The Dark Side of Microsoft’s New Voice Cloning Feature: Innovation Enabling Risk

Microsoft will release a new Teams feature that allows users to clone their voice so the system can translate their conversation into different languages in real time. However, this amazing technology has a dark side as malicious attackers may misuse the capability as part of voice cloning scams for social engineering attacks.

The new interpreter agent will simulate the user’s speaking voice as it translates to different native languages for meeting participants. As the conversation unfolds, attendees will hear the translated dialogue in the simulated voice of the speaker, allowing for two-way conversations to occur — “for a more personal and engaging experience”, according to Microsoft.

While I applaud Microsoft and the other companies who are working on similar technology and collectively driving a new era for cross-language communication, such powerful innovation comes with serious risks. Integrating voice cloning technology into mainstream products will significantly enable the already problematic and increasing deepfake crisis.

A Cybersecurity Nightmare in the Making

Cybercriminals understand how powerful deepfake technology, including the imitation of peoples’ voices, can be in committing fraud, obtaining or resetting credentials, or harassing targets. Therefore, technology providers must protect such tools at a higher level to reduce the risks of abuse.

Unfortunately, Microsoft is providing very few details indicating security forethought in its announcements. Like the recent Microsoft Recall feature debacle, this stands to benefit the attackers more than the users. Microsoft should have recognized the inherent voice-cloning risks and proactively “built-in” appropriate security controls to lead with as part of the marketing announcement. Wrapping such dual-use capabilities with strong security, notification validation, and authentication controls to limit its misuse is a good start.

The Need for Leadership and Foresight

At a strategic level, this may emerge as yet another security misstep by Microsoft, which has been recently plagued by many security blunders, including expired security certificates, system compromises, service exploitations, and a slew of product features that introduced unnecessary risks to users.

Microsoft’s CEO has publicly committed to correcting the systemic issues but more such issues have arisen after their declaration.

Although I have no doubt an army of Microsoft Security Engineers and Architects are diligently working to make sure there are no code vulnerabilities, they are not applying requisite security expertise to understand how such features will be wielded to the detriment of their customers and embedding appropriate measures to protect from misuse. They continue to be preoccupied with creating innovative features, without taking the time to understand the risk ramifications to their customers and proactively implementing security fundamentals that go beyond just code reviews.

As the backlash from the cybersecurity community once again grows for a new Microsoft feature, I expect security will be ”bolted-on” to help abate the concerns. Such post-actions are less than optimal and showcase the continuing shortsightedness in Microsoft’s cybersecurity strategic leadership.

I have been critical of the systemic lack of Microsoft’s security leadership in the past, even going as far as writing an open letter to CEO Satya Nadella and predicting continued blunders that will befuddle their leadership. If the strategic leadership concerns are not addressed, issues will continue to surprise Microsoft’s top executives and board members in seemingly unrelated ways across projects, products, and services in the future.

As Microsoft continues to push the boundaries of technological innovation, it must pair these advancements with strategic foresight and a commitment to cybersecurity.