CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition
This addresses a security threat for users of popular ASR systems like Google Voice and Cortana, presenting a practical and surreptitious attack method that is more feasible than previous approaches.
The paper tackles the problem of creating stealthy adversarial attacks on automatic speech recognition (ASR) systems by embedding voice commands into songs, demonstrating that these CommanderSongs can effectively control target systems without detection and be spread via platforms like YouTube and radio, potentially affecting millions of users.
The popularity of ASR (automatic speech recognition) systems, like Google Voice, Cortana, brings in security concerns, as demonstrated by recent attacks. The impacts of such threats, however, are less clear, since they are either less stealthy (producing noise-like voice commands) or requiring the physical presence of an attack device (using ultrasound). In this paper, we demonstrate that not only are more practical and surreptitious attacks feasible but they can even be automatically constructed. Specifically, we find that the voice commands can be stealthily embedded into songs, which, when played, can effectively control the target system through ASR without being noticed. For this purpose, we developed novel techniques that address a key technical challenge: integrating the commands into a song in a way that can be effectively recognized by ASR through the air, in the presence of background noise, while not being detected by a human listener. Our research shows that this can be done automatically against real world ASR applications. We also demonstrate that such CommanderSongs can be spread through Internet (e.g., YouTube) and radio, potentially affecting millions of ASR users. We further present a new mitigation technique that controls this threat.