Adversarial Detection Avoidance Attacks: Evaluating the robustness of perceptual hashing-based client-side scanning. (arXiv:2106.09820v1 [cs.CR])

End-to-end encryption (E2EE) by messaging platforms enable people to securely
and privately communicate with one another. Its widespread adoption however
raised concerns that illegal content might now be shared undetected. Following
the global pushback against key escrow systems, client-side scanning based on
perceptual hashing has been recently proposed by governments and researchers to
detect illegal content in E2EE communications. We here propose the first
framework to evaluate the robustness of perceptual hashing-based client-side
scanning to detection avoidance attacks and show current systems to not be
robust. More specifically, we propose three adversarial attacks — a general
black-box attack and two white-box attacks for discrete cosine-based-based
algorithms — against perceptual hashing algorithms. In a large-scale
evaluation, we show perceptual hashing-based client-side scanning mechanisms to
be highly vulnerable to detection avoidance attacks in a black-box setting,
with more than 99.9% of images successfully attacked while preserving the
content of the image. We furthermore show our attack to generate diverse
perturbations, strongly suggesting that straightforward mitigation strategies
would be ineffective. Finally, we show that the larger thresholds necessary to
make the attack harder would probably require more than one billion images to
be flagged and decrypted daily, raising strong privacy concerns.Taken together,
our results shed serious doubts on the robustness of perceptual hashing-based
client-side scanning mechanisms currently proposed by governments,
organizations, and researchers around the world.