AI bots can now solve those pesky traffic light Captchas with 100% accuracy

ML model can emulate human mouse movements and fool captchas with fake browser history

by · TechSpot

The big picture: Captcha tests, which require users to click on grids of images to verify they are human, are among the most annoying things on the internet. Nevertheless, most users accept that they are necessary to prevent bots from clogging traffic, enabling fraud, or scraping data. However, as bots become increasingly advanced, the effectiveness of Captcha tests has diminished, with custom machine-learning software now able to bypass Google's implementation entirely.

Researchers from ETH Zurich have devised a machine learning program that can solve Google reCAPTCHA v2 image recognition challenges with perfect accuracy. Although these often-maligned tests are becoming obsolete, they still play an important role in internet security.

Captcha defenses have long been engaged in an arms race against bots designed to circumvent them. A study from last year found that bots could pass almost all Captcha variants more quickly and accurately than humans, thus defeating the purpose of a security measure intended to allow humans to pass while stopping bots.

The method from the Zurich study builds upon prior machine-learning models and significantly boosts their success rate. Open-source efforts and previous studies saw varying results with You Only Look Once (YOLO) models, but the latest experiment achieved 100 percent accuracy. Initially, these models could easily identify images of objects like traffic lights or cars but struggled with security measures that check for other signs of human activity.

Many Captcha tests also attempt to detect human-like mouse movements and read cookies to differentiate humans from bots. Some, like Cloudflare, consist of a simple page that checks for these signs while requiring minimal human input. Google's first line of defense is similar, but it can fall back on reCAPTCHA v2 image recognition tests in certain situations, making it potentially vulnerable to bots.

Achieving perfect accuracy with a YOLO model required modifying YOLOv8 with additional software to emulate mouse movements and simulate browser history. Furthermore, the researchers employed a VPN that dynamically changes IP addresses so the challenges wouldn't recognize multiple login attempts as originating from the same address.

The experiment demonstrates that the emergence of machine learning and generative AI might put Captcha technology in a critical position, as combinations of widely available software can now overcome these tests. Moreover, YOLOv8 can run locally on relatively modest hardware, increasing the potential for automated attacks on a massive scale using numerous inexpensive devices. Tech giants continue to search for alternative methods to protect internet traffic from bots.