Introducing Model Inversion Attacks on Automatic Speaker Recognition

TL;DR

This paper demonstrates that model inversion attacks can be extended to audio data, enabling the reconstruction of speaker voices and biometric features from speaker recognition systems, posing significant privacy and security risks.

Contribution

It introduces sliding model inversion, an extension of MI attacks for audio data, showing how to reconstruct and extract speaker voices and biometrics from trained models.

Findings

Reconstructed audio samples can impersonate speakers.

Extracted features reveal biometric information.

Attack enables voice spoofing and command execution.

Abstract

Model inversion (MI) attacks allow to reconstruct average per-class representations of a machine learning (ML) model's training data. It has been shown that in scenarios where each class corresponds to a different individual, such as face classifiers, this represents a severe privacy risk. In this work, we explore a new application for MI: the extraction of speakers' voices from a speaker recognition system. We present an approach to (1) reconstruct audio samples from a trained ML model and (2) extract intermediate voice feature representations which provide valuable insights into the speakers' biometrics. Therefore, we propose an extension of MI attacks which we call sliding model inversion. Our sliding MI extends standard MI by iteratively inverting overlapping chunks of the audio samples and thereby leveraging the sequential properties of audio data for enhanced inversion performance. We show that one can use the inverted audio data to generate spoofed audio samples to impersonate a speaker, and execute voice-protected commands for highly secured systems on their behalf. To the best of our knowledge, our work is the first one extending MI attacks to audio data, and our results highlight the security risks resulting from the extraction of the biometric data in that setup.