January 14, 2019 By Shane Schick 2 min read

University of Maryland researchers warn that with limited resources, threat actors could launch a successful cyberattack on Google’s bot-detecting reCaptcha service.

In an academic paper detailing their findings, the researchers discuss how they created a tool called unCaptcha, which uses audio files in conjunction with artificial intelligence (AI) technologies such as speech-to-text software to bypass the Google security mechanism.

Over more than 450 tests, the unCaptcha tool defeated reCaptcha with 85 percent accuracy in 5.42 seconds, on average. This study proved that threat actors could potentially break into web-based services, pursue automated account creation and more.

How Researchers Got Around reCaptcha

Online users will recognize reCaptcha as a small box that appears on many websites when signing up or logging in to digital services. Website visitors are typically asked to solve a challenge to prove they’re human, whether it’s typing in letters next to a distorted rendering of the letters, answering a question or clicking on images.

In this case, the University of Maryland researchers took advantage of the fact that Google’s system offers an audio version of its challenges for those who may be visually impaired. The attack method involved navigating to Google’s reCaptcha demo site, finding the audio challenge and downloading it, then putting it through a speech-to-text engine. After an answer had been parsed, it could be typed in and submitted.

While Google initially responded by creating a new version of reCaptcha, the researchers did the same thing with unCaptcha and were even more successful. In an interview with BleepingComputer, one of the researchers said the new version had a success rate of around 91 percent after more than 600 attempts.

Securing the Web Without CAPTCHAs

The research paper recommends a number of possible countermeasures to a tool such as unCaptcha, including broadening the sound bytes of reCaptcha audio challenges and adding distortion. CAPTCHAs are far from the only option available to protect digital services, however.

IBM Security experts, for example, discussed the promise of managed identity and access management (IAM), which allows organizations to not only protect online services with additional layers of security, but also have a third party deal with operational chores such as patching and resolving upcoming incidents. If a group of academics can automate attacks on CAPTCHA systems this successfully, it may be time for security leaders and their teams to look for something more sophisticated.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today