DolphinAttack or How To Stealthily Fool Voice Assistants

Six researchers from the Zhejiang University published an excellent paper describing DolphinAttack: a new attack against voice-based assistants such as Siri or Alexa. As usual, the objective is to force the assistant to accept a command that the owner of the assistant did not issue. The attack is more powerful if the owner does not detect its occurrence (excepted, of course, the potential consequences of the accepted command). The owner should not hear a recognizable command or even better hear nothing.

Many attacks try to fool the Speech Recognition system by finding characteristics that may fool the machine learning system that powers the recognition without using actual phonemes. The proposed approach is different. The objective is to fool the audio capturing system rather than the speech recognition.

Humans do not hear ultrasounds, i.e., frequencies greater than 20 kHz. Speech is usually in the range of a few 100 HZ up to 5 kHz. The researchers’ great idea is to exploit the characteristics of the acquisition system.

  1. The acquisition system is a microphone, an amplifier, a low-pass filter (LPF), and an analog to digital converter (ADC), regardless of the Speech Recognition system in use. The LPF filters out the frequencies over 20 kHz and the ADC samples at 44.1 kHz.
  2. Any electronic system creates harmonics due to non-linearity. Thus, if you modulate a signal of fm
    with a carrier at fc, in the Fourier domain, many harmonics will appear such as fC – fm, fC + fm¸ and
    fC as well as their multiples.

You may have guessed the trick. If the attacker modulates the command (fm) with an ultrasound carrier fc, then the resulting signal is inaudible. However, the LPF will remove the carrier frequency before sending it to the ADC. The residual command will be present in the filtered signal and may be understood by the speech recognition system. Of course, the commands are more complicated than a mono-frequency, but the system stays valid.

They modulated the amplitude of a frequency carrier with a vocal command. The carrier was in the range 20 kHz to 25 kHz. They experimented with many hardware and speech recognition. As we may guess, the system is highly hardware dependent. There is an optimal frequency carrier that is device dependent (due to various microphones). Nevertheless, with the right parameters for a given device, they seemed to have fooled most devices. Of course, the optimal equipment requires an ultrasound speaker and adapted amplifier. Usually, speakers have a response curve that cut before 20 kHz.

I love this attack because it thinks out of the box and exploits “characteristics” of the hardware. It is also a good illustration of Law N°6: Security is not stronger than its weakest link.

A good paper to read.


Zhang, Guoming, Chen Yan, Xiaoyu Ji, Taimin Zhang, Tianchen Zhang, and Wenyuan Xu. “DolphinAttack: Inaudible Voice Commands.” In ArXiv:1708.09537 [Cs], 103–17. Dallas, Texas, USA: ACM, 2017.


Picture by http: //



Symposium on Foundations and Applications of Blockchain


The University of South California (USC) organizes a   Symposium on Foundations and Applications of Blockchain. Following in the call for paper.

Full disclosure: I am member of the PC


                                           Symposium on Foundations and Applications of Blockchain


9 March 2018, Los Angeles, California



Blockchain – the technology behind Bitcoin and Ethereum – is flourishing into an impressive spectrum of research projects and initiatives, corporate alliances, and startup companies. This multidisciplinary effort spans diverse disciplines ranging from Computer Science and Engineering to Communications, Social Sciences, Public Policy, Banking and Finance, Journalism, and Political Sciences to name a few. This one day event strives to bring researchers and practitioners of blockchain together to share and exchange results. We are interested in papers and presentations on a broad range of topics including:

  • Application use cases of blockchain
  • Secure smart contracts
  • Bitcoin and cryptocurrency
  • Blockchain for social networking
  • Distributed systems for blockchain
  • Blockchain consensus protocols
  • Blockchain and Governance
  • Blockchains and network systems
  • Partitioned and replicated data stores for blockchain
  • Transactions and blockchain
  • Software engineering practices and life cycle management of blockchain
  • Societal impact and social aspects of blockchain
  • Game theory and its applications to blockchain
  • Blockchain protocol analysis and security
  • Algorithm design, complexity analysis, implementation of efficient blockchains
  • Experience with blockchain


Important Dates:

Dec 15, 2017:  Paper submission Deadline

Feb 5, 2018:  Author notification

March 9, 2018:  One day symposium


Paper submission:

Authors are invited to submit papers through the CMT3 conference submission system by December 15, 2018. Submissions must be original and should not have been published previously or be under consideration for publication while being evaluated for this conference. FAB’18 welcomes long and short papers in four categories:  Research, Industrial, Vision, and Poster.  See the online call for paper for additional details.


General Chair:  Bhaskar Krishnamachari, USC

Program Chair:  Shahram Ghandeharizadeh, USC

Program Committee:

Sumita Barahmand, Microsoft

Yu Chen, State University of New York – Binghamton

Bhagwan Chowdhry, UCLA

Eric Chung, DApperNetwork

Ming-Deh Huang, USC

Eric Diehl, Sony Pictures Entertainment

Abdelkader Hameurlain, Paul Sabatier University, Toulouse, France

Zhiyuan Jiang, Tsinghua University

Lou Kerner, Flight VC

Bhaskar Krishnamachari, USC

Genevieve Leveille, Otentic8

Chen Li, UC Irvine

David MacFadyen, UCLA

Beng Chin Ooi, National University of Singapore

Avinash Sridharan, Mesosphere

Vassilis Tsotras, UC Riverside

Nick Vyas, USC

Li Xiong, Emory University

Kiran Yedavalli, Cisco


Contact Us

In case of questions, please contact us at and

Subliminal images deceive Machine Learning video labeling

Current machine learning systems are not designed to defend against malevolent adversaries. Some teams succeeded already to fool image recognition or voice recognition. Three researchers from the University of Washington fooled the Google’s video tagging system. Google offers a Cloud Video Intelligence API that returns the most relevant tags of a video sequence. It is based on deep learning.

The idea of the researchers is simple. They insert the same image every 50 frames in the video. The API returns the tags related to the added image (with an over 90% high confidence) rather than the tags related to the forged video sequence. Thus, rather than returning tiger for the video (98% of the video time), the API returns Audi.

It has never been demonstrated that subliminal images are effective on people. This team demonstrated that subliminal images can be effective on Machine Learning. This attack has many interesting uses.

This short paper is interesting to read. Testing this attack on other APIs would be interesting.

Hossein, Hosseini, Baicen Xiao, and Radha Poovendran. “Deceiving Google’s Cloud Video Intelligence API Built for Summarizing Videos.” arXiv, March 31, 2017.


Ben Seri and Gregory Vishnepolsky from the society armis recently disclosed eight vulnerabilities present in various BlueTooth stacks. Their paper “The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks” thoroughly describes these vulnerabilities and derives some interesting lessons.

Some vulnerabilities may allow taking control of the Bluetooth device. These exploits do not need the target to be in discoverable mode. They just need to know the Bluetooth MAC address (BDADDR). Contrary to common belief, it is guessable even for non-discoverable devices. If the target generates Bluetooth traffic, then it BDAADR is visible in the access code. If it is not generating traffic, the widely accepted convention to use the same MAC address for Wifi than for Bluetooth may reveal it.

Once the attacker knows the BDADDR, he can use the exploits. One powerful vulnerability is due to some lack of implementation guidelines in the specifications for the “Just Works” authentication. For Android and Windows, if the attacker claims to be “No Input No output, No Man in the middle protection required and no bonding,” the target stealthily accepts the connection with limited security capabilities for a short period of time (due to the no bonding). Of course, any service that would require MiTM protection or bonding, and verifies the requirement, will refuse to operate over such connection. For Apple, the connection requests a validation by the user.

Once the attacker is linked to the unknowing target, it can try many attacks. My preferred ones are CVE-2017-0783 and CVE-2017-8628. They use a flaw in the specification of the Personal Area Network (PAN). This service has a low-level security requirement. This means that the previous attack grants access to the PAN without any authorization! The attacker can mount a pineapple attack over Bluetooth without the target being aware. In a Wifi Pineapple, the attacker impersonates an already known WIFI public network and can act as a man in the middle. In this case, the pineapple does not need to be a known network. Redoutable.

The PAN specification dated from 2003 and was never since revised. “Just works” and the newer authentication protocols were specified more recently. They changed the trust model and trust context. The older specifications were not analyzed to identify potential impacts.

The other vulnerabilities allow either buffer overflows or data leakage by exploring more than the attributed spaces.

The disclosure was part of a coordinated disclosure with Google, Microsoft, and Linux kernel team.

Conclusion: Verify that you installed the August and September security patches for your devices. They contain patches to these vulnerabilities.


French users seem aware of the risks and threats of illicit sites

The French HADOPI recently published an interesting paper “Etude sur les risques encourus sur les sites illicites,” i.e., a study on the risks incurred on illegal sites. They polled 1,021 Internet users older than 15. The first part of the study analyses the reported use of so-called illicit sites. The second part checks the awareness of these users of the associated risks.

The first part is very conventional and shows information that was already known for other markets. The results are neither surprising nor widely deviating from other countries. For instance, without surprise, the younger generations use more illicit sharing sites than the oldest ones.

Figure extracted from the report. In black, my proposed translation.

Music, movies and TV shows are the categories that are the most illicitly accessed.

The second part is more interesting than the first one. Most polled users claim to know the threats of Internet (scareware, spam, the slowdown of computer due to malware, adult advertisement, and change of browser’s settings) as well as the issues (theft of banking account, identity theft, scam, or ransomware). Nevertheless, the more using illicit content, the higher the risk of nuisance and prejudice. Not surprisingly, 60% of consumers who stopped using illicit content suffered at least on serious prejudice.

Figure extracted from the report. In black, my proposed translation.

Users seem to understand that the use of illicit content seriously increases the risks. Nevertheless, there is a distortion. The nuisance is more associated to illegal consumption than actual real prejudices.

Figure extracted from the report. In black, my proposed translation

The top four motivation of legal users is to be lawful (66%), fear of malware (51%), respect for the artists (50%) and a better product (43%). For regular illicit users, the top three motivation to use legal offer is a better quality (43%), fear of malware (42%) and being lawful (41%). 57% of illicit users claim that they intend to reduce or stop using illegal content. 39% of illicit users announce that they will not change their behavior. 4% of illicit users claim they plan to consume more illicit content.

We must always be cautious with the answers to a poll. Some people may not be ready to disclose their unlawful behavior. Therefore, the real values of illicit behavior are most probably higher than disclosed in the document. Polled people may also provide wrong answers. For instance, about 30% of the consumers is illicitly consuming software claim to use streaming! Caution should also apply to the classification between streaming and P2P. Many new tools, for instance, Popcorn time, use P2P but present a behavior similar to streaming.

Conclusion of the report

Risks are present on the Internet. Illicit users are more at risk than lawful users.

Users acknowledge that illicit consumption is riskier than legal consumption.

Legal offer is perceived as the safe choice.

Having been hit by a security problem pushes users towards the legal offer.

An interesting report, unfortunately, currently it is only available in French.



Law 9 – Quis custodiet ipsos custodes?

This post is the ninth post in a series of ten posts. The previous post explored the eighth law: If You Watch the Internet, the Internet Is Watching You. This Roman sentence from poet Juvenal can be translated as “Who will guard the guards themselves?” Every element of a system should be monitored. This also includes the monitoring functions. As often some parts of the security model rely on the detection of anomalies, it is key that this detection is efficient and faithful.

Any security process should always have one last phase that monitors the efficiency of the implemented practices. This phase creates the feedback loop that regulates any deficiency or inefficiency of the security process. The quality and probity of this last phase have a strong influence on the overall robustness of the security. For instance, the COBIT framework has one control point dedicated to this task: ME2 – monitor and evaluate internal control.

The beauty of Bitcoin’s model is that every user is the ward that surveys the other users. The Bitcoin system assumes that a majority of users will operate faithfully. The Proof Of Work is the consensus mechanism that enforces, in theory, this assumption. Mining is costly and managing the majority of the hashing power may be impossible for one actor. This assumption may be questionable with new cryptocurrencies that do not have a significant number of users and with the advent of mining pool.

Separate the roles; Divide and Conquer. The scope of controlling and managing roles should be kept as small as possible. Guards should have a limited scope of surveillance and restricted authority. This reduces the impact of a malicious insider or the influence of an attacker who hijacked an administrator or controller account. Where possible, the scope of roles should partly overlap or be redundant between several individuals. This trick increases the chances to detect an error or a mischief from an insider as success would require collusion.

For instance, reduce the scope of system administrators as they have the keys to the kingdom. Nobody should have all the keys of the kingdom. After the Snowden incident, NSA drastically reduced the number of its system administrators.

Read the logs; logfiles are an essential element for monitoring and auditing the effectiveness of the security. They will be useful to detect and understand security incidents. Nevertheless, their optimal efficiency is reached only when they are regularly analyzed to detect anomalies. Ideally, they have to be proactively analyzed. Applying only a-posteriori log analysis is a weak security stance. Logfiles are not to be used only for forensics purpose.

If you find this post interesting, you may also be interested in my second book “Ten Laws for Security.”  Chapter 10 explores in details this law. The book is available for instance at Springer or Amazon.