Side-channel attack on the HumanAuth CAPTCHA

We propose a new attack scheme against the HumanAuth CAPTCHA that represents a significant shortcut to the intended attack path, as it is not based on any advance in the state of the art in the field of image recognition. After analyzing the HumanAuth image database with a new approach based on statistical analysis and machine learning, we conclude that it cannot fulfill the security objectives intended by its authors. We then analyze which of the studied parameters of the image files seem to disclose the most valuable information for correct classification, arriving at a surprising discovery. We also analyze whether the image watermarking algorithm presented by the HumanAuth authors is able to counter the effect of this new attack. Our attack represents a completely new approach to breaking image labeling CAPTCHAs, and can be applied to many of the currently proposed schemes. Lastly, we investigate some measures that could be used to increase the security of image labeling CAPTCHAs such as HumanAuth, but conclude that no easy solutions are at hand.
