A lot of websites these days force us to prove we aren’t robots before we log in to our accounts, and we often feel like we’re going to absurd lengths just to see our stuff. But Completely Automated Public Turing test to tell Computers and Humans Apart or CAPTCHAs, protect our information from bots exploiting our information because they are only readable by humans. Well, at least usually.
According to Vice’s Motherboard, researchers at the University of Maryland developed a method called unCaptcha that can trick one of the most popular versions of CAPTCHA, Google’s reCaptcha, into thinking that bots are real people. It does so by using Google’s own free speech-to-text service.
By using the speech-to-text service, unCaptcha downloads the audio captcha, segments the audio into individual digit audio clips and uploads the segments to several speech-to-text services, including Google’s. The system then guesses what the digits the audio might represent through exact and near homophones and chooses which sequence of digits to enter based on the most popular answer among the difference speech-to-text services.
In 2017, the researchers released the original unCaptcha, which had an 85% success rate, to which Google responded by improving browser automation detection and switching to spoken phrases, rather than digits, to render that version useless. But unCaptcha came back even stronger, with its 2018 version boasting a 90% success rate.
Finding ways to penetrate the most successful security barriers is the best way to force innovation in cybersecurity. As researchers find ways to break down security through things like reverse-image searches, deep learning, and “experimental neuroscience data,” companies are forced to ramp up their security efforts.
Google seems unconcerned with this new development. “We have been in contact with the ReCaptcha team for over six months and they are fully aware of this attack,” write the researchers. “The team has allowed us to release the code, despite its current success.”