Should your voice be enough to unlock your Android phone? Google seems to think so

According to media reports, some users of Android phones are beginning to see a new feature rolled out to their devices.

And it could mean that all you may need to do to unlock your Android phone in future is murmur the words “Ok Google.”

This isn’t the first time Google has tried to give Android users methods to unlock their devices without having to go to all the “effort” of entering a PIN, swipeable pattern or password.

Android 5.0 Lollipop already has “Trusted Face” mode (which is supposed to recognise your face), “Trusted Devices” (which means your Android will always be unlocked while it’s connected to a trusted Bluetooth device), and “Trusted Places” (which means your phone is always unlocked when you’re at home or office – which rather presumes you don’t have a jealous snooping partner or sneaky business rival).

Trusted Voice is the latest in Google’s line-up of smart locks, using voice recognition to check your identity.

If you enable Trusted Voice, then all you will have to do is issue the “Ok Google” command, and you won’t be pestered for a password or PIN on your device.

But there is an obvious security concern, of course, and even Google appear to be recognising it by displaying a warning whenever the “Trusted Voice” feature is enabled:

“Ok Google” Trusted Voice

Trusted voice is less secure than a pattern, PIN, or password. Someone with a similar voice or a recording of your voice could unlock your device.

Woah. No kidding it’s less secure. Frankly that kind of warning would have me running a mile.

Sure, it might feel all very Star Trek to have your Android unlock itself just at your voice command, and I can imagine some nerds showing off the kewl feature to their friends, but it’s hardly Fort Knox-style security, is it?

The fact of the matter is that our smartphones are these days where we keep our most precious photographs, our confidential work projects, our private communications… do we really want to make things easy for a determined attacker who might already have recorded our voice or learnt how to mimic it convincingly enough?

Furthermore, I can’t imagine many companies feeling comfortable with staff using a privacy-threatening feature like this and they are sure to try to lock down its use and impose their own security regime.

The truth is that “Trusted Voice” is nothing to do with security, and everything to do with convenience.

If it can’t adequately tell the difference between someone doing an impression of you or a recording of your voice (which it seems – from the warning message – that it cannot) then you should never turn on the option in the first place.

Mind you, perhaps the kind of people who would be attracted to the lazy “Trusted Voice” option of unlocking their phone are the very same ones who would never bother to have a PIN or password because of the hassle involved in entering it. Maybe, for these people at least, “Trusted Voice” is better than nothing.

What do you think? Do you want to unlock your phone with your voice? Or do the security issues concern you? Leave a comment below and share your thoughts.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

4 Comments

  • Voice authorization was busted in an episode of Star Trek:TNG wherein Lt. Commander Data took over the ship and locked out everyone else by playing back a recording (or a spot-on androidish replication) of Captain Picard’s voice authorization code. So, even Star Trek showed what a stupid idea it is to rely solely on voice authorization.

    Perhaps Google is just helping natural selection along, figuring that by making such a boneheaded feature available (even though they know it’s stupid), their dimmest-bulb customers stand a better chance of extinction.

  • “The truth is that “Trusted Voice” is nothing to do with security, and everything to do with convenience.”

    Correct yet simultaneously incorrect. Of course I know what you mean, but if we break it down further, there is a relation between convenience and security: the more convenience the less security (which has the unfortunate side effect of having to find a right balance). Therefore, yes, it has to do with convenience but it also has an effect on security – but an adverse effect. I’m not surprised it is Google though (there certainly are others that come to mind here also). This is just one of many more of their brilliantly brain dead ideas. To give them credit, at least they give a warning, and at least they’re not the only one who has used easy-to-exploit particulars of biometrics (of course, that there are others is concerning as well). If they would do this for more things and more importantly, if they would stop meddling with certain things that have dangerous implications, that would be much better, even though that is only a dream.

  • This reminds me of the 1992 film Sneakers and the “My voice is my passport. Verify me” social engineering hack.
    https://www.youtube.com/watch?v=n5GzlOpf3KA

  • It appears that Google is unaware of what a backup password registered in case of false rejection means for security.

    Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords only. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.
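
The AND/OR argument in the last comment, written out as an added derivation that is not part of the comment or the article. The symbols are assumptions introduced here: $B$ is the event that an attacker gets past the biometric check (for example with a recording of the owner's voice), $W$ is the event that the attacker gets past the backup password or PIN, and $R_B$, $R_W$ are the events that the legitimate owner is falsely rejected by each check.

$$P_{\text{OR}}(\text{attacker unlocks}) = P(B \cup W) = P(B) + P(W) - P(B \cap W) \ge \max\{P(B),\, P(W)\}$$

$$P_{\text{AND}}(\text{attacker unlocks}) = P(B \cap W) \le \min\{P(B),\, P(W)\}$$

$$P_{\text{OR}}(\text{owner locked out}) = P(R_B \cap R_W) \le \min\{P(R_B),\, P(R_W)\}, \qquad P_{\text{AND}}(\text{owner locked out}) = P(R_B \cup R_W) \ge \max\{P(R_B),\, P(R_W)\}$$

None of these bounds needs the two checks to be independent. Under OR the attacker's chance is never lower than $P(W)$, the chance against the password alone, while the owner's lockout rate can only fall; under AND the attacker's chance can only fall and the owner's lockout rate can only rise.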