Efforts to make the web more accessible have unwittingly made it less secure, according to computer scientists who have developed software to crack the audio CAPTCHAs used by websites as part of their sign-up process.
You're probably familiar with traditional CAPTCHAs, the obscured words used to verify that a new user is a person rather than a bot, but this image-based security measure is difficult for visually impaired people to use. To help such users, websites also offer audio CAPTCHAs, in which a computerised voice reads out letters or digits distorted by noise, but their security hadn't been as extensively studied as that of the visual versions.
Now, researchers have used software called Decaptcha to crack commercial audio CAPTCHAs used by eBay, Microsoft, Yahoo and others, with success rates from 41 to 89 per cent. The system known as reCAPTCHA - developed by the original inventors of the CAPTCHA and now owned by Google - was more resilient to attack, with only 1.5 per cent of CAPTCHAs broken. Even such a low success rate renders audio CAPTCHAs useless, as an attacker in control of a large botnet of infected computers can easily afford to make 100 attempts for every successfully created account.
Decaptcha uses a number of audio-processing techniques to remove noise and identify the individual digits in an audio CAPTCHA. The software has to be trained for 20 minutes on each type of CAPTCHA and can then solve tens of CAPTCHAs per minute on an ordinary desktop computer.
The researchers say their techniques leave most modern audio CAPTCHAs unusable, and alternatives must be developed. Decaptcha struggles only with CAPTCHAs that include semantic noise: sounds, such as music or vocal tracks, that share characteristics with spoken digits. For example, reCAPTCHA uses background conversations to obscure the digits, making it hard for the software to pick them out.
Humans can also find these CAPTCHAs difficult to understand, however, which means reCAPTCHA has a high failure rate. The researchers suggest that using music rather than vocal tracks could create CAPTCHAs that are still hard for Decaptcha but easier for humans, because we can tune in to the correct sounds. They presented their work yesterday at the IEEE Symposium on Security and Privacy in Oakland, California.