Adversarial examples: attack can imperceptibly alter any sound (or silence), embedding speech that only voice-assistants will hear

Originally published at:


Clever engineering, but what possible application is there?

Creamed corn for everyone?


So, for example, a band could release a song that had embedded in it a hidden speech command to buy their whole album.


For example, my new single, I Cannot Be Played on Amazon Echo Serial Number 41A83002CF1219B5.


But why bother to hide it? An awful lot of music is put on as background without much attention being paid to it

1 Like

Because messages that activate your voice assistant to do something without your consent would effectively be malware? If you do it out in the open, maybe a certain percentage of users will never even notice; if you make any kind of effort to cover your tracks, that percentage will only go up.

1 Like

I hope you’re not under the impression I’m unaware of its dastardliness. I also hope you recognise that much dastardliness is quite blatant and that it seems that nobody cares very much.

Gah, another one.

This does not affect the Amazon Echo, but there’s one in the big photo attached to the article, and actually reading the article, the danger is FAR less than the headline implies.

It’s an INTERESTING article! I would have read it without all the “DANGER!” hype! I just complained about this sort of thing on a Xeni headline!

I really hope this has become more prevalent in the last couple of years because Boing Boing really needs the clicks and not because Xeni or Cory think scaremongering is a good thing.

Note: I am not yet disappointed in Boing Boing.


I don’t know; maybe I’ve acquired the immunity Cory was talking about the other day, or I’m just inured after years of exposure, but I don’t see this headline as terribly click-baity. “Attack” is the most alarmist word in there, and that’s fairly tame by headline standards, not a word that baits my clicks unless it’s attached to something more alarmist, like “Trump” and “North Korea”, or “pacemaker”, or something. “Attacks” can cover everything from global thermonuclear war down to local knitting circle politics in everyday parlance.

1 Like

I’d have to find a use for voice assistants, and then one that did well at transcribing me, before I could say.

I’m sticking to pencils. Not even the no-goodest no-goodnik can hack a pencil.


Who would do…


Huh… maybe I was super grumpy yesterday, but looking now I SWEAR the headline was worse yesterday when I posted.

I recall them working “Google” into the headline in addition to the Amazon Echo in the photo, neither of which are affected by this at all.

ETA: Yeah, I found where I was discussing it with a friend and I talk about “The device alluded to in the headline.” Pretty sure it’s different now.

Huh. Are we going to have to start taking screendumps of articles so we can tell if we’re talking about the same thing?

Would it be appropriate to replace the security-hypothetical staples of Alice and Bob with Simon and Garfunkle when discussing maliciously crafted sounds of silence?

1 Like

It’s certainly not at the top of the real-world-threats list; but within the context of security using ‘attack’ as synonymous with ‘maliciously crafted input makes the system fall over’ is pretty well established. The actually scary attacks are the ones where the maliciously crafted input in trivial to introduce and/or hard to block; or the falling-over is persistent and invasive, while the more theoretical ones are deemed largely impractical in terms of actually getting the maliciously crafted input to the target; but not demoted below ‘attack’ unless very strongly demonstrated to be beyond hope.

The comparison between the number of times that someone has gone for the “Bah, totally impractical!” and found the attack deployed and the number of times that someone has gone for “zOMG Sky Falling” and found the attack impractical just isn’t favorable(with the possible exception of attacks that nobody bothers with because even more trivial ones are available; in the way that Flash and Java made attacking browsers somewhat uninteresting for years).

1 Like

This topic was automatically closed after 5 days. New replies are no longer allowed.