Good vibrations: wearables add security to voice activated devices

Vulnerabilities in voice authentication could be eradicated with wearable devices that register speech-induced vibrations on the user’s body and pairs them with the sound of that person’s voice.

VAuth voice verification technology (credit: Joseph Xu)

Voice activated systems in mobile devices, homes and vehicles are becoming more widespread but sound is an open-channel and such systems can be breached by third parties via mediocre impersonators and sophisticated hackers alike.

To counter this, engineers at the University of Michigan have developed voice verification technology that can be embedded in a necklace, ear buds or eyeglasses.

“Increasingly, voice is being used as a security feature but it actually has huge holes in it,” said Kang Shin, the Kevin and Nancy O’Connor Professor of Computer Science and professor of electrical engineering and computer science at U-M. “If a system is using only your voice signature, it can be very dangerous. We believe you have to have a second channel to authenticate the owner of the voice.”

The solution that Shin and colleagues developed is called VAuth, which is said to continuously register speech-induced vibrations on the user’s body and pair them with the sound of that person’s voice to create a unique and secure signature.

According to U-M, speaking creates vibrations that can be detected on the skin of a person’s face, throat or chest. The system works by leveraging the instantaneous consistency between signals from the accelerometer in the wearable security token and the microphone in the electronic device. A user could only use voice authentication with their device when wearing the security token.

The team has built a prototype using an off-the-shelf accelerometer and a Bluetooth transmitter, which sends the vibration signal to the microphone in the user’s device. They’ve also developed matching algorithms and software for Google Now.

“VAuth is the first serious attempt to secure this service, ensuring that your voice assistant will only listen to your commands instead of others,” Shin said. “It delivers physical security, which is difficult to compromise even by sophisticated attackers. Only with this guarantee can the voice assistant be trusted as personal and secure, especially in scenarios such as banking and home safety.”

That’s a drastic departure from existing voice biometric mechanisms, which require training from each individual who will use them, said Kassem Fawaz, who worked on the project as a graduate student at U-M and is now an assistant professor at the University of Wisconsin.

“In addition, VAuth overcomes a key problem of voice biometrics,” he said. “A voice biometric, similar to a fingerprint, is not easy to keep protected. From a few recordings of the user’s voice, an attacker can impersonate the user by generating a matching ‘voice print.’

“The users can do little to regain their security as they cannot simply change their voice. On the other hand, when losing VAuth for any reason, the user can simply unpair it to prevent an attacker from using their device.”

The team tested VAuth with 18 users and 30 voice commands. It achieved a 97-percent detection accuracy and less than 0.1 percent false positive rate, regardless of its position on the body and the user’s language, accent or even mobility.

A study on VAuth, titled Continuous Authentication for Voice Assistants, will be presented today, October 19, 2017 at the International Conference on Mobile Computing and Networking, MobiCom 2017, in Snowbird, Utah.