Skip to Main Content

Google's Audio CAPTCHA Cracked

Security firm Wintercore has come up with a smart breakthrough: analysis and automated cracking of audio CAPTCHAs. Google's is the first to fall.

By PCMag Staff
May 5, 2008
So much attention is paid to cracking graphical CAPTCHAs, and a lot of progress has been made in that field.

Now Wintercore has come up with a smart breakthrough: analysis and automated cracking of audio CAPTCHAs.

From early on it was noticed that graphical CAPTCHAs present a problem for the sight-impaired (what we would have called "blind" a few years ago). Out of common decency and perhaps to avoid legal problems for their products and services being inaccessible to the disabled, many CAPTCHA implementers started adding an audio option.

In the case of the GMail signup page, for example, there is a small graphic of the universal disabled symbol of a character in a wheelchair next to the text field for the user to type. The title of the graphic, which would be spoken to a user with accessibility software, is "Listen and type the numbers you hear".

Try it on GMail and listen to the sample. There is a woman's voice speaking numerals with a lot of creepy nonsense voice between the numerals. The nonsense sounds like backwards talking, reminiscent of The Exorcist or I Am The Walrus. Once spoken, the voice says "once again" and the numerals and nonsense repeat. The nonsense is disturbing enough that I suspect many people would have trouble hearing the numerals, but I suppose Google figured they had to do something to impede simple automated analysis.

They didn't do enough. Wintercore did waveform analysis on the audio and noticed that the numeral portions were easily distinguishable from the nonsense parts. The rest is simple pattern recognition. Wintercore wrote a tool which they show a video of on the blog, demonstrating that the audio CAPTCHAs can be cracked with very high reliability, much better than what has been demonstrated with graphical ones.

You'll note that the Wintercore blog is about 2 months old. It didn't get widespread notice until just recently when 0x000000.com, the hacker webzine, picked up on it.

Wintercore ends with advice to Google by pointing out the biggest weaknesses in the CAPTCHA. I wonder whether the device is all that useful, because it sounds to me as if addressing them will make the CAPTCHA even more difficult for a human to understand. The current weak one is not easy.

Originally published on PC Magazine's security blog, Security Watch.