DolphinAtack: Inaudible Voice Commands

TL;DR

This paper introduces DolphinAttack, an inaudible ultrasonic attack method that exploits microphone nonlinearity to inject hidden voice commands into speech recognition systems, demonstrating real-world vulnerabilities and proposing detection defenses.

Contribution

The work presents a novel ultrasonic attack technique that renders voice commands inaudible while still being interpreted by speech systems, highlighting a new security threat.

Findings

Successfully activated voice assistants with inaudible commands

Demonstrated attacks on multiple popular speech recognition systems

Proposed and validated detection methods using SVM classifiers

Abstract

Speech recognition (SR) systems such as Siri or Google Now have become an increasingly popular human-computer interaction method, and have turned various systems into voice controllable systems(VCS). Prior work on attacking VCS shows that the hidden voice commands that are incomprehensible to people can control the systems. Hidden voice commands, though hidden, are nonetheless audible. In this work, we design a completely inaudible attack, DolphinAttack, that modulates voice commands on ultrasonic carriers (e.g., f > 20 kHz) to achieve inaudibility. By leveraging the nonlinearity of the microphone circuits, the modulated low frequency audio commands can be successfully demodulated, recovered, and more importantly interpreted by the speech recognition systems. We validate DolphinAttack on popular speech recognition systems, including Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Alexa. By injecting a sequence of inaudible voice commands, we show a few proof-of-concept attacks, which include activating Siri to initiate a FaceTime call on iPhone, activating Google Now to switch the phone to the airplane mode, and even manipulating the navigation system in an Audi automobile. We propose hardware and software defense solutions. We validate that it is feasible to detect DolphinAttack by classifying the audios using supported vector machine (SVM), and suggest to re-design voice controllable systems to be resilient to inaudible voice command attacks.