reCaptcha is Google's captcha. At the LayerOne conference, the hacking team DefCon 949 (DC949) disclosed their method for breaking it. The announced accuracy is an astonishing 99%. Some interesting lessons from this hack:
- The method attacked the audio part of reCaptcha. Normally, reCaptcha presents challenges made of altered scanned words from books, which you have to type. Thus, it should have a large sample of challenges. The trick: reCaptcha has a mode for visually impaired people, in which the challenge is audio, with words over a noisy background. The vocabulary is limited to 58 words, and the background is a mix of a limited number of audio sequences. Thus, there were far fewer audio challenges than visual challenges, and the attackers went after the easiest challenge. As a cryptography metaphor, they had the choice between a large key and a small key for the same final result.
A nice illustration of law 6: “Security is not stronger than its weakest link”. The audio challenge was the weakest link.
- Before the conference, Google updated its algorithms, thus defeating the hack. This spoiled the presentation a little. Nevertheless, it took nothing away from the quality of the attack. When reading blog coverage, I sometimes had the feeling that some people thought that it was unfair behavior. No! It is the right thing to do. It is always a cat and mouse game. The mouse has to run fast.
The presentation is available on YouTube.