Black-box Adversarial Attacks on Commercial Speech Platforms with Minimal Information

TL;DR

This paper introduces novel black-box adversarial attack methods for commercial speech platforms, achieving high success rates without relying on confidence scores or internal model access, highlighting vulnerabilities in popular speech APIs and devices.

Contribution

It proposes Occam, a decision-only black-box attack for speech APIs, and NI-Occam, a non-interactive physical attack for voice devices, both demonstrating effective adversarial examples in practical scenarios.

Findings

Occam achieves 100% success rate on multiple speech APIs.

NI-Occam successfully fools major voice assistants with high transferability.

Both methods operate effectively without internal model knowledge or interaction.

Abstract

Adversarial attacks against commercial black-box speech platforms, including cloud speech APIs and voice control devices, have received little attention until recent years. The current "black-box" attacks all heavily rely on the knowledge of prediction/confidence scores to craft effective adversarial examples, which can be intuitively defended by service providers without returning these messages. In this paper, we propose two novel adversarial attacks in more practical and rigorous scenarios. For commercial cloud speech APIs, we propose Occam, a decision-only black-box adversarial attack, where only final decisions are available to the adversary. In Occam, we formulate the decision-only AE generation as a discontinuous large-scale global optimization problem, and solve it by adaptively decomposing this complicated problem into a set of sub-problems and cooperatively optimizing each one. Our Occam is a one-size-fits-all approach, which achieves 100% success rates of attacks with an average SNR of 14.23dB, on a wide range of popular speech and speaker recognition APIs, including Google, Alibaba, Microsoft, Tencent, iFlytek, and Jingdong, outperforming the state-of-the-art black-box attacks. For commercial voice control devices, we propose NI-Occam, the first non-interactive physical adversarial attack, where the adversary does not need to query the oracle and has no access to its internal information and training data. We combine adversarial attacks with model inversion attacks, and thus generate the physically-effective audio AEs with high transferability without any interaction with target devices. Our experimental results show that NI-Occam can successfully fool Apple Siri, Microsoft Cortana, Google Assistant, iFlytek and Amazon Echo with an average SRoA of 52% and SNR of 9.65dB, shedding light on non-interactive physical attacks against voice control devices.