H-Online: Hackers developed a script which was able to crack Google’s reCAPTCHA system with a success rate of better than 99 per cent. They presented the results of their research at the LayerOne security conference in Los Angeles last weekend; however, their demonstration was somewhat frustrated as, just an hour before the presentation, Google made improvements to its CAPTCHA system.
Of the various CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) systems, Google’s reCAPTCHA is considered to be one of the most reliable for differentiating man from machine. By requiring users to enter visually distorted alphanumeric sequences, web service providers can, for example, ensure that their registration forms are not flooded by spam bots. Rather than trying to analyze these distorted characters, the script, code-named “Stiltwalker”, analyzed the audio version of the CAPTCHAs, which Google provides for individuals who are visually impaired.
Stiltwalker makes use of various techniques, including machine learning, but it also exploits the fact that the computer voice has a very limited vocabulary. While text CAPTCHAs are highly complex, relying on a large pool of words in a variety of fonts, Google’s audio CAPTCHAs use just 58 different English words.
Slightly frustrated, Defcon Group 949 presented their research results just as Google had fixed the problem
To make automated analysis more difficult, Google adds a background murmur which computers usually have a hard time filtering out. The hackers discovered that the background was composed of a limited number of recordings of radio programmes. The changes that Google made to reCAPTCHA shortly before the presentation render Stiltwalker impotent, but the three-man team of hackers did not let that affect the entertainment value of their presentation.