

Subject: New Applications of Voice Recognition Technologies

 
One of our local NPR (WBUR) stations had, in its morning news report, a story
about a company that was developing a new twist in the application
of voice recognition technologies. [I don't include the name of the company
as I wasn't taking notes, and wouldn't want to needlessly slur the
wrong company, or even the right one by my errors of recollection.]

Their goal is to develop a system that would be able to recognize not the
words, but who the speaker is. The applications they envision would include
control of parolees and those under house arrest, as well as the replacement
of PINs. This is how they envision their system working:

o The person who is to be monitored goes physically to the office
  doing the monitoring and records a set of words.
o When the time comes for the person to be monitored to report in,
  they make a phone call to a computer system.
o Caller-ID identifies who is supposed to be calling and
  their alleged physical location.
o The system presents random challenge sentences that include some
  of the words used in step one. (One example: The purple television
  is exciting. "Television" and "exciting" would have been recorded.)
o The system then isolates the pre-recorded words, compares the
  vocal characteristics and identifies the speaker.

Interesting concept. The company was quite proud that they had taken what has
been a serious problem with voice recognition (voices are so different) and
turned it into a technological advantage. It was asserted that a number of
state correctional departments are interested in this as a replacement for
the electronic bracelets that are now sometimes used to monitor house arrest
and that have been discussed at length in RISKS.

The news report indicated that this system would be secure, as the comparison
of vocal characteristics is not fooled by normal voice mimicry. It was also
felt that, while parolees, for example, could be compelled to speak silly
meaningless sentences into the phone, it might not be possible to do this
generally so as to replace PINs.

This system seems so easy to defeat that I feel I must be missing something.
When you go to record your words, bring your own micro-cassette recorder
so that you've got an accurate list of the challenge words. Record and
digitize them in your home personal computer. When time comes to report
in, have your computer call their computer. Their challenge system seems
quite structured (it already knows who you are supposed to be from the
caller ID), so program your machine to wait for the challenge sentences.
Recognize the right words from the list of the ones you've prerecorded,
and synthesize a response based on replaying the challenge sentence,
inserting your prerecorded words as necessary.

This technology is likely not within the reach of  your average parolee, but
should this system be used to authorize large financial transfers, the risk
of fraud should be obvious.

Saul Tannenbaum, Manager, Scientific Computing        
STANNENB@HNRC.TUFTS.EDU
USDA Human Nutrition Research Center on Aging at Tufts University

                 ----------------

I can tell you one very simple way to defeat this system: Call
Forwarding.  Basically, when you forward a call, it's as though there
were two calls placed, one from the originating phone to the called
phone, and one from the called phone to the number the call is
forwarded to.  For example, if you forward calls from your phone to a
number that's a toll call for you, you'll pay the toll charge on the
call, and that's true even if the number you forward to would be in
the local calling area of the person trying to call you.  In effect,
the caller would pay the toll charge for a call from his phone to
yours, and you'd pay the charge for the call from your phone to
wherever you're forwarding to.

Now let's say that your friendly neighborhood drug dealer is under
house arrest using this system, and he's required to call in every
four hours.  No problem.  He hires a neighborhood kid to sit by his
phone, and at the appropriate time, he calls home and has the kid set
up call forwarding to the automated system at the parole office (a
computerized system could also be set up to do this, but I'm
deliberately keeping this scenario as low-tech as possible).  Then he
calls his home number again, the call is forwarded, and the Caller-ID
captures the number that the call was forwarded from, rather then the
location that Mr. Dealer is really at.  He could be anyplace in the
world that has reliable telephone connections back to the United
States, using this system!  For that matter, he could be on a cellular
phone walking down the street or tooling down the highway!  Some
arrest, eh?

And, of course, it wouldn't work any better if the parole office
computer calls him.  In fact, it might make things easier, since he
could just call-forward the call to his portable cellular phone or a
phone at whatever location he's at.

So, either something's missing in the description of the operation of
this system, or it was designed by folks who have no understanding of
how the telephone system operates.

Personally, I would not consider ANY system that depends upon a
telephone line originating or terminating at a particular location as
particularly secure.  I certainly would never want to see such a
system used for anyone guilty of any sort of felony violation!