Bookmarked CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition (
The popularity of ASR (automatic speech recognition) systems, like Google Voice, Cortana, brings in security concerns, as demonstrated by recent attacks. The impacts of such threats, however, are less clear, since they are either less stealthy (producing noise-like voice commands) or requiring the physical presence of an attack device (using ultrasound). In this paper, we demonstrate that not only are more practical and surreptitious attacks feasible but they can even be automatically constructed. Specifically, we find that the voice commands can be stealthily embedded into songs, which, when played, can effectively control the target system through ASR without being noticed. For this purpose, we developed novel techniques that address a key technical challenge: integrating the commands into a song in a way that can be effectively recognized by ASR through the air, in the presence of background noise, while not being detected by a human listener. Our research shows that this can be done automatically against real world ASR applications. We also demonstrate that such CommanderSongs can be spread through Internet (e.g., YouTube) and radio, potentially affecting millions of ASR users. We further present a new mitigation technique that controls this threat.

It seems sharing play-lists is no longer an innocent behaviour, nor is playing YouTube with the sound on in the presence of automated speech recognition like Google’s, Amazon’s and Apple’s cloud connected microphones in your living room. “CommanderSongs can be spread through Internet (e.g., YouTube) and radio.

The easiest mitigation of course is not having such microphones in your home in the first place. Another is running your own ASR with your 95% standard commands localized in the device. Edge first like Candle proposes, not cloud first.

4 reactions on “

  1. Nice! No, not really. I have been tangentially following open source IoT development for some time as it pertains to ASR, home automation, etc. I cannot imagine inviting a limitless number of complete strangers into my home to observe my every word and move, yet this is the net effect of filling your home with IoT. I am resigned, however, to the reality that the vast majority of people either can’t or don’t care, and the combination of their addiction to convenience with their apathy toward privacy/self-preservation will make lots of money for lots of vendors for a long time to come. That doesn’t work for me, so I do try to monitor the evolution of open source tech alternatives which have the potential to give both the benefits and the control to users.

Comments are closed.