reCaptcha is Google's captcha. At the LayerOne conference, the hacking team DefCon 949 (DC949) disclosed their method to break it. The announced accuracy is an astonishing 99%. Some interesting lessons from this hack:

  • The method to break reCaptcha attacked the audio part. Normally, reCaptcha proposes challenges built from altered scanned words from books, and you have to type them. Thus, it should have a large sample of challenges. The trick: reCaptcha has a mode for visually impaired people. In that mode, the challenge is audio, with words over a noisy background. The vocabulary is limited to 58 words, and the background is a mix of a limited number of audio sequences. Thus, there were far fewer audio challenges than visual challenges, and the attackers went after the easiest challenge. As a cryptography metaphor, they had the choice between a large key or a small key for the same final result.
    A nice illustration of law 6: “Security is not stronger than its weakest link”. The audio challenge was the weakest link.
  • Before the conference, Google updated its algorithms, thus defeating the hack. This spoiled the presentation a little. Nevertheless, it took nothing away from the quality of the attack. When reading blog coverage, I sometimes had the feeling that some people thought that it was unfair behavior. No! It is the right thing to do. It is always a cat and mouse game. The mouse has to run fast.

The presentation is available on YouTube.

