MASTERKEY: Practical Backdoor Attack Against Speaker Verification Systems

TL;DR

This paper introduces MASTERKEY, a practical backdoor attack on speaker verification systems that can target arbitrary users without prior knowledge, achieving high success rates even with low poisoning rates in real-world scenarios.

Contribution

We propose a universal, imperceptible backdoor attack for speaker verification models that works without victim-specific knowledge and demonstrates effectiveness in real-world conditions.

Findings

Achieves 100% success rate with 15% poison rate.

Maintains around 50% success rate at 3% poison rate.

Effective in over-the-air and telephony-line scenarios.

Abstract

Speaker Verification (SV) is widely deployed in mobile systems to authenticate legitimate users by using their voice traits. In this work, we propose a backdoor attack MASTERKEY, to compromise the SV models. Different from previous attacks, we focus on a real-world practical setting where the attacker possesses no knowledge of the intended victim. To design MASTERKEY, we investigate the limitation of existing poisoning attacks against unseen targets. Then, we optimize a universal backdoor that is capable of attacking arbitrary targets. Next, we embed the speaker's characteristics and semantics information into the backdoor, making it imperceptible. Finally, we estimate the channel distortion and integrate it into the backdoor. We validate our attack on 6 popular SV models. Specifically, we poison a total of 53 models and use our trigger to attack 16,430 enrolled speakers, composed of 310 target speakers enrolled in 53 poisoned models. Our attack achieves 100% attack success rate with a 15% poison rate. By decreasing the poison rate to 3%, the attack success rate remains around 50%. We validate our attack in 3 real-world scenarios and successfully demonstrate the attack through both over-the-air and over-the-telephony-line scenarios.