2020-11

Information security often takes the form of an arms race, as attackers develop novel ways to use or abuse services on the web to their benefit, and defenders scramble to adapt to and block these new techniques.

Few technologies better exemplify this arms race than the web element known as CAPTCHA. This component is designed to identify and block bots that attackers use to automate and scale up attacks such as credential abuse, web scraping, or, in the case of tools like sneaker bots, to quickly buy up limited supplies of commodities like fashionable sneakers.

CAPTCHAs weed out bots by presenting puzzles within the browser’s response that ostensibly only humans can solve. In the beginning, these puzzles were mostly visual and usually required users to parse distorted text and type it in.

Over time, CAPTCHAs have come to include different types of puzzles, including identifying specific objects within a complex image, transcribing short audio files, or solving logical puzzles, such as turning an image right-side-up.

The Human Solver Phenomena

For more than a decade, however, attackers could circumvent CAPTCHAs at scale and speed, not through advances in computer vision or artificial intelligence, but by identifying the puzzles and farming them out to networks of human workers (known in this industry as solvers) in developing economies, then returning the correct responses so that the bots could continue with their assigned task.

These services cost attackers (that is, the customers of the solver service) roughly USD 1-3 per 1,000 correct solutions, depending on the service and type of puzzle. The solver networks, however, pay workers only about USD 0.40 per 1,000 accurate solutions. Depending on the solver’s speed, that puts their pay anywhere from USD 2 to 5 per day.

Case in point: in India, a single network of 7 human CAPTCHA solvers can solve 50,000 CAPTCHAs daily, working around the clock, for approximately USD 2 per 1,000 entries.

To be clear, as of 2020, the risk that human CAPTCHA solvers present is now more or less manageable (if not solved) for multiple reasons.

For one, it is an old practice with which security practitioners are widely familiar, and several security vendors have devised ways to detect human CAPTCHA solver networks. Some security vendors have developed bot mitigation or anti-fraud solutions to replace CAPTCHAs. Meanwhile, advances in artificial intelligence-based CAPTCHA solvers threaten to make the human solver networks obsolete.

So why dive into these human solver networks now? Despite the low risk, this practice deserves a thorough examination because of the simple nature of the hack.

Instead of competing with defenders to develop sophisticated artificial intelligence, CAPTCHA solvers use low-cost, globally distributed human labor as a front end for a botnet. This approach to the problem illuminates a fundamental aspect of the battle between attackers and defenders in information security. Just as the CAPTCHA element exemplifies the arms race, this method of circumventing security controls reveals that security practitioners often misrecognize the nature of the attacker’s advantage.

Unpacking that misrecognition can provide clues to general guidelines for designing future controls that could transcend this arms race and stand the test of time.

Reassessing the Information Security Arms Race

The thing that makes the human CAPTCHA solvers so instructive about the security arms race does not lie in the technical details. Rather, it is the most fundamental thing about them. Instead of exploiting coding errors or misconfigurations that lead to vulnerabilities, human CAPTCHA solvers exploit assumptions about the value of human labor time. That is, CAPTCHAs are designed around system owners’ assumptions that it is not possible to use human labor to scale up the kinds of attacks that the CAPTCHA solver customers undertake.

In one way, that assumption is correct. The skilled labor that actual attackers represent is too expensive to multiply by hundreds or thousands within a short time frame. However, the comparatively unskilled labor required to solve a CAPTCHA is not too expensive, given the necessary infrastructure that allows this fragmented, distributed labor supply to meet its demand.

The result is that, in the 21st century, attackers pay humans poverty-line wages to act as a front end for bots, which in turn act like humans, to use an information system in a way for which it was not designed. This illuminates the core issue: for the attackers, it was never really about the bots—it was about scalability.

The bots were a means to an end; when defenders made life hard for bots using CAPTCHAs, attackers found humans to front for them. Faced with a battle that, on the surface, seemed to be about artificial intelligence or computer vision, attackers instead found a way to reframe it in terms of the cost of human labor.

What this means in practical terms

Security practitioners are often preoccupied with tactics, techniques, and procedures (TTPs) because they are the details that allow people in a security operations center (SOC) or in forensic analysis to diagnose or mitigate an attack.

However, the CAPTCHA solvers demonstrate that when it comes to designing proactive controls or security programs (instead of mitigating ongoing attacks), focusing on TTPs is only going to get us so far. This is because TTPs often represent a set of disposable means to the attacker.

On some level, we can boil the entire history of the security arms race down to the attacker community declining to fight on the terms that the security community has laid out and instead seeking another way around them, forcing security practitioners to adapt in turn.

By contrast, controls that can invalidate entire strategies like scalability, persistence, or concealment would offer greater utility across time, space, and diverse systems. In other words, TTPs are critical in many applications of information security, but they are neither the final word nor the only game in town.

In practical terms, controls that operate at this strategic level will necessarily raise questions of application architecture and even of business models. The idea of incorporating information security more deeply in the business is neither new nor controversial.

Still, the implication here is that it represents an opportunity to reduce security costs by making efforts across the board more proactive. I do not mean to imply that the time and expertise dedicated to mitigating bots have been ill-spent, but I think that focusing on why attackers are doing something can be as productive as focusing on how they are doing it.

--Sander Vinberg is a Threat Research Evangelist for F5 Labs. The views expressed are personal.