Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Google's Audio CAPTCHA Falls To Automated Attack

Posted by kdawson on Fri May 02, 2008 10:01 AM
from the what-you-say dept.
Businesses Google The Internet Security
SkiifGeek writes "Early in March, Wintercore Labs published proof of a generic approach to defeating audio CAPTCHAs, using Google's as the case study for their demonstration. With claims of over 90% success rate and expectations that this can be significantly improved with the right mix of filtering algorithms, the in-house tool remains unreleased. But it shouldn't take long for other developers to create their own tools and start targeting not only Google, but other sites that use audio CAPTCHAs for the vision-impaired. It isn't the first time that major sites (significantly major webmail providers) have had their CAPTCHAs broken, but it is the first reporting of defeating an audio CAPTCHA using a generic software approach. News about the discovery is slowly starting to spread."
+ -
story

Related Stories

[+] Windows Live Hotmail CAPTCHA Cracked, Exploited 362 comments
eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?
Submission: Google's Audio CAPTCHA falls to Automated Attack by SkiifGeek (702936)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Google's Audio CAPTCHA Falls To Automated Attack 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • probably borrowing from IVR technology (Score:3, Interesting)

    by revlayle (964221) on Friday May 02 2008, @10:13AM (#23275046) Homepage
    some of the advanced IVR solutions (Interactive Voice Response... for like customer support or paying bills on the phone) can pick out numbers and words pretty well even under some noise conditions. so I am not totally surprised that this cracked the audio CAPTCHA.

    • Re: (Score:3, Insightful)

      by Qzukk (229616)
      IVR works as well as it does because it only has to understand numbers when it's expecting numbers and words when it's expecting words (and then only the words it expects to hear, try yelling "banana" at one). Also try calling your credit card company and telling it your card number is four quadrillion three hundred fifty-two trillion one hundred twelve billion five hundred forty-two million six hundred ninety-five thousand and one.

      If your audio captcha reads each letter one at a time, then your "IVR" only

  • It was bound to happen (Score:3, Interesting)

    by Half-pint HAL (718102) on Friday May 02 2008, @10:16AM (#23275092)

    Right from the start it was clear that audio captchas were theoretically easier to break than visual ones.

    An image captcha is designed to require a mixture of perception and thought, but an audio one has to rely on pure perception, because it's temporary. You hear it then it's gone: you can't analyse it. This makes it infinitely less complicated that a video one.

    It's only because of low uptake that it's taken so long for a true proof-of-concept attack.

    HAL.

    • Re: (Score:2, Interesting)

      by firewrought (36952)

      An image captcha is designed to require a mixture of perception and thought, but an audio one has to rely on pure perception, because it's temporary.

      I think your explanation is missing something, but I can't quite put my finger on what it is. Maybe it would be more accurate to say that audio captcha are simpler to process because (1) researches can't pump as much information thru the ears as they can thru the eyes [sensorary bandwidth is different] and (2) there's not a whole lot we can do to obfuscate a

      • You could mix an audio question with an image.

        You could display an image and ask a question about the image;

        "What color is the shirt on the man?"
        "How many doughnuts are displayed?"
        "How many animals are not cats?"

        Same image could be used for a series of questions.

        Failures are logged against IP address, unusually high numbers are banned.

        Of course, on first look, that keeps a random element out of it so you could have separate elements and combine them for a captcha image;

        -different colored background
        -guy on a
        • Yes, an audio question about an image is a great way to adapt CAPTCHAs to the vision impaired. An audio question about the audio, on the other hand.

        • there's a very serious problem with this approach: it is trivial to brute force. if the question states "how many", then that implies a quick human countable number. guess a number from 1 to 10. is that the correct answer? try a different number 1 to 10. is that it? for your "what color" question, i can think of ~10 legit colors (is it mother-of-pearl or white, navy blue or blue?). once again a brute force approach works pretty well.

          if reading words/characters/numbers from an image is solvable by a captcha

        • The entire point of audio CAPCHAs is that they can be used by the visually impaired using screen-reader browsers.

          Your proposal completely defeats that.

          Also, ideally, your system wouldn't require any cultural knowledge beyond knowledge of the language. For instance, someone born and raised in Zambia could potentially have never heard of a "doughnut," even if they know English.

  • Spread the love (Score:5, Funny)

    by snarfies (115214) on Friday May 02 2008, @10:19AM (#23275140) Homepage
    "News about the discovery is slowly starting to spread."

    And, thanks to Slashdot, news about the discovery is now RAPIDLY spreading.

  • captchas are obsolete (Score:2, Interesting)

    by Anonymous Coward
    do something else. show me a picture of an object and ask me (in a multiple-choice test?) what it is...a tree, a car, a house, a flower, whatever.

    and for the sight-impaired, how about a read description or definition of something? "this thing is the entrance to a house or a room" => door

    come on, webdesigner, it's not that hard to abandon those old and, above all, ANNOYING captchas
  • So given that (I assume) all audio CAPTCHAs have the same problem (i.e., the numbers and clearer voices can easily be found using audio analysis), does that mean that all audio-based CAPTCHAs are bound to fail?
    • Not necessarily, humans are still much more adept at extracting voices from noise(e.g. conversations in crowded conventions) but I imagine people will quickly consider them almost as annoying as the worst of visual CAPTCHAs.
      • I can see a main problem with that: to ensure some degree of entropy, one would have to record enough CAPTCHAs to satisfy all possible combinations of the English alphabet. That's a lot! Even if that is the case, that is actually less secure than an automated audio CAPTCHA because, if anything, hackers can simply download all recorded CAPTCHAs and crack the systems that way.

  • Solving CAPTCHAs is a waste of time (Score:3, Insightful)

    by sakdoctor (1087155) on Friday May 02 2008, @10:25AM (#23275250)
    Apart from OCRing books, I can't think of anything else that is not a total waste of human time. How about meta-moderating as a CAPTCHA activity; probably too fuzzy to work to a reasonable degree of accuracy.

    Basically I think the arms race is already over, and a new paradigms is needed,
    • Classifying porn pictures. This is very useful, girl-on-girl, top half only, etc...

      Realistically, providing one word description for a bunch of pictures could be useful. I know google setup a "game" for this months ago.
  • CAPTCHA technology is going to have a very difficult time over the next few years. Finding tasks (which can be implemented on standard computer systems and transmitted over the internet) that are trivial for humans but exceedingly difficult for computers is going to be rough.

    This is especially true because the computer doesn't need a 100% success rate to effectively "break" the CAPTCHA. Heck, if the CAPTCHA gives you 3 tries before rejecting you, then a 30% success rate = fully broken.

    For right now, they
    • The problem is that captchas have to be computer-generated on the fly. It's hard to think of things a computer can easily do in one direction, that a similar computer cannot undo, but that a human can easily undo. Relationship puzzles between words won't work because the attacking computer probably has dictionary resources very similar to the defending computer's.
  • Spam is already a pretty ethically dubious thing, but this should be viewed differently in the eyes of the law (in the event we actually catch somebody behind it in a 1st world country). Sort of how if you assualt an able bodied man on the street you'll be punished, but assault a grandma with a walker or a boy in a wheelchair, and you'll likely have the book thrown at you. Abusing handicapped accessiblity should really fall into the "boy in a wheelchair" category.

    You'd almost hope that the same sort of hono
  • Paying 3rd-world human beings usually gets past captchas.

    A partial solution is to limit the services you offer based on how well you know them. Anonymous? Offer very limited services.
    Anonymous but tied to an existing email address? Offer a bit more.
    Authenticated by credit card, which could be stolen? Offer a bit more.
    Authenticated by PO box? Offer more.
    Authenticated by street address, driver's license number, and a notary? Assume they are legit, you can always sue the notary if they aren't.

    Authenticat
    • "Authenticated by street address, driver's license number, and a notary? Assume they are legit, you can always sue the notary if they aren't."

      Just another database to be stolen and used to create credit hell for those people listed in the database.

      No thank you.

      The only solution asshattery is pain. No, not virtual pain, REAL Ass Kicking Pain.
  • Spammers need to be shot.

    The only reason to have these things is to try to limit spambots. Imagine if instead of spending Millions of dollars developing and maintaining anti spam technology, we used the money to assassinate Spammers, and the producers of the crap they sell, the problem would immediately disappear.

    You know, I'm almost serious. Why is it that we tolerate Asshats in this world. This is the result of the namby pamby wimpy peaceniks that think when an asshat gets his lights punched out, that the
    • Ha, we're getting the spammers to fund AI research...the more we make captcha's like Touring tests, the more they'll do AI research in their attempts to break it.

  • There was a captcha a while ago that pulled pictures and "hottness" information from hotornot.com, then asked the user to select three of the 9 people that were "hott". link [hotcaptcha.com]

    While this approach probably wouldn't be very appropriate for "serious" companies to use (think IBM, microsoft, usbank, etc.) as protection from bots, I feel like it is a step in the right direction. There are things that humans are really good at and captcha builders need to start using them. For instance: show somebody 5 pictures of
    • The problem is that all these options require photographs, which mean each new CAPTCHA requires some human-work to produce. If we're going to prevent spammers from just exhaustively cataloging the right answers, we need an automatable, procedural way to generate new ones.
      • And that is exactly where the problem is. Anything that has been CREATED by a computer can be reverse engineered by a computer. I know that there were some really HUGE databases created a few years ago that were trying to create artificial intelligence (one of them was called CYC, another was called GAC, there is a wired article about them here [wired.com]) the idea was that people would answer hundreds of thousands of questions like "are purples round?" or similarly silly questions. The hope was that we could progr

  • I think the capcha thing is about over. One alternative is identifying new users by texting a password to their cell phone. One account per cell phone number. This limits access to people with computers but not cell phones, but that's not much of an issue at this point. GMail used to do this.

    Yes, you can buy vast numbers of SIM cards, but they're not free.

    The main problem with this approach is that sending SMS messages is not free. Bulk services charge around US$0.05 to US$0.11 per message. However

  • I've wanted to gripe about this for ages, but here it finally seems on-topic:

    Slashdot's audio CAPTCHA is a joke.

    The computer voice SPELLS the word for you letter-by-letter. A bot wouldn't even have to use heuristics-based speech recognition, just searching for 26 waves (or FFT signatures) would do the trick.
  • The fundamental problem with captcha's is that they are using computers to come up with problems for humans. If a computer can come up with the problem, a computer can come up with the solution.

    Captcha's so far are relying on a human strengths at visual perception, edge finding, pattern recognition, etc to retrieve distorted data. But these are simply processing issues. And computers will eventually solve them all.

    The proposals for 'better captchas' revolve around the idea of having more complex problems of
    • I've been thinking about something like this for a while. I think about it in terms of OpenID, where you get to define the terms of authentication by running your own server.

      Service providers like GMail can turn that around and say, "OK, but we're only going to accept authentication from certain providers, who have confirmed to us one way or another that they reliably identify you as a human."

      OpenID separates authentication from the services, so you don't have a single database to be compromised. The most
  • All I can say is, I'm glad most spammers aren't hearing impaired or else this might really turn into a problem.
  • Digital world is the world of non-humans and humans are aliens in it. The robots are naturals and they do all that interaction with this world much easier and more effectively.

    Currently the dark underinternet world of spambots, worms, viruses, malware, etc. does not have limits in the arms race, while the world of positive use of internet does have them. There is no digital robotic police that have power to enter our private digital domains and check for suspicious activity. There are no government sponsore
  • that this "arms race" of escalating sophistication of captchas and equally sophisticated cracks is actually a form of the Turing test but one conducted with the ethics of a street brawl.

    We do occasionally find the question "Are you human?" posed in proximity to the captcha.
  • Okay.. how about a question...
    And a picture.

    How many parrots are in this picture? (audio).
    Picture of 1-7 parrots mixed with other birds.

    How many miles over the speedlimit is this car going? (audio)
    Picture of a car speedometer at 35 to 95 with a Speed sign through window of 35 to 95 mph.

    What letter is missing from the second word? (audio)
    Habit (picture)
    Hait

    The audio could be a separate text box instead of audio.

    Generate a million simple but unique questions that require thought and each one has multiple po

    • Re: (Score:2, Interesting)

      by carlvlad (942493)
      I hardly ever fail CAPTCHAs before, but ever since RapidShare implements their new CAPTCHAs it made me realized of how many more people suffered through annoyance of this. Kinda ironic though, it was supposed to weed out non-human. Reminds me of the Dilbert strip where PHB is considered the first human to fail the Turing Test.
    • If you listen to Google's captcha, you'll see that it is filled with nonsense voices as well as the real voice. You can still make out the real voice, but it's not entirely trivial. A great improvement, like TFA suggests, would be to use complete words rather than numbers, which turns it into a full voice-recognition problem for an attacker. Also, some manner of distortion in both time and frequency domain should thwart this attack. The only problem is that distorting in the frequency domain isn't all that

        • They don't have to do audio captchas where you type in directly what is said. They could require simple calculations or something like that to make it very hard for a computer to crack without sophisticated natural language processing.

          Enter the first letter of each word: Light Apples Meddle Blindly. (User enters: LAMB) Enter every other word: big white ben light. (User enters: "big ben" or "white light"). What is 14 plus 9? (User enters: 25)

          Add static and nonsense voices and these are all difficult t

        • It's getting to the point where the spammers are solving real, previously unsolved problems with their spamming code. Perhaps this can be harnessed for the good "solve the following protein folding problem", "write a transcript for the following bit of audio" then we'll let you send 100 spam emails.

          I think you're on to something. "factor this huge number and get a free spamming account for a week"
          only problem is you have to make the captchas that grandpa can solve be harder than the problems you give to the spammers.

    • Re: (Score:3, Insightful)

      by liquidpele (663430)
      As if 400 tries in an hour with an 50% failure rate from one IP wouldn't throw flags with any type of captcha.... I really can't understand how these services can *not* see bots doing this, unless the bots are doing it at slow random intervals...

      • Re: (Score:2, Insightful)

        by Gavagai80 (1275204)
        In the case of a high profile target like gmail, they're doing it from thousands of IPs in a botnet.

    • Re:More easier to detect a bot (Score:4, Funny)

      by Keichann (888574) on Friday May 02 2008, @11:40AM (#23276296)
      If only somebody could distribute their bots into a kind of network? Then you'd get traffic arriving from all over the place, that would be significantly more difficult to detect!

      Quick, mod this post down, in case a neer-do-well were to get any ideas.
    • A CAPTCHA has to be completely automated. Grading an essay test would be hard to automate.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.