Tubes Among Us: Analog Attack on Automatic Speaker Identification
This exposes a critical flaw in security-critical applications like phone banking, challenging defenses that assume humans cannot generate targeted adversarial examples.
The paper tackles the vulnerability of machine learning-based speaker identification systems by showing that humans can produce analog adversarial examples, such as speaking through a tube, to reliably impersonate other speakers, with attacks extending to tasks like liveness detection.
Recent years have seen a surge in the popularity of acoustics-enabled personal devices powered by machine learning. Yet, machine learning has proven to be vulnerable to adversarial examples. A large number of modern systems protect themselves against such attacks by targeting artificiality, i.e., they deploy mechanisms to detect the lack of human involvement in generating the adversarial examples. However, these defenses implicitly assume that humans are incapable of producing meaningful and targeted adversarial examples. In this paper, we show that this base assumption is wrong. In particular, we demonstrate that for tasks like speaker identification, a human is capable of producing analog adversarial examples directly with little cost and supervision: by simply speaking through a tube, an adversary reliably impersonates other speakers in eyes of ML models for speaker identification. Our findings extend to a range of other acoustic-biometric tasks such as liveness detection, bringing into question their use in security-critical settings in real life, such as phone banking.