The University of Michigan developed new wearable devices to increase security. The new tools, a security-token necklace, ear buds or eyeglasses, could tackle vulnerabilities in voice authentication, the act of logging into services or devices using the vocal recognition.

Talking to electronic devices is increasingly becoming a popular and common way to control them. In a time were technology shape people life, voice assistants connect people to their mobile devices, homes and vehicles. Using spoken interactions, we issue commands to our devices placing calls, writing and sending speech-to-text messages, sending voice messages, checking emails, getting travel directions and even access personal area such as bank accounts. For instance, Barclays bank recently introduced a function to allow call-in center to verify their customers identity through voice anaysis.

However, researchers define sound and “open channel” that can be easily spoofed not only by expert hackers but also by mediocre impersonators

“Increasingly, voice is being used as a security feature but it actually has huge holes in it,” said Dr Kang Shin, Kevin and Nancy O’Connor Professor of Computer Science and professor of electrical engineering and computer science at U-M. “If a system is using only your voice signature, it can be very dangerous. We believe you have to have a second channel to authenticate the owner of the voice.”

The solution that Dr Shin’s team developed to face the challenge is called VAuth (pronounced vee-auth), and consists in a wearable device that can take be shaped as a necklace, ear buds or a small attachment to eyeglasses. VAuth continuously registers speech-induced vibrations on the user’s body and matches them to the sound of that person’s voice to create a unique and secure signature.

The process of speaking creates vibrations that can be detected on the skin of a person’s face, throat or chest. The system works by leveraging the instantaneous consistency between signals from the accelerometer in the wearable security token and the microphone in the electronic device. You can only use voice authentication with your device when you’re wearing the security token.

The team has built a prototype using an off-the-shelf accelerometer, which measures motion, and a Bluetooth transmitter, which sends the vibration signal to the microphone in the user’s device. They’ve also developed matching algorithms and software for Google Now.

“VAuth is the first serious attempt to secure this service, ensuring that your voice assistant will only listen to your commands instead of others,” Shin said. “It delivers physical security, which is difficult to compromise even by sophisticated attackers. Only with this guarantee can the voice assistant be trusted as personal and secure, especially in scenarios such as banking and home safety.”

That’s a drastic departure from existing voice biometric mechanisms, which require training from each individual who will use them, said Kassem Fawaz, who worked on the project as a graduate student at U-M and is now an assistant professor at the University of Wisconsin.

“In addition, VAuth overcomes a key problem of voice biometrics,” he said. “A voice biometric, similar to a fingerprint, is not easy to keep protected. From a few recordings of the user’s voice, an attacker can impersonate the user by generating a matching ‘voice print.’

“The users can do little to regain their security as they cannot simply change their voice. On the other hand, when losing VAuth for any reason, the user can simply unpair it to prevent an attacker from using their device.”

The team tested VAuth with 18 users and 30 voice commands. It achieved a 97-percent detection accuracy and less than 0.1 percent false positive rate, regardless of its position on the body and the user’s language, accent or even mobility. The devices also successfully thwarts various practical attacks, such as mangled voice attacks, replay attacks or impersonation attacks.

The researchers also surveyed 952 people to gauge their willingness to wear a security token. “Seventy percent of them said they are willing to give VAuth a serious try in one of the three configurations we developed – and half of them said they are willing to pay $25 more for the technology,” said Huan Feng, who worked on the project as a graduate student and currently works for Facebook.

A paper introducing VAuth called “Continuous Authentication for Voice Assistants,” will be presented Oct. 19 at the International Conference on Mobile Computing and Networking, MobiCom 2017, in Snowbird, Utah. The work was supported by the National Science Foundation. The researchers have applied for patent protection, and they are seeking commercialization partners to help bring the technology to market.

Written by: Pietro Paolo Frigenti

Source: Moore, C. N. (2017). Wearables to boost security of voice-based log-in . Retrieved on 26th October, 2017.