Speaking out: Security and voice recognition

From performing car commands and phone searches to accessing account information, voice recognition makes digital life effortless. And more people are opting to go hands-free, with approximately 40 percent of smartphone owners in the United States now using the voice recognition technologies Google Now and Siri. Likewise, many banks in the United Kingdom (and some in the U.S.) are moving away from PINs to voice recognition for account access. But as with many new technologies, voice recognition’s touted merits in the field of authentication have yet to be decided.

Speak freely

A recent adopter on a large scale, the U.K. bank Barclays says that clients can easily set up their voice recognition account with one short conversation that captures a “reference voiceprint.” Then, during normal phone conversations with the bank’s call center, each client’s voice is compared with their voiceprint for “vocal tract length and shape, pitch and speaking rate” to confirm their identity.

Supporters of Barclays’ new technology point to the fact that each person’s voice is matched against over 100 unique identifiers, foiling any potential for mimicking someone’s voice. In addition, a voice altered by a head cold or a noisy phone line won’t affect recognition because of the robust markers the system gathers. As proof of its safety, Barclays points to a number of its wealthy clients who have been using voice recognition for a couple of years without incident.

A forked tongue

But some security industry experts point to vulnerabilities in the current crop of voice recognition technologies that make their use on any device questionable.

In a voice recognition attack, typical security controls are evaded with fraudulent voice samples. Researchers at the University of Alabama at Birmingham showed that voice recognition technology is vulnerable to attack with voice samples cloned from audio found in online videos (e.g. industry and YouTube) and even videos held on private cloud accounts. Voice samples can also be obtained through sham phone calls and covertly captured recordings.

Because voice samples are so simple to capture, some industry experts see voice recognition as easier to hack than other biometric authentication methods, such as fingerprints.

Organizations can also be breached through their employees’ personal or enterprise-owned smartphones.

Consider a game created by AVG, an anti-virus software company, that prompts Samsung users to recite Google Now’s voice commands, which can be used by outsiders to send commands to the smartphone. Once the smartphone is connected to an organization’s network, any downloaded malware could then breach the entire system.

Researchers at ANSSI, the French information security organization, discovered that Apple and Android phones using Siri or Google Now, respectively, could be sent commands to download apps through plugged-in headphones with a microphone. The phones could then be instructed to download apps with malware, visit malicious sites or send phishing email.

As with any strong security stance, a multilayered approach is an organization’s best means for protecting its data and systems. In addition, employees can be made aware of the ways their voices can be cloned and how to avoid attacks through their smartphones. By using recognized detect-and-respond defenses, your organization can protect itself against known threats, no matter where they originate.

Carin Hughes is editor of the AT&T Cybersecurity Insights reports.

Copyright © 2016 IDG Communications, Inc.