A few days ago I had to make a phone call and on the other end of the line was some machine using some voice recognition software to validate the customers spoken answers to the service menu. I asked myself if it would be possible to fuzz this kind of input with some kind of random generated noise files or such? In the end the software analyzes the customer's voice by some heuristics or some machine learning system or such.
Asked
Active
Viewed 456 times
1 Answers
5
The paper above gives some explanation of an audit of such a system. The first place they start is by using an API to automate the calls (skype in this case), and working on fuzzing the DTMF based interface. It seems like few of these systems are purely voice recognition based, and that many exploits can be found just by automating the touch tone bits.
http://www.securitytube.net/video/4255
also has some information on breaking such a system.
So for 1) You don't necessarily have to fuzz the voice directly.
Now, if you decided that had to fuzz voice, I don't think there is a library in existence that will do it for you. I would start with a dictionary of recorded words - perhaps http://shtooka.net/ - and write a script to play likely combinations of words. You would use the skype api to make the call, and then play the sentences you came up with to test the system.
It might also be profitable to shoot random noises / sine tones at the system. You might find some kind of testing frequency that opens up the system like the old phone phreaks used to do. There are literally tons of programs that will help you script up testing tones. You could even write that part in javascript with the web Audio API if you like.
Then, you might want to use voice recognition software to detect the failures and successes.
None of this will be possible without you thoroughly mapping out the system before hand. The testing plan I linked above suggests that, and I think that's where you should start.
MrSynAckSter
- 2,020
- 10
- 16