SUAD: Solid-Channel Ultrasound Injection Attack and Defense to Voice Assistants

• URL: http://arxiv.org/abs/2508.02116v1
• Date: Mon, 04 Aug 2025 06:51:36 GMT
• Title: SUAD: Solid-Channel Ultrasound Injection Attack and Defense to Voice Assistants
• Authors: Chao Liu, Zhezheng Zhu, Hao Chen, Zhe Chen, Kaiwen Guo, Penghao Wang, Jun Luo,
• Abstract summary: We propose nameAttack, a long-range, cross-barrier, and interference-free inaudible voice attack via solid channels.<n>We also propose SUAD Defense, a universal defense that uses ultrasonic perturbation signals to block inaudible voice attacks.<n>Experiments on six smartphones have shown that SUAD Attack achieves activation success rates above 89.8% and SUAD Defense blocks IVAs with success rates exceeding 98%.
• Score: 13.659193709119407
• License: http://creativecommons.org/licenses/by-sa/4.0/
• Abstract: As a versatile AI application, voice assistants (VAs) have become increasingly popular, but are vulnerable to security threats. Attackers have proposed various inaudible attacks, but are limited by cost, distance, or LoS. Therefore, we propose \name~Attack, a long-range, cross-barrier, and interference-free inaudible voice attack via solid channels. We begin by thoroughly analyzing the dispersion effect in solid channels, revealing its unique impact on signal propagation. To avoid distortions in voice commands, we design a modular command generation model that parameterizes attack distance, victim audio, and medium dispersion features to adapt to variations in the solid-channel state. Additionally, we propose SUAD Defense, a universal defense that uses ultrasonic perturbation signals to block inaudible voice attacks (IVAs) without impacting normal speech. Since the attack can occur at arbitrary frequencies and times, we propose a training method that randomizes both time and frequency to generate perturbation signals that break ultrasonic commands. Notably, the perturbation signal is modulated to an inaudible frequency without affecting the functionality of voice commands for VAs. Experiments on six smartphones have shown that SUAD Attack achieves activation success rates above 89.8% and SUAD Defense blocks IVAs with success rates exceeding 98%.

Related papers

• RoVo: Robust Voice Protection Against Unauthorized Speech Synthesis with Embedding-Level Perturbations [5.777711921986914]
  We propose RoVo, a novel proactive defense technique that injects adversarial perturbations into high-dimensional embedding vectors of audio signals.<n>RoVo effectively defends against speech synthesis attacks and also provides strong resistance to speech enhancement models.<n>A user study confirmed that RoVo preserves both naturalness and usability of protected speech.
  arXiv  Detail & Related papers  (2025-05-19T04:14:58Z)
• Mitigating Backdoor Triggered and Targeted Data Poisoning Attacks in Voice Authentication Systems [4.856070170902535]
  We propose a unified defense framework that effectively addresses both BTA and TDPA.<n>Our framework integrates a frequency focused detection mechanism that flags covert pitch boosting and sound masking backdoor attacks in near real time.<n>Our framework reduces attack success rates to as low as five to fifteen percent while maintaining a recall rate of up to ninety five percent in recognizing TDPA.
  arXiv  Detail & Related papers  (2025-05-06T11:52:12Z)
• Deep Active Speech Cancellation with Mamba-Masking Network [62.73250985838971]
  We present a novel deep learning network for Active Speech Cancellation (ASC)<n>The proposed Mamba-Masking architecture introduces a masking mechanism that directly interacts with the encoded reference signal.<n> Experimental results demonstrate substantial performance gains, achieving up to 7.2dB improvement in ANC scenarios and 6.2dB in ASC.
  arXiv  Detail & Related papers  (2025-02-03T09:22:26Z)
• NUANCE: Near Ultrasound Attack On Networked Communication Environments [0.0]
  This study investigates a primary inaudible attack vector on Amazon Alexa voice services using near ultrasound trojans. The research maps each attack vector to a tactic or technique from the MITRE ATT&CK matrix. The experiment involved generating and surveying fifty near-ultrasonic audios to assess the attacks' effectiveness.
  arXiv  Detail & Related papers  (2023-04-25T23:28:46Z)
• Ada3Diff: Defending against 3D Adversarial Point Clouds via Adaptive Diffusion [70.60038549155485]
  Deep 3D point cloud models are sensitive to adversarial attacks, which poses threats to safety-critical applications such as autonomous driving. This paper introduces a novel distortion-aware defense framework that can rebuild the pristine data distribution with a tailored intensity estimator and a diffusion model.
  arXiv  Detail & Related papers  (2022-11-29T14:32:43Z)
• Push-Pull: Characterizing the Adversarial Robustness for Audio-Visual Active Speaker Detection [88.74863771919445]
  We reveal the vulnerability of AVASD models under audio-only, visual-only, and audio-visual adversarial attacks. We also propose a novel audio-visual interaction loss (AVIL) for making attackers difficult to find feasible adversarial examples.
  arXiv  Detail & Related papers  (2022-10-03T08:10:12Z)
• Perceptual-based deep-learning denoiser as a defense against adversarial attacks on ASR systems [26.519207339530478]
  Adversarial attacks attempt to force misclassification by adding small perturbations to the original speech signal. We propose to counteract this by employing a neural-network based denoiser as a pre-processor in the ASR pipeline. We found that training the denoisier using a perceptually motivated loss function resulted in increased adversarial robustness.
  arXiv  Detail & Related papers  (2021-07-12T07:00:06Z)
• Towards Robust Speech-to-Text Adversarial Attack [78.5097679815944]
  This paper introduces a novel adversarial algorithm for attacking the state-of-the-art speech-to-text systems, namely DeepSpeech, Kaldi, and Lingvo. Our approach is based on developing an extension for the conventional distortion condition of the adversarial optimization formulation. Minimizing over this metric, which measures the discrepancies between original and adversarial samples' distributions, contributes to crafting signals very close to the subspace of legitimate speech recordings.
  arXiv  Detail & Related papers  (2021-03-15T01:51:41Z)
• Cortical Features for Defense Against Adversarial Audio Attacks [55.61885805423492]
  We propose using a computational model of the auditory cortex as a defense against adversarial attacks on audio. We show that the cortical features help defend against universal adversarial examples.
  arXiv  Detail & Related papers  (2021-01-30T21:21:46Z)
• WaveTransform: Crafting Adversarial Examples via Input Decomposition [69.01794414018603]
  We introduce WaveTransform', that creates adversarial noise corresponding to low-frequency and high-frequency subbands, separately (or in combination) Experiments show that the proposed attack is effective against the defense algorithm and is also transferable across CNNs.
  arXiv  Detail & Related papers  (2020-10-29T17:16:59Z)
• Class-Conditional Defense GAN Against End-to-End Speech Attacks [82.21746840893658]
  We propose a novel approach against end-to-end adversarial attacks developed to fool advanced speech-to-text systems such as DeepSpeech and Lingvo. Unlike conventional defense approaches, the proposed approach does not directly employ low-level transformations such as autoencoding a given input signal. Our defense-GAN considerably outperforms conventional defense algorithms in terms of word error rate and sentence level recognition accuracy.
  arXiv  Detail & Related papers  (2020-10-22T00:02:02Z)
• Defense for Black-box Attacks on Anti-spoofing Models by Self-Supervised Learning [71.17774313301753]
  We explore the robustness of self-supervised learned high-level representations by using them in the defense against adversarial attacks. Experimental results on the ASVspoof 2019 dataset demonstrate that high-level representations extracted by Mockingjay can prevent the transferability of adversarial examples.
  arXiv  Detail & Related papers  (2020-06-05T03:03:06Z)
• Detecting Audio Attacks on ASR Systems with Dropout Uncertainty [40.9172128924305]
  We show that our defense is able to detect attacks created through optimized perturbations and frequency masking. We test our defense on Mozilla's CommonVoice dataset, the UrbanSound dataset, and an excerpt of the LibriSpeech dataset.
  arXiv  Detail & Related papers  (2020-06-02T19:40:38Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.