MITRE Technology Lets You Use Your Voice to Protect Mobile DevicesDecember 2014
Topics: Human Language Technology, Biometrics, Machine Learning, Information Privacy, Information Security Technologies, Wireless Communications
What if you could use your own voice to lock and unlock your mobile device? A voice-based authentication that offers multi-factor protection measures such as physical characteristics of one's vocal cord and the speaker's articulatory behavior, as well as knowledge of the spoken password, would probably make you pretty confident that your data was well protected.
But it shouldn't. What if someone was sitting behind you, secretly taping you as you spoke your passphrase into the phone? Moments later, when you left your phone unattended, this person might grab it and unlock it by playing back the recorded passphrase. Soon enough he could have worked his way into your checking account or downloaded some malware for you to "share" with your company network. How safe is your data now?
MITRE's Qian Hu, chief scientist of speech technology, is tackling this very real problem. She and her team have been experimenting with speech technology as a security mechanism against cyber-attacks originating from mobile devices. The need for improved defense of mobile devices has soared as more and more business, government, and personal activities are moving off main networks and onto smartphones, PDAs, and tablets.
Is It Live or Is It a Hacker's Trick?
Lost or stolen mobile devices are notoriously difficult to protect. Traditional authentication measures, such as typed-in passwords or screen-pattern matches, are easily stolen or hacked. In contrast, security mechanisms based on biometric authentication could provide a powerful alternative. Biometrics are unique personal physical characteristics, such as face, retina, fingerprints, and voice, that are not easily reproduced or compromised—at least not in theory.
Voice authentication could become a safe and convenient method to ensure that a mobile device is only accessible by its rightful owner—if it weren’t so routinely duped by the hacking ploy of playback, one of today's most common and prolific presentation attacks for voice authentication.
"Voice is a convenient modality for authentication, because there's no typing of hard-to-remember passwords," Hu says. "A user can choose a phrase that's meaningful and easy to remember [by the user] as a voice password. It's more secure because it provides a multi-factor biometric authentication. But what's critical is the detection piece. We have to be able to distinguish a live voice from a recording. Today, there is a gap in the commercial marketplace for the capability."
Finding Your Real Voice
Hu's talented, interdisciplinary team—comprising a speech technologist, a digital signal processing researcher, a database engineer, and a mobile computer engineer—has filled that gap. They analyzed thousands of voice samples, both playback recordings and live ones from various recording and playback devices. The team then developed algorithms that can differentiate live voice from playback recordings using mobile devices with high accuracy.
The resulting prototype software is called Biometrics-Based User Authentication on Mobile Devices, or BioBAM. It works on an Android platform performing voice authentication for access control and continuous authentication either by time or by applications that the user selects to have high security protection with voice authentication. MITRE has filed a patent application for Systems and Method for Biometrics-Based Authentication via Voice.
The project team, funded by MITRE's independent research and development program, has been showcasing its work directly to relevant MITRE sponsors who have a need for this technology. They are also sharing their discoveries at conferences in an effort to advance the state of the art in biometrics-based user authentication.
There has been significant interest in BioBAM from both government sponsors and industry. MITRE has made the technology available for licensing. Hu and her team are talking to interested organizations about the best way to transfer their work and make it available to MITRE sponsors to enhance mobile computing and cybersecurity.
"This team has demonstrated a deep commitment to working on some of our customers' most challenging problems," says Barry Costa, director of MITRE's Technology Transfer Office. "These researchers have developed a technology that, once licensed, will allow both our customers and commercial industry to buy a supported, cost-effective commercial product that incorporates cutting edge MITRE voice authentication technology. This is truly a great example of working in the public interest."
Additional Biometric Security Measures on the Horizon
Hu and her team also wanted to find other ways to protect an unlocked mobile device or workstation that is stolen or left unattended—as additional security. They developed a continuous monitoring function for mobile devices that can be time-based, application-specific, or both. For example, a BioBAM user sets up the system to provide recurring screen prompts for a range of time intervals, such as every 15 minutes. Likewise, users can select specific applications for which they want the added protection of a security prompt.
Going forward, Hu's team will be working on integrating other biometric modalities, such as facial recognition and fingerprints, into BioBAM to further enhance security. Their hope is that protecting access to a device, workstation, or even physical facilities by authenticating live vocal passphrases, fingerprints, and facial structure will prove daunting to even the most advanced and persistent attackers.
"Qian Hu and her team have leveraged decades' worth of experience in speech technology and cybersecurity to deliver a secure identity solution that will enhance the integrity of mobile devices in the public interest," notes Mark Maybury, MITRE vice president and chief technology officer.
—by Twig Mowatt and Beverly Wood