Sagar

Researcher: RECAPTCHA can be broken using Speech-to-Text API

Researcher: RECAPTCHA can be broken

Jan 07 2021

RECAPTCHA can be broken using Speech-to-Text

Google’s latest reCAPTCHA v3 is still vulnerable to an early attack method dating back to 2017 that uses voice-to-text to bypass CAPTCHA protection.

A video proof-of-concept of the attack on Jan. 2 by the researcher Nikolai Tschacher has proved this.

CAPTCHA, introduced in 2014, stands for Completely Automated Public Turing Test to distinguished Computers and Humans Apart. ReCaptcha is Google’s own technology and it’s a free service that uses image, audio, or text challenges to verify that it’s a human who is signing into an account. It’s free of charge bit of code available from Google for accounts. Google has recently started charging for larger reCAPTCHA accounts.

The technique used behind the attack is very simple: Get the MP3 file of the audio reCAPTCHA and submit it to Google’s own speech-to-text API. Now Google will return the correct answer is almost 97 percent of all cases, as the evidence suggests.

The report includes a video showing evidence of how Tschacher’s bot works. He added that this method of attaching works on even the latest version, reCAPTCHA v3.

Tschacher pointed measures against which this bot wouldn’t be easy to exploit at scale. There are three specific reasons: Google rate-limits audio CAPTCHA access; Google is expected tracking bot metrics; and, it creates a fingerprint of each browsing device to stop bots.

In the Future CAPTCHAs will be replaced by passive AI that collects all kinds of data to constantly determine the browsing signal appears to be human or not. With the developments of advanced AI, the Turing Test will be easily solved in the upcoming future. The deciding attributes will be browsing fingerprint, JavaScript user interaction events like cursor movement, key presses, and IP-address metadata.”, as pointed out by Tschacher.

The idea of attack using speech-to-text against CAPTCHA protection was introduced in 2017 by researchers at the University of Maryland, according to the “85 percent accuracy is achieved”. The tech they dubbed as “UnCAPTCHA.”

Google responded to UnCAPTCHA with the latest reCAPTCHA with improved browser automation detection and the use of spoken phrases instead of numbers. But by June 2018 it was found by researchers that the latest reCAPTCHA was easier to trick than its predecessor.

According to the report after the reCAPTCHA bug was reported to Google in June 2018, and they okayed the release of the unCAPTCHA2 code.

UnCAPTCHA2, also like the original version, is meant to be a PoC, the report’s disclaimer said. It is not expected to work in the future, as Google updates its service, this repository will not be updated. Due to this, it is likely to break at any time.”

Now with unCAPTCHA3: a Tschachers’ version, with which he can achieve a 97 percent success rate, instead of the original 85 percent reported back in 2017.

Is CAPTCHA Secure?

According to Dirk Schrader, a global vice president with New Net Technologies, there isn’t a ready replacement for the widespread replacement of CAPTCHAs and the reality is that no single technology can replace good cybersecurity controls.

No technology, and no application, is safe forever. He added that CAPTCHA has been so far a reliable tool in separating machines from humans and might just need a bit of tweaking to keep up.

TSchrader said. “CAPTCHA has long been seen as an ache, however so far has proven to be a fairly decent tool to distinguish human from machine interaction.”