is 5 seconds, and the average duration of the whole set of 50 sentences is 2 minutes and 30 seconds. This means that in order to train a system to speak in the victim’s voice, we are required to collect less than 3 minutes of her voice. This is quite short and therefore training does not seem to impose a challenge for the attacker in the conversion process.

Table 5 presents the results of our objective evaluation. We present the results of only 4 conversions between same genders and different genders. The other 16 conversions yielded similar results and are not reported here due to space constraints.

Table 5

Quality test evaluation results for the morphing attack

			Source (Attacker)	Female 1			Male 1			Female 2			Male 2

Row	Utterances	Conversion Name	Target (Victim)	Female 2			Male 2			Male 2			Female 1
1	First 50 Sentences of Arctic	Single Speaker	MCD Before Conversion	5.28			5.65			5.65			6.15
2		Single Speaker	MCD After Conversion	2.11			2.34			2.34			2.39
3		Source to Target	MCD Before Conversion	7.27			8.28			8.94			9.41
4		Source to Target	MCD After Conversion	4.64			4.91			4.97			4.96

5			SAS Size (bits)	20	80	128	20	80	128	20	80	128	20	80	128

6	20 SASs of Different Sizes	Single Speaker	MCD After Conversion	1.95	1.97	2.01	2.17	2.21	2.27	2.17	2.21	2.27	2.23	2.31	2.34
7	20 SASs of Different Sizes	Source to Target	MCD After Conversion	4.18	4.33	4.44	4.53	4.61	4.68	4.72	4.77	4.86	4.45	4.63	4.70

To obtain a measure of how good the conversion process is, we first performed a conversion between utterances of a single speaker (the victim) spoken and recorded in two different noise profiles. We call this the “Single Speaker” conversion. Rationally, such conversion would gain the optimum conversion result. Row 1 of Table 5 shows MCD between the two set of 50 recordings (in different noise profiles) of the victim before the conversion, averaged across all recordings, which can be used as a reference of what MCD values are acceptable. Row 2 of the table shows the result of conversion. The Single Speaker conversion gives us a baseline MCD to measure the quality of other conversions from attacker voice to the same speaker as the victim.

Row 3 depicts the MCD between an utterance in the training dataset spoken by the source and the same utterance spoken by the target before the conversion, averaged across all utterances. This parameter characterizes the actual similarity/dissimilarity between the attacker and victim voice before conversion. Recall that we used 50 utterances spoken by the source and the target to train the system to convert from attacker to the victim. We refer to this conversion as the “Source to Target” conversion. Row 4 shows result of this conversion. By comparing row 3 and row 4, it can be seen that after conversion, the distance between source and converted voice becomes less than the initial distance. This demonstrates the effectiveness of the converter.

Comparing the result of Single Speaker and Source to Target conversions (row 2 and 4), we can observe that the MCD between converted voice and the original voice is higher in the Source to Target conversion (which is the real attack scenario) than the Single Speaker conversion (the optimum conversion result). This is intuitive. However, by comparing row 1 and 4, it is interesting to note that the MCD values after conversion are slightly less than MCD values of single speaker before conversion, which suggests that Source to Target conversion produces a voice that is comparable to the voice of the victim in a different noise profile.

Subsequently, we tested the performance of the converter for the purpose of our attack (i.e. SAS morphing). Here, we used the trained system (described in the above two paragraphs) to convert 60 utterances from our potential attackers to victims representing 20 short, medium and long SAS with size of 20 bits, 80 bits and 128 bits respectively. Average duration of saying short, medium and long SAS is approximately 1.2, 2.1 and 4.4 seconds respectively. Row six of Table 5 shows the distance between the converted SAS (resulted from Single Speaker converter) and the original SAS (spoken by the victim). Last rows show the average distance between the forged SAS (resulted from Source to Target converter) and the original SAS (spoken by the victim).

For all pairs of speakers, we see a clear pattern of increase in MCD with increase in the SAS size. This suggests that the quality of SAS conversion degrades as the SAS size increases, which may make longer SASs more detectable than shorter ones. Comparing rows six and seven, we see that the quality of SAS conversion degrades only slightly when source and target are different speakers (similar to the case of non-SAS samples as discussed above).

Unlike the morphing attack that maps between features of the attacker and the victim, in reordering, filtering characteristics of vocal cords of the speaker are not changed. As the name suggests, reordering simply remixes the ordering of words or digits. Therefore, unlike morphing attack, no new voice is generated in reordering and in fact the attacked voice has the same features as that of the victim’s voice [9,50]. Hence, we did not conduct automated quality test on the reordered SASs.

7. Discussion and summary

Evaluation Summary: Our human-based evaluation shows that in a non-attack scenario, almost only 50% of the times participants can detect familiar voices and 50% of the times they can not detect familiarity of a voice (played in a different background noise). This means that participant are making almost random guesses in normal, benign situation. However, people can distinguish a different voice from a familiar voice with about 80% success, and therefore a naive attack, where the attacker simply inserts her own voice (or that of another user), is not successful, and more complex attack is needed. This is where our reordering and morphing attacks are a good candidates, as 50–80% of observed instances can not detect such attacks, which means that, in the worst case, our attack works as good as the non-attack condition. Unlike our evaluation, in real-life, users may not pay due diligence when asked to validate the identity of the other speaker (secondary task) when making a call (primary task). It would result in higher true negatives (i.e., fewer rejections in non-attack cases, or better usability) than what we observed, but would also lead to higher false positives (i.e., weaker security) especially when a reordered/morphed SAS is inserted. In other words, the Cfone system may be more usable in practice but less secure against our attacks. Both evaluations support that a reordered SAS is more effective for the attacker (harder to detect) compared to a morphed SAS.

The attack against machine-based speaker verification shows that although the machine is successful in detecting a different voice with at accuracy of around 99%, it cannot distinguish between a morphed voice and an original speaker’s voice (the average rate of accepting a morphed voice is around 99%). Our automated quality test shows that the distortion between the original SAS and morphed SAS increases with the size of the SAS. This supports our hypothesis that short voice impersonation is easier for the attacker (harder for the users to detect). We also observed that if attacker voice is similar to the victim voice, the result of conversion would be better.

Acquiring Training Data: Our attacks require collecting prior audio samples from the victim. While the reordering attack requires previously spoken SASs to build a dictionary, the morphing attacks only require a few previously spoken sentences from which victim’s voice features can be derived. Building training sets for the latter case is quite easy. The attacker can eavesdrop prior unprotected VoIP sessions of a victim. Since only a few sentences are needed, eavesdropping only a few minutes of conversation would be sufficient. The attacker can also record such samples from a victim by being physically close to the victim while the victim is talking in a public place or giving a public presentation.

As far as building training sets for reordering attack is concerned, the difficulty depends on the underlying SAS encoding type. While eavesdropping all (10) digits for numeric SAS is relatively easy (e.g., waiting for the victim to speak phone numbers, zip codes, and other numeric utterances), learning all PGP words or Madlib words might be challenging given these words may not be commonly spoken in day to day conversations. However, it is possible for the attacker to use social engineering techniques to address this challenge. Number of possibilities exists to this end. For example, the attacker can create crowd sourcing tasks on online websites (e.g., freelancer or Amazon Mechanical Turk) which asks the users to auditize proses which contain all PGP words or Madlib phrases. Similarly, the attacker can create audio CAPTCHAs, and use them on its own websites or other compromised sites, that challenge the users to auditize words from books (similar in spirit to the idea of reCAPTCHAs).

Moving forward, we believe that our work also raises a more broader and general threat of “voice privacy.” The malicious actors may use various approaches to record someone’s voice samples and use these samples to compromise the security and privacy in another application (such as Cfones or voice recognition systems). While people seem quite concerned about their “visual privacy” in today’s digital world (e.g., someone taking their picture), they may not consider their voice to be so sensitive (e.g., people often talk out loud in a restaurant and even talk to strangers). Given that audio sensors are very common and do not require explicit efforts from an attacker to record audio (unlike camera, for example), we believe that voice privacy can have several implications that may need careful attention.

Potential Defenses and Challenges: In light of our attacks against Cfones, a natural question is what can be done to improve the security of the underlying SAS validation process. One possibility is to rely upon multiple preceptory channels rather than just audio. For example, users may be asked to pay attention to the video (assuming video is available) while validating verbal SAS. In other words, if the attacker performs the voice impersonation against SAS, users may be able to detect this attack by looking at and analyzing the accompanying video of the communicating party – the lip movement of the person stating the SAS would not match with the spoken SAS. This could serve as a potentially useful defense to our attacks. However, it may present significant challenges in practice. First, the users may not be in a position to look at the video or may simply not pay enough attention to spot the lack of audio-visual SAS synchronization. Second, it is not hard to imagine that the attacker can manipulate the video packets in addition to the audio packets so the spoken audio matches with the video stream. The video impersonation attacks are feasible due to the same underlying weakness of the VoIP channel with respect to manipulation as the audio attacks. There exists some prior work that suggests image/video morphing attacks are feasible [59]. The need to influence both audio and visual channels at the same time may increase the complexity of the attack, however.

Yet another potential solution to thwart the voice impersonation attacks against Cfones is to perform the SAS validation over an auxiliary channel that can be more resistant to voice and packet manipulation. PSTN communication is believed to offer such properties, and, when available, may be used to secure VoIP communication. For example, if the communicating devices support both VoIP capability (Internet connection) and PSTN connectivity (e.g., cellular connection), the non-SAS communication can take place over the former and SAS validation can take place over the latter. This mechanism is suitable for mobile phones – the Cfone app switches to a PSTN call when SAS comparison is performed by the user (Android, e.g., allows making VoIP and cellular calls simultaneously). A limitation of this defense mechanism is that it is only applicable to devices which have PSTN capability (such as cell phones).

An independent defense could be increasing the dictionary size to make reordering difficult, and to reduce the efficiency of automatic keyword spotting. Moreover, if the dictionary is not fixed, reordering will be impossible. An idea suggested in [2] is to choose words from a large dynamic space (e.g., front pages of today’s newspapers). The dictionary can be chosen by users, or programmatically during key exchange. However, the security and user experience of this approach needs further investigation.

Another possibility is to employ the approach proposed in [3], which identifies and characterizes the network route traversed by the voice signal and creates a detailed fingerprints for the call source. For VoIP connection, this method is based on network characteristics, and therefore may only be effective if the attacker and the victim reside in different networks.

8. Conclusions

Crypto Phones aim to solve an important problem of establishing end-to-end secure communications on the Internet via a purely peer-to-peer mechanism. However, their security relies on the assumption that the voice channel, over which short checksums are validated by the users, provides integrity/authenticity. We challenged this assumption, and developed two forms of short voice impersonation attacks, reordering and morphing, that can compromise the security of Crypto Phones. Our evaluation demonstrate the effectiveness of these attacks under both human-based speaker verification (current deployment scenario) and machine-based speaker verification (future deployment scenario), when contrasted with a trivial attack where the attacker impersonates with a totally different speaker’s voice. We suggested potential ways and associated challenges to improve the security of Crypto Phones against the voice MITM attacks. A comprehensive future investigation is needed to develop a viable mechanism to thwart such attacks. Currently, it seems that humans perform better than machines in detecting the attacks presented. It is possible that machine capability to detect the attacks may improve with the advancement in speech processing, but it is unlikely that human capability may improve.

References

Alegre,

Vipperla,

Evans and

Fauve, On the vulnerability of automatic speaker recognition to spoofing attacks with artificial signals, in: European Signal Processing Conference, August, 27–31, 2012, Bucharest, Romania (EUSIPCO 2012), 2012.

Asokan,

Chan and

Krishnamurthi, Authenticating security parameters, February 8, 2007, US Patent App. 11/672,900.

V.A.

Balasubramaniyan,

Poonawalla,

Ahamad,

M.T.

Hunter and

Traynor, PinDr0p: Using single-ended audio features to determine call provenance, in: Proceedings of the 17th ACM Conference on Computer and Communications Security, ACM, 2010.

Benesty,

Mohan Sondhi and

Huang, Springer Handbook of Speech Processing, Springer, Berlin, 2008. doi:10.1007/978-3-540-49127-9.

A.W.

Black and

Kominek, CMU ARCTIC databases for speech synthesis, Technical report, Language Technologies Institute, Carnegie Mellon University, USA, 2003, https://www.lti.cs.cmu.edu/sites/default/files/CMU-LTI-03-177-T.pdf.

A.W.

Black and

K.A.

Lenzo, Limited domain synthesis, Technical report, DTIC document, 2000.

A.W.

Black and

Toth, TRANSFORM: Flexible voice synthesis through articulatory voice transformation, n.d., http://festvox.org/transform/transform.html.

Blomberg,

Elenius and

Zetterholm, Speaker verification scores and acoustic analysis of a professional impersonator, in: FONETIK, 2004.

Bollepalli, Voice conversion uning articulatory features, Master’s thesis, International Institute of Information Technology Hyderabad, 2012.

10.

Burget,

Matejka,

Schwarz,

Glembek and

Cernocky, Analysis of feature extraction and channel compensation in a GMM speaker recognition system, IEEE Transactions on Audio, Speech, and Language Processing 15(7) (2007), 1979–1986. doi:10.1109/TASL.2007.902499.

11.

Cagalj,

Capkun and

Hubaux, Key agreement in peer-to-peer wireless networks, Proceedings of the IEEE 94(2) (2006), 467–478. doi:10.1109/JPROC.2005.862475.

12.

J.P.

CampbellJr., Speaker recognition: A tutorial, Proceedings of the IEEE 85(9) (1997), 1437–1462. doi:10.1109/5.628714.

13.

Chevillet,

Riesenhuber and

J.P.

Rauschecker, Functional correlates of the anterolateral processing hierarchy in human auditory cortex, The Journal of Neuroscience 31(25) (2011), 9345–9352. doi:10.1523/JNEUROSCI.1448-11.2011.

14.

Coldewey, NSA and all major intelligence agencies can listen in to encrypted cell phone calls, 2013, http://www.nbcnews.com/tech/security/nsa-can-listen-encrypted-phone-calls-theyre-not-only-ones-f2D11744226.

15.

P.L.

De Leon,

Pucher and

Yamagishi, Evaluation of the vulnerability of speaker verification to synthetic speech, 2010.

16.

P.L.

De Leon,

Raj Apsingekar,

Pucher and

Yamagishi, Revisiting the security of speaker verification systems against imposture using synthetic speech, in: 2010 IEEE International Conference on Acoustics Speech and Signal Processing (ICASSP), IEEE, New York, 2010, pp. 1798–1801. doi:10.1109/ICASSP.2010.5495413.

17.

Desai,

Veera Raghavendra,

Yegnanarayana,

A.W.

Black and

Prahallad, Voice conversion using artificial neural networks, in: IEEE International Conference on Acoustics, Speech and Signal Processing, 2009.

18.

Evans,

Yamagishi and

Kinnunen, Spoofing and countermeasures for speaker verification: A need for standard corpora, protocols and metrics, IEEE Signal Processing Society Speech and Language Technical Committee Newsletter (2013).

19.

Ganapathiraju and

A.N.

Iyer, Method and system for real-time keyword spotting for speech analytics, July 20 2012, US Patent App. 13/554,937.

20.

M.T.

Goodrich,

Sirivianos,

Solis,

Tsudik and

Uzun, Loud and clear: Human-verifiable authentication based on audio, in: International Conference on Distributed Computing Systems, 2006.

21.

Hollien,

Majewski and

E.T.

Doherty, Perceptual identification of voices under normal, stress and disguise speaking conditions, Journal of Phonetics (1982).

22.

Infosecurity, Microsoft expands encryption to foil government snooping, 2013, http://www.infosecurity-magazine.com/news/microsoft-expands-encryption-to-foil-government/.

23.

ITUT Rec, P.800: Methods for subjective determination of transmission quality, Union, Geneva, International Telecommunication, 1996, https://www.itu.int/rec/T-REC-P.800-199608-I/en.

24.

Kain and

M.W.

Macon, Spectral voice conversion for text-to-speech synthesis, in: Proceedings of the 1998 IEEE International Conference on Acoustics, Speech and Signal Processing, 1998.

25.

Kenny,

Boulianne,

Ouellet and

Dumouchel, Joint factor analysis versus eigenchannels in speaker recognition, IEEE Transactions on Audio, Speech, and Language Processing 15(4) (2007), 1435–1447. doi:10.1109/TASL.2006.881693.

26.

Kenny,

Ouellet,

Dehak,

Gupta and

Dumouchel, A study of inter-speaker variability in speaker verification, in: Acoustics, Speech and Signal Processing, IEEE Transactions on, 2008.

27.

Khoury,

El Shafey and

Marcel, Spear: An open source toolbox for speaker recognition based on Bob, in: Proceedings of the 39th IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2014, pp. 155–1659. doi:10.1109/ICASSP.2014.6853879.

28.

Kinnunen,

Z.-Z.

Wu,

K.A.

Lee,

Sedlak,

E.S.

Chng and

Li, Vulnerability of speaker verification systems against voice conversion spoofing attacks: The case of telephone speech, in: Proceedings of the 2012 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), IEEE, 2012, pp. 4401–4404. doi:10.1109/ICASSP.2012.6288895.

29.

Kominek,

Schultz and

A.W.

Black, Synthesizer voice quality of new languages calibrated with mean mel cepstral distortion, in: Proc. Inte. Workshop Spoken Lang. Technol. for Under-Resourced Lang. (SLTU), 2008.

30.

Kreiman and

Sidtis, Foundations of Voice Studies: An Interdisciplinary Approach to Voice Production and Perception, John Wiley & Sons, 2011.

31.

Ladefoged and

Ladefoged, The ability of listeners to identify voices, UCLA Working Papers in Phonetics 49 (1980).

32.

Y.W.

Lau,

Wagner and

Tran, Vulnerability of speaker verification to voice mimicking, in: Proceedings of 2004 International Symposium on Intelligent Multimedia, Video and Speech Processing (ISIMP 2004), IEEE, New York, 2004, pp. 145–149.

33.

Laur and

Nyberg, Efficient mutual data authentication using manually authenticated strings, in: Cryptology and Network Security (CANS), 2006.

34.

Mobio, n.d., https://www.idiap.ch/dataset/mobio.

35.

Mukhopadhyay,

Shirvanian and

Saxena, All your voices are belong to us: Stealing voices to fool humans and machines, in: Computer Security – ESORICS, 2015.

36.

NIST, NIST SREs, n.d., http://www.itl.nist.gov/iad/mig//tests/spk/.

37.

Petraschek,

Hoeher,

Jung,

Hlavacs and

W.N.

Gansterer, Security and usability aspects of man-in-the-middle attacks on ZRTP, J. UCS 14(5) (2008).

38.

PGPfone , PGPfone – Pretty Good Privacy Phone, n.d., http://www.pgpi.org/products/pgpfone/.

39.

D.A.

Reynolds,

T.F.

Quatieri and

R.B.

Dunn, Speaker verification using adapted Gaussian mixture models, in: Digital Signal Processing, 2000.

40.

Rose, Forensic Speaker Identification, CRC Press, 2003.

41.

Shirvanian and

Saxena, Wiretapping via mimicry: Short voice imitation man-in-the-middle attacks on crypto phones, in: Proceedings of the ACM Conference on Computer and Communications Security, 2014.

42.

SilentCircle , Silent circle – Private communications, n.d., https://silentcircle.com/.

43.

Stolcke,

S.S.

Kajarekar,

Ferrer and

Shrinberg, Speaker recognition with session variability normalization based on mllr adaptation transforms, IEEE Transactions on Audio, Speech, and Language Processing (2007).

44.

Sundermann,

Hoge,

Bonafonte,

Ney,

Black and

Narayanan, Text-independent voice conversion based on unit selection, in: Acoustics, Speech and Signal Processing (ICASSP), 2006.

45.

Sundermann,

Ney and

Hoge, VTLN-based cross-language voice conversion, in: 2003 IEEE Workshop on Automatic Speech Recognition and Understanding (ASRU’03), 2003.

46.

Suvarna Kumar,

K.A.

Prasad Raju,

Rao CPVNJ and

Satheesh, Speaker recognition using GMM, International Journal of Engineering Science and Technology 2(6) (2010), 2428–2436.

47.

Szoke,

Schwarz,

Matejka,

Burget,

Karafiát,

Fapso and

Cernocky, Comparison of keyword spotting approaches for informal continuous speech, in: Workshop on Multimodal Interaction and Related Machine Learning Algorithms, 2005.

48.

Toda,

A.W.

Black and

Tokuda, Spectral conversion based on maximum likelihood estimation considering global variance of converted parameter, in: Proc. ICASSP, Vol. 1, 2005.

49.

Toda,

A.W.

Black and

Tokuda, Voice conversion based on maximum-likelihood estimation of spectral parameter trajectory, IEEE Transactions on Audio, Speech, and Language Processing 15(8) (2007). doi:10.1109/TASL.2007.907344.

50.

A.R.

Toth and

A.W.

Black, Using articulatory position data in voice transformation, ISCA SSW6 (2007).

51.

Uzun,

Karvonen and

Asokan, Usability analysis of secure pairing methods, in: Financial Cryptography and Data Security, 2007.

52.

Vaudenay, Secure communications over insecure channels based on short authenticated strings, in: Advances in Cryptology – CRYPTO, 2005.

53.

Vogt and

Sridharan, Explicit modelling of session variability for speaker verification, Computer Speech & Language (2008).

54.

Voxforge, n.d., http://www.voxforge.org/.

55.

Wester,

Wu and

Yamagishi, Human vs machine spoofing detection on wideband and narrowband data, in: Sixteenth Annual Conference of the International Speech Communication Association, 2015.

56.

Wu,

Evans,

Kinnunen,

Yamagishi,

Alegre and

Li, Spoofing and countermeasures for speaker verification: A survey, Speech Communication 66 (2015), 130–153. doi:10.1016/j.specom.2014.10.005.

57.

Wu,

Khodabakhsh,

Demiroglu,

Yamagishi,

Saito,

Toda and

King, Sas: A speaker verification spoofing database containing diverse attacks, in: 2015 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), IEEE, 2015, pp. 4440–4444. doi:10.1109/ICASSP.2015.7178810.

58.

Wu and

Li, Voice conversion and spoofing attack on speaker verification systems, in: Signal and Information Processing Association Annual Summit and Conference (APSIPA), 2013 Asia-Pacific, 2013.

59.

Yang,

Shechtman,

Wang,

Bourdev and

Metaxas, Face morphing using 3D-aware appearance optimization, in: Proceedings of Graphics Interface (GI’2012), ACM, 2012, pp. 93–99.

60.

Zfone, The Zfone project, n.d., http://zfoneproject.com/.

61.

Zhang,

Wang,

Farley,

Yang and

Jiang, On the feasibility of launching the man-in-the-middle attacks on VoIP from remote attackers, in: International Symposium on Information, Computer, and Communications Security, ASIACCS, 2009.

62.

ZRTP, ZORG – An implementation of the ZRTP protocol, n.d., http://support.privatewave.com/docs/display/ZORG/ZRTP.

Short voice imitation man-in-the-middle attacks on Crypto Phones: Defeating humans and machines 1

Abstract

Keywords

1. Introduction

2.1. Communication and threat model

2.2. SAS protocols

2.3. SAS validation mechanisms

3. Our attacks & background

3.2. Attacking human-based speaker verification

3.3. Attacking machine-based speaker verification

4. Attack design, implementation and performance evaluation

4.1. Attack design

4.2. Attack implementation – Putting the pieces together

4.3. Delay of the attack

5. Evaluating the attack against humans

5.1. Setup

5.2. Results

6.1. Setup

6.3. Automated quality test design and results

2 Weighted average of the magnitudes of cepstral peaks.

8. Conclusions

References

²
Weighted average of the magnitudes of cepstral peaks.