Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: defeating voice captchas
From: Stelian Ene <stelian.ene () gecadtech com>
Date: Tue, 14 Feb 2006 10:20:14 +0200

Gadi Evron wrote:

Therefore, how many times does one have to refresh the page and listen
to the Captcha to be able to simply learn to identify the Captcha by
say, an MD5 hash of the audio for each letter?

That is just a bad implementation, when done well audio Captchas are
probably as secure as their visual counterparts.
"Done well" means that, besides the 10 digits (and/or 26 letters)
recorded by the sexy voice and replayed in a random order, the audio is
mixed with multiple sound sources, different for each generated Captcha.
For example, you can use a symphony(*), random white noise, the sound of
the street, or all of these, at a level of 3 or 6 dB above the voice.
The brain can easily distinguish the secret code from all the background
noise, but it's much more difficult for a computer.
While I'm not an audio expert either, I'm sure this problem is allot
harder than a simple MD5 - just look how bad state of the art voice
recognition software performs in almost ideal conditions, i.e. no
background noise etc.

(*) Of course, it's better to use sound sources that are hard to
identify, and are ideally not available to the attacker; else he could
obtain the same sounds and subtract them from the audio. I think some
random pitch shifting (tremolo) would help against this.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]