Threat Modeling and Analysis of Voice Assistant Applications

  • Geumhwan Cho
  • Jusop Choi
  • Hyoungshick KimEmail author
  • Sangwon Hyun
  • Jungwoo Ryoo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11402)


Voice assistant is an application that helps users to interact with their devices using voice commands in a more intuitive and natural manner. Recently, many voice assistant applications have been popularly deployed on smartphones and voice-controlled smart speakers. However, the threat and security of those applications have been examined only in very few studies. In this paper, we identify potential threats to voice assistant applications and assess the risk of those threats using the STRIDE and DREAD models. Our threat modeling demonstrates that generic voice assistants can potentially have 16 security threats. To mitigate the identified threats, we also discuss several defense strategies.


Voice assistant Threat modeling STRIDE DREAD 



This work was supported in part by the ITRC (IITP-2018-2015-0-00403) and the NRF (No. 2017K1A3A1A17092614). The authors would like to thank all the anonymous reviewers for their valuable feedback.


  1. 1.
    Anand, P., Ryoo, J., Kim, H., Kim, E.: Threat assessment in the cloud environment: a quantitative approach for security pattern selection. In: Proceedings of the 10th ACM International Conference on Ubiquitous Information Management and Communication (2016)Google Scholar
  2. 2.
    Burns, S.F.: Threat modeling: a process to ensure application security. GIAC Security Essentials Certification (GSEC) Practical Assignment (2005)Google Scholar
  3. 3.
    Callegati, F., Cerroni, W., Ramilli, M.: Man-in-the-middle attack to the HTTPS protocol. IEEE Secur. Priv. 7, 78–81 (2009)CrossRefGoogle Scholar
  4. 4.
    Carlini, N., et al.: Hidden voice commands. In: Proceedings of the 25th USENIX Security Symposium (2016)Google Scholar
  5. 5.
    Garcia-Salicetti, S., et al.: BIOMET: a multimodal person authentication database including face, voice, fingerprint, hand and signature modalities. In: Proceedings of the 4th International Conference on Audio-and Video-based Biometric Person Authentication (2003)Google Scholar
  6. 6.
    Meier, J., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., Murukan, A.: Improving Web Application Security: Threats and Countermeasures. Microsoft Corporation, Redmond (2003)Google Scholar
  7. 7.
    Park, K., Kim, H.: Encryption is not enough: inferring user activities on KakaoTalk with traffic analysis. In: Proceedings of the 16th International Workshop on Information Security Applications (2015)Google Scholar
  8. 8.
    Shih, T.K., Tang, N.C., Tsai, J.C., Hwang, J.N.: Video motion interpolation for special effect applications. IEEE Trans. Syst. Man Cybern. Part C (Appl. Rev.) 41, 720–732 (2011)CrossRefGoogle Scholar
  9. 9.
    Sounthiraraj, D., Sahs, J., Greenwood, G., Lin, Z., Khan, L.: SMV-HUNTER: large scale, automated detection of SSL/TLS man-in-the-middle vulnerabilities in android apps. In: Proceedings of the 21st Annual Network and Distributed System Security Symposium (2014)Google Scholar
  10. 10.
    Swiderski, F., Snyder, W.: Threat Modeling (Microsoft Professional), vol. 7. Microsoft Press (2004)Google Scholar
  11. 11.
    Zhang, G., Yan, C., Ji, X., Zhang, T., Zhang, T., Xu, W.: DolphinAttack: inaudible voice commands. In: Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security (2017)Google Scholar
  12. 12.
    Zhang, L., Tan, S., Yang, J., Chen, Y.: VoiceLive: a phoneme localization based liveness detection for voice authentication on smartphones. In: Proceedings of the 23rd ACM SIGSAC Conference on Computer and Communications Security (2016)Google Scholar
  13. 13.
    Zhu, H.H., He, Q.H., Tang, H., Cao, W.H.: Voiceprint-biometric template design and authentication based on cloud computing security. In: Proceedings of 4th IEEE International Conference on Cloud and Service Computing (2011)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Geumhwan Cho
    • 1
  • Jusop Choi
    • 1
  • Hyoungshick Kim
    • 1
    Email author
  • Sangwon Hyun
    • 2
  • Jungwoo Ryoo
    • 3
  1. 1.Sungkyunkwan UniversitySeoulSouth Korea
  2. 2.Chosun UniversityGwangjuSouth Korea
  3. 3.Pennsylvania State UniversityAltoonaUSA

Personalised recommendations