Software Attacks Software in Security Wars
Recent research suggests that Google's audio CAPTCHA is the latest in a string of CAPTCHAs to have been defeated by software.
A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is the set of squiggly, hard-to-read letters that many sites now have you enter to prove you are human.
Image CAPTCHAs for Google, Windows Live, and Yahoo! have been broken in recent months, and this is believed to account for the increasing levels of spam coming from the webmail services that those companies provide.
It has been theorized that one cost-effective means of breaking audio CAPTCHAs and image CAPTCHAs for which automated systems have not yet been developed is to use a mechanical turk and pay low per-CAPTCHA rates for reading by humans, or to provide another form of motivation, such as access to adult sites, for reading the CAPTCHA. However, this approach has always required a significant level of resources.
The development of software to automatically interpret CAPTCHAs brings up a number of problems for site operators -- in particular, software that can rapidly interpret the tests effectively negates any barrier to entry that the CAPTCHA once represented.
Audio CAPTCHAs are a means of allowing vision-impaired Internet users access to site areas that they would otherwise be denied. Much like their image counterparts, audio CAPTCHAs apply distortion to a set of numbers or letters that are read out in a small audio file. The idea is that a human can efficiently disregard the distortion and interpret the characters being read out, while software would struggle with the distortion and would need to be effective at speech-to-text translation in order to succeed.
The problem, as discovered by Wintercore Labs and published at the start of March, is that there are repeatable patterns evident in the audio file, and by applying a set of complex but straightforward processes, a library can be built of the basic signal for each possible character that can appear in the CAPTCHA.
Wintercore point to other audio CAPTCHAs that could be easily reversed using this technique, including the one for Facebook. The wider impact of this work might take some time to appear, but it provides an interesting proof of breaking audio CAPTCHAs. At the least, it shows that both of Google's CAPTCHA tools have now been defeated by software and it should only be a matter of time until the same can be said for Microsoft and Yahoo!'s offerings. Even with an effectiveness of only 90%, any failed CAPTCHA can easily be reloaded for a second try.
Even though Wintercore have declined to release their tool, the increasing awareness of the capabilities described should see competing tools emerge in the near future.