In (Cyber)Space Bots Can Hear You Speak: Breaking Audio CAPTCHAs Using OTS Speech Recognition

Captchas have become almost ubiquitous as they are commonly deployed by websites as part of their defenses against fraudsters. However visual captchas pose a considerable obstacle to certain groups of users, such as the visually impaired, and that has necessitated the inclusion of more accessible captcha schemes. As a result, many captcha services also offer audio challenges as an alternative. In this paper we conduct an extensive exploration of the audio captcha ecosystem, and present effective low-cost attacks against the audio challenges offered by seven major captcha services. Motivated by the recent advancements in deep learning, we demonstrate how off-the-shelf (OTS) speech recognition services can be misused by attackers for trivially bypassing the most popular audio captchas. Our experimental evaluation highlights the effectiveness of our approach as our AudioBreaker system is able to break all captcha schemes, achieving accuracies of up to 98.3% against Google's ReCaptcha. The broader implications of our study are twofold. First, we find that the wide availability of advanced speech recognition services has severely lowered the technical capabilities required by fraudsters for deploying effective attacks, as there is no longer a need to build sophisticated custom classifiers. Second, we find that the availability of audio captchas poses a significant risk to services, as our attacks against ReCaptcha's audio challenges are 13.1%-27.5% more accurate than state-of-the-art attacks against the corresponding image-based challenges. Overall, we argue that it is necessary to explore alternative captcha designs that fulfill the accessibility properties of audio captchas without undermining the security offered by their visual counterparts.