How secure is voice recognition technology?

Businesses should plan for vulnerabilities with Siri and others

by Charles Cooper

From performing car commands and phone searches to accessing account information, voice recognition is making digital life nearly effortless.

More people are opting to go hands-free – approximately 40 percent of smartphone owners in the United States are now using voice recognition technologies such as Google Now and Siri. Likewise, many banks in the United Kingdom (and some in the U.S.) are moving away from PIN numbers to voice recognition for account access.

As with many new technologies, though, voice recognition’s touted merits in the field of authentication have yet to be decided.  

A recent adopter on a large scale, the U.K. bank Barclays says that clients can easily set up their voice recognition account with one short conversation that captures a “reference voiceprint.”

Next, during normal phone conversations with the bank’s call center, each client’s voice is compared with their voiceprint for “vocal tract length and shape, pitch and speaking rate” to confirm their identity.

Supporters of Barclay’s new technology point to the fact that each person’s voice is matched against over 100 unique identifiers, foiling any potential for mimicking someone’s voice. In addition, a voice altered by a head cold or a noisy phone line won’t affect recognition because of the robust markers they gather.

As proof of its safety, Barclay points to several wealthy clients who have been using voice recognition for a couple of years without incident.

Cloned voice samples

Some security industry experts point to vulnerabilities in the current crop of voice recognition technologies that make its use on any device questionable. In a voice recognition attack, typical security controls are evaded with fraudulent voice samples.

Researchers at the University of Alabama at Birmingham showed that voice recognition technology is vulnerable to attacks that use cloned voice samples.

The voice samples come from audio found in online videos (e.g. YouTube) and even videos held on private cloud accounts. They also can be caught through sham phones calls and covertly captured recordings.

Because of this simplicity in capturing voice samples, some industry experts see voice recognition as easier to hack compared to other biometric authentications methods, such as fingerprints.

Business vulnerabilities

Business can also be breached through their employees’ personal or enterprise-owned smartphones.

Researchers at ANSSI, the French information security organization, discovered that Apple and Android phones using Siri or Google Now, respectively, could be sent commands to download apps through plugged in headphones with a microphone. The phones could then be instructed to:   

  • download apps with malware
  • visit malicious sites
  • send phishing email

As with any strong security stance, a multilayered approach is an organization’s best means for protecting its data and systems. In addition, employees can be coached made aware of the ways their voices can be cloned and how to avoid attacks through their smartphones.

By using recognized detect-and-respond defenses, your organization can protect itself against known threats – no matter where they originate.

For more information on the best cybersecurity practices for your business, visit the AT&T Cybersecurity Services page.