QFA2SR

Official Website for

"QFA2SR: Query-Free Adversarial Transfer Attacks to Speaker Recognition Systems"

(USENIX Security 2023)

QFA2SR against commercial speaker verification APIs

Alice (female) is the enrolled speaker. Bob (male) or Dave (male) is the imposter.

In each text, there are three voices, denoted by X, Y, and Z, from left to right.

X: the enrollment voice of Alice.

Y: the original voice of Bob/Dave.

Z: the corresponding adversarial voice crafted from Y using our attack QFA2SR.

Microsoft Azure/Jingdong accepts X, rejects Y, and accepts Z (indicating a successful attack).

Notice: If you cannot play the audio, please refresh the webpage.

X (enroll voice of Alice) Y (original voice of Bob/Dave) Z (adversarial voice from Y)

TEXT-01: houston we have had a problem

text=1$Alice.wav

text=1$Bob.wav

text=1$Alice$Bob.wav

TEXT-02: apple juice tastes funny after toothpaste

text=2$Alice.wav

text=2$Bob.wav

text=2$Alice$Bob.wav

TEXT-03: you can activate security system now

text=3$Alice.wav

text=3$Dave.wav

text=3$Alice$Dave.wav

TEXT-04: my voice is stronger than passwords

text=4$Alice.wav

text=4$Bob.wav

text=4$Alice$Bob.wav

TEXT-05: be yourself everyone else is already taken

text=5$Alice.wav

text=5$Dave.wav

text=5$Alice$Dave.wav

QFA2SR against voice assistants that support speaker recognition

In each video, we first test whether the assistant can be activated by the enrolled speaker,

then check three times whether the original voice from an imposter can activate the voice assistant,

and finally evaluate three times whether the adversarial voice crafted from the same voice of the imposter can activate the voice assistant.

The answers to the three questions are Yes, No, and Yes, respectively, regardless of the voice assistants, indicating the effectiveness of QFA2SR.

Apple Siri (only activation by QFA2SR)

QFA2SR-against-Apple-Siri-2-with-caption.mp4

Apple Siri (activation by QFA2SR + follow-up attack: read message, circumventing the confidentiality of users' data)

2-enroll+origin+adver_read_msg-2.mp4

Google Assistant (only activation by QFA2SR)

QFA2SR-against-Google-Assistant-en-with-caption.mp4

Google Assistant (activation by QFA2SR + follow-up attack: read message, circumventing the confidentiality of data)

2-enroll+origin+adver_read_msg.mp4

Google Assistant (activation by QFA2SR + follow-up attack: delete all reminders, circumventing the integrity of data)

6-delete_reminders.mp4

TMall Genie (only wrong recognition of identity by QFA2SR)

The narration is highlighted in green, while the translation of speech from Chinese to English is highlighted in red.

QFA2SR-against-TMall-Genie-with-caption.mp4

TMall Genie (wrong recognition of identity by QFA2SR + circumvent voiceprint-based shopping and payment, leading to property damage)

TMall-Genie-Voiceprint-Payment-2.mp4