WearID: Securing Your VA To Your Voice

Virtual Assistants such as Alexa and Siri are extremely useful and convenient, however that convenience opens up potential vulnerabilities and threats. The one that usually comes to mind is privacy, and the VA makers stress the steps they take to address this. However there’s another, simpler, threat that’s often overlooked: unwanted voice commands.

The emphasis on VA voice recognition is to make it a wide as possible so that it will understand most of what you say. It can usually understand most muffled commands – possibly even ones spoken from outside the room.

If a bad actor gave commands to your VA without your knowledge, what could they do? Results could range from mildly annoying ‘pranks’ (maybe Rickrolling or making all the smart lights in the house flash) to severly disruptive actions such as setting a loud alarm for 3am. Potentially, the bad actor could even compromise your network or home security.

To address these potential exploits, Yingying Chen, a Rutgers professor of electrical and computer engineering, ad colleagues have created WearID. The idea behind WearID is to verify the identify of the speaker before a command is obeyed:

When someone issues a command to a voice assistant, the WearID app, which is installed on the user’s smartphone or wearable device, uses the device’s accelerometer to capture the vibration characteristics of the person speaking and compare them with the audio captured by the voice assistant’s microphone.

If a legitimate user has given the command, the spectral pattern between the vibration and audio domains will be similar. If the pattern doesn’t match, the voice assistant will ignore the prompt.

According to a 2020 paper, WearID “can verify voice commands with 99.8% accuracy in the normal situation and detect 97.2% fake voice commands from various attacks, including impersonation/replay attacks and hidden voice/ultrasound attacks.”

As the range of voice activated smart devices grows, the potential for voice attacks will become greater. It’s hoped that WearID will be on the market in 2023.