CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition
Xuejing Yuan, Yuxuan Chen, Yue Zhao, Yunhui Long, Xiaokang Liu, Kai Chen, Shengzhi Zhang, Heqing Huang, Xiaofeng Wang, and Carl A. Gunter

TL;DR
This paper introduces CommanderSong, a novel method for embedding voice commands into songs that can covertly control speech recognition systems, highlighting a new security threat and proposing a mitigation approach.
Contribution
It presents a systematic approach to create practical, stealthy adversarial voice commands embedded in songs, demonstrating real-world feasibility and threat mitigation.
Findings
Commands embedded in songs can control ASR systems effectively.
Such attacks can be distributed via Internet platforms like YouTube.
A mitigation technique can reduce the threat of CommanderSongs.
Abstract
The popularity of ASR (automatic speech recognition) systems, like Google Voice, Cortana, brings in security concerns, as demonstrated by recent attacks. The impacts of such threats, however, are less clear, since they are either less stealthy (producing noise-like voice commands) or requiring the physical presence of an attack device (using ultrasound). In this paper, we demonstrate that not only are more practical and surreptitious attacks feasible but they can even be automatically constructed. Specifically, we find that the voice commands can be stealthily embedded into songs, which, when played, can effectively control the target system through ASR without being noticed. For this purpose, we developed novel techniques that address a key technical challenge: integrating the commands into a song in a way that can be effectively recognized by ASR through the air, in the presence of…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Digital Media Forensic Detection · Network Security and Intrusion Detection
