Project VoCo: The Excitement and Concern
Meet Project VoCo. It's short for "Photoshopping Voiceovers," one of 11 experimental technologies demoed at Adobe MAX 2016. VoCo is a sound engineer's dream in that it allows a controller to edit or insert words into an audio recording without having to bring the voiceover artist back into the studio. All the software needs is about 20 minutes of a person's speech to make the process work. Project VoCo lives up to that expectation in the demo video provided below.

https://www.youtube.com/watch?v=I3l4XLZ59iw

Clearly, lots of people are excited about the prospect of being able to alter audio recordings. But not everyone is jumping on the bandwagon. Dr. Eddy Borges Rey, a lecturer in media and technology at the University of Stirling, is concerned by the development. He revealed as much to BBC News:

"It seems that Adobe's programmers were swept along with the excitement of creating something as innovative as a voice manipulator, and ignored the ethical dilemmas brought up by its potential misuse. Inadvertently, in its quest to create software to manipulate digital media, Adobe has [already] drastically changed the way we engage with evidential material such as photographs. This makes it hard for lawyers, journalists, and other professionals who use digital media as evidence. In the same way that Adobe's Photoshop has faced legal backlash after the continued misuse of the application by advertisers, Voco, if released commercially, will follow its predecessor with similar consequences."

That's a good point. If proper safeguards aren't implemented, Project VoCo could undermine the authenticity of audio recordings. Attackers could in that case exploit the technology to fool others into thinking someone said something they did not, all towards a nefarious end like CEO fraud. All they would need to do is conduct a bit of research beforehand. Laura V. explains in Social-Engineer Newsletter how one such attack might proceed:
- An attacker performs OSINT and discovers an organization's CEO will be away on business for a few days or a week.
- The bad actor records a fake message from the CEO using VoCo that asks the head of finance to call them back for instructions regarding an upcoming payment. They leave that message as a voicemail for the head of finance.
- The head of finance receives the message, thereby establishing the attacker's pretext.
- The attacker receives a call from the head of finance. Using VoCo, the former instructs the latter to deliver funds to an account under their control.