Pixel-Count Attacks

22 COPublished by the ieee COmPuter and reliability sOCieties ■ 1540-7993/09/$26.00 © 2009 ieee ■ July/august 2009 Completely Automated Public Turing Tests to Tell Computers and Humans Apart (CAPTCHAs) are now an almost standard security mechanisms for defending against undesirable and malicious bot programs on the Internet (especially those bots that can sign up for thousands of accounts a minute with free email service providers, send out thousands of spam messages in an instant, or post numerous comments in blogs pointing both readers and search engines to irrelevant sites). CAPTCHAs generate and grade tests that most humans can pass but current computer programs can’t. Such tests—often called CAPTCHA challenges—are based on hard, open artificial intelligence problems. To date, the most commonly used CAPTCHAs are text-based, in which the challenge appears as an image of distorted text that the user must decipher and retype. These schemes typically exploit the difficulty for state-of-the-art computer programs to recognize distorted text. Well-known examples include EZ-Gimpy, Gimpy, and Gimpy-r, all developed at Carnegie Mellon University; Google, Microsoft, and Yahoo have also developed and deployed their own text CAPTCHAs. Many more schemes have been put into practice, but they’re less visible in the literature. The “Related Work in CAPTCHA Design and Security” sidebar highlights additional efforts in the research community. A good CAPTCHA must not only be human friendly but also robust enough to resist computer programs that attackers write to automatically pass CAPTCHA tests. However, designing CAPTCHAs that exhibit both good robustness and usability is much harder than it might seem. The current collective understanding of this topic is very limited, as suggested by the fact that many well-known schemes break. In particular, we recently found that we could break a widely deployed CAPTCHA— carefully designed and tuned by Microsoft—with a success rate of higher than 60 percent, even though its design goal was that automated attacks shouldn’t achieve a success rate of higher than 0.01 percent. We expect that CAPTCHA will go through the same process of evolutionary development as cryptography, digital watermarking, and the like, with an iterative process in which successful attacks lead to the development of more robust systems. In this article, we study the strength of a CAPTCHA presented in a recent paper and deployed on the Internet. We show that although this scheme effectively resisted one of the best optical character recognition (OCR) programs on the market, we could break it with a success rate of higher than 90 percent using a simple but novel attack that takes less than 50 ms on an ordinary desktop computer for decoding each challenge. In a nutshell, we found that simply counting the pixels in a CAPTCHA’s characters can be a very powerful attack.