Black-Box Attacks via the Speech Interface Using Linguistically Crafted Input

Abstract: This paper presents the results of experiments demonstrating novel black-box attacks via the speech interface. We demonstrate two types of attack that use linguistically crafted adversarial input to target vulnerabilities in the handling of speech input by a speech interface. The first attack demonstrates the use of nonsensical word sounds to gain covert access to voice-controlled systems. This attack exploits vulnerabilities at the speech recognition stage of handling of speech input. The second attack demons… Show more

“…They present the results of experimental work showing that it is possible to mislead natural language understanding in third-party applications for Amazon Alexa (known as Skills) by replacing words in target commands or by embedding homophones of target command words in a different sense context so as to create apparently unrelated utterances that are accepted by the system as the target command. In an extended version of the original paper, published in this volume, the authors demonstrate further instances of the latter type of attack on Amazon Alexa Skills as well as on open-source natural language understanding technology RASA NLU (Bispham et al [9]). This type of attack based on embedding homophones of target command words in a different sense context is termed a 'word transplant' attack by the authors.…”

“…The potential of such an approach to defend against attacks on natural language understanding in voice-controlled systems can be trivially demonstrated in the context of the 'word transplant' attacks on natural language understanding in Alexa Skills and RASA NLU using homophones of target command words demonstrated by Bispham et al [9], using the readily available machine translation technology Google Translate. 9 Google Translate uses RNNs for sequence-tosequence mapping of input in one language to output in another language (see Wu et al [54]). Table 2 shows the successful adversarial commands used in the word transplant attacks on natural language understanding in Alexa Skills and RASA NLU demonstrated by Bispham et al and their translation by Google Translate into German.…”

The Security of the Speech Interface: A Modelling Framework and Proposals for New Defence Mechanisms

“…They present the results of experimental work showing that it is possible to mislead natural language understanding in third-party applications for Amazon Alexa (known as Skills) by replacing words in target commands or by embedding homophones of target command words in a different sense context so as to create apparently unrelated utterances that are accepted by the system as the target command. In an extended version of the original paper, published in this volume, the authors demonstrate further instances of the latter type of attack on Amazon Alexa Skills as well as on open-source natural language understanding technology RASA NLU (Bispham et al [9]). This type of attack based on embedding homophones of target command words in a different sense context is termed a 'word transplant' attack by the authors.…”

“…The potential of such an approach to defend against attacks on natural language understanding in voice-controlled systems can be trivially demonstrated in the context of the 'word transplant' attacks on natural language understanding in Alexa Skills and RASA NLU using homophones of target command words demonstrated by Bispham et al [9], using the readily available machine translation technology Google Translate. 9 Google Translate uses RNNs for sequence-tosequence mapping of input in one language to output in another language (see Wu et al [54]). Table 2 shows the successful adversarial commands used in the word transplant attacks on natural language understanding in Alexa Skills and RASA NLU demonstrated by Bispham et al and their translation by Google Translate into German.…”

The Security of the Speech Interface: A Modelling Framework and Proposals for New Defence Mechanisms