MASTERKEY: Practical Backdoor Attack Against Speaker Verification Systems
This work addresses a security vulnerability in widely deployed speaker verification systems, posing a threat to user authentication, but it is incremental as it builds on existing poisoning attacks.
The authors tackled the problem of backdoor attacks on speaker verification systems by proposing MASTERKEY, a practical attack that achieves a 100% success rate with a 15% poison rate and remains effective at lower rates, such as 50% success with 3% poison, across multiple models and real-world scenarios.
Speaker Verification (SV) is widely deployed in mobile systems to authenticate legitimate users by using their voice traits. In this work, we propose a backdoor attack MASTERKEY, to compromise the SV models. Different from previous attacks, we focus on a real-world practical setting where the attacker possesses no knowledge of the intended victim. To design MASTERKEY, we investigate the limitation of existing poisoning attacks against unseen targets. Then, we optimize a universal backdoor that is capable of attacking arbitrary targets. Next, we embed the speaker's characteristics and semantics information into the backdoor, making it imperceptible. Finally, we estimate the channel distortion and integrate it into the backdoor. We validate our attack on 6 popular SV models. Specifically, we poison a total of 53 models and use our trigger to attack 16,430 enrolled speakers, composed of 310 target speakers enrolled in 53 poisoned models. Our attack achieves 100% attack success rate with a 15% poison rate. By decreasing the poison rate to 3%, the attack success rate remains around 50%. We validate our attack in 3 real-world scenarios and successfully demonstrate the attack through both over-the-air and over-the-telephony-line scenarios.