Threat Modeling and Analysis of Voice Assistant Applications
A voice assistant is an application that lets users interact with their devices through voice commands in a more intuitive and natural manner. Recently, many voice assistant applications have been widely deployed on smartphones and voice-controlled smart speakers. However, the security threats to these applications have been examined in only a few studies. In this paper, we identify potential threats to voice assistant applications and assess the risk of those threats using the STRIDE and DREAD models. Our threat modeling shows that a generic voice assistant can be exposed to 16 potential security threats. To mitigate the identified threats, we also discuss several defense strategies.
Keywords: Voice assistant, Threat modeling, STRIDE, DREAD
This work was supported in part by the ITRC (IITP-2018-2015-0-00403) and the NRF (No. 2017K1A3A1A17092614). The authors would like to thank all the anonymous reviewers for their valuable feedback.
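The abstract names the two models the paper combines: STRIDE to classify each threat and DREAD to rate its risk. The script below is an added illustration of that workflow and is not code from the paper. It assumes the common DREAD formulation (five factors rated 1 to 10, risk = their average) and an assumed High/Medium/Low cut-off at 7.0 and 4.0; the six sample threats and every rating are constructed for a generic voice assistant and are not the paper's 16 threats.

```python
"""Ranking STRIDE-classified threats with DREAD scores.

Added illustration of the STRIDE + DREAD workflow named in the abstract; the
threat entries and all scores below are constructed, not the paper's 16 threats.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Stride(Enum):
    """The six STRIDE threat categories."""
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information disclosure"
    DENIAL_OF_SERVICE = "Denial of service"
    ELEVATION_OF_PRIVILEGE = "Elevation of privilege"


# DREAD factors: Damage, Reproducibility, Exploitability, Affected users,
# Discoverability. Each is rated 1 (low) to 10 (high); the risk score is the
# average of the five factors (the common DREAD formulation, assumed here).
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    category: Stride
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject out-of-range ratings early: a typo such as 80 would silently
        # dominate the ranking otherwise.
        for factor in DREAD_FACTORS:
            value = getattr(self, factor)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(
                    f"{self.name}: {factor}={value!r} must be an integer in 1..10")

    def dread_score(self) -> float:
        """Average of the five DREAD ratings, rounded to two decimals."""
        total = sum(getattr(self, factor) for factor in DREAD_FACTORS)
        return round(total / len(DREAD_FACTORS), 2)


def risk_level(score: float) -> str:
    """Bucket a DREAD score; the 7.0 / 4.0 cut-offs are an assumed policy."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD score first; ties broken by name for a stable report."""
    return sorted(threats, key=lambda t: (-t.dread_score(), t.name))


def threats_by_category(threats: List[Threat]) -> Dict[Stride, List[str]]:
    """Group threat names under their STRIDE category (the STRIDE view)."""
    grouped: Dict[Stride, List[str]] = {c: [] for c in Stride}
    for t in threats:
        grouped[t.category].append(t.name)
    return grouped


# Constructed sample threats for a generic voice assistant. Names and ratings
# are illustrative only and do not come from the paper.
SAMPLE_THREATS = [
    Threat("Replayed recording of the owner's voice passes speaker verification",
           Stride.SPOOFING, 8, 9, 7, 8, 8),
    Threat("Modified response from the cloud speech service on the network path",
           Stride.TAMPERING, 7, 5, 5, 7, 6),
    Threat("No audit record of which command was issued and by whom",
           Stride.REPUDIATION, 4, 8, 6, 6, 5),
    Threat("Traffic analysis of the encrypted audio stream reveals what was asked",
           Stride.INFORMATION_DISCLOSURE, 6, 7, 6, 9, 4),
    Threat("Repeated wake-word triggering keeps the device busy",
           Stride.DENIAL_OF_SERVICE, 3, 9, 9, 2, 7),
    Threat("Third-party skill reaches actions beyond its declared scope",
           Stride.ELEVATION_OF_PRIVILEGE, 9, 4, 4, 7, 3),
]


if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.dread_score():4.1f} {risk_level(t.dread_score()):6s} "
              f"[{t.category.value}] {t.name}")
```

Running the script prints the constructed threats from highest to lowest DREAD score with their STRIDE category, which is the ranked view a threat model hands to whoever prioritises mitigations. The range check in `__post_init__` matters in practice: DREAD ratings are entered by hand, and a single out-of-scale value would otherwise reorder the whole list without any error.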