Tuesday, April 07, 2009

How they'll break the 3D CAPTCHA

Just a quick note, to point out how the "unbreakable" 3D CAPTCHAs, recently publicised, could probably be broken rather easily. I don't want to turn this into a blog about CAPTCHA, but a friend called me on my off-hand claim, last week, that the 3D CAPTCHAs I mentioned are just as breakable as existing varieties (or more).

There only seem to be a few dozen possible objects, judging by the many repeats when you get a new puzzle. The 2D images of the objects may look very different from some different viewpoints (staring down a toilet bowl as opposed to looking at it from the side), but if you had stored solutions for a few hundred views of each object, every puzzle displayed would be within 10 degrees of a solved reference, and so very similar and identifiable by some standard 2D image processing. Since the object pool is so small, a reasonable amount of manual or semi-automated CAPTCHA solving would provide the necessary reference. There aren't many "big rotations" of each object, and the "small rotations" are just another kind of light distortion to apply to an image (probably easier to handle than today's prevalent CAPTCHAs' wavy distortions, noisy backgrounds, and random squiggles). Enlarging the object database to a useful size may require a lot of work, and there may not be more than a few thousand easily-distinguishable object types, anyway.

Now, the way many text CAPTCHA schemes got over dictionary-based CAPTCHA attacks (which also rely on the list of possible puzzles being rather small) is by displaying not words, but random letter sequences. Generating a random artificial 3D object is likely to make the puzzles unreasonably hard for us humans; in the puzzle shown above, the airplane is recognisable as two views of the same object, only because we know what an airplane is. There are other ways to evade an attack based on the small selection of possible puzzles, and, as always, adding noisy backgrounds and squiggles will slow down the CAPTCHA-breakers, but by that point it's just back to the usual arms-race between CAPTCHA makers and breakers...


  1. Except you can easily put random texture maps on the 3D objects, and textures in the background, making it nearly impossible for image recognitio to make out the object.

  2. Info in your blog help me with my project, whitch based on букмекеры