Wednesday, May 1, 2019

Put Words In My Mouth

Put Words In My Mouth | Telspace Systems Intern Research
By Amy ManiĆ 

Money has been withdrawn from your account.

You don’t remember making, or authorising that transaction.

When you follow up with the bank, they say you called earlier and requested the transfer – it was, after-all, you speaking – right? Unbeknownst to you, your voice was stolen, and so was your money.

With the rise of voice authentication biometrics, so too will the opportunities to spoof it. Text-to-Speech APIs are constantly improving, for example, Google’s technology is able to create voices that are indistinguishable from recordings made by the real-life human speaker.

Threat actors have access to a target’s voice recordings through passive channels such as YouTube videos, social media posts etc.  More active / invasive channels an attacker could use would be to compromise vulnerable IoT devices which are becoming more common place throughout homes and offices. Social media posts and IoT devices would allow threat actors to listen to a voice, capture and then manipulate it (all using free online tools).

So what exactly can be done with a ‘stolen’ voice? This research explores the vulnerabilities in IoT devices, the legal landscape surrounding these devices and the various voice cloning, authentication and recognition software currently available. The report culminates by examining the possibilities of banking fraud, by using voice-spoofing to bypass authentication and transfer funds. The report includes a demonstration of the simulated attack on a bank.

Download the full Telspace Systems research paper here which was written by Amy:

No comments: