Spoofing countermeasure systems protect Automatic Speaker Verification
(ASV) systems from spoofing attacks such as replay, synthesis, and
conversion. However, research has shown spoofing countermeasures are
vulnerable to adversarial attacks. Previous literature mainly applies
adversarial attacks to spoofing countermeasures under a white-box scenario,
where attackers can access all the information of the victim networks.
Black-box attacks would be a more serious threat than white-box attacks.
In this paper, our objective is to attack spoofing countermeasures in a
black-box setting using adversarial examples with high transferability. We used MI-FGSM
to improve the transferability of adversarial examples. We propose
an iterative ensemble method (IEM) to further improve the transferability.
Compared with previous ensemble-based attacks, our proposed IEM method,
combined with MI-FGSM, could effectively generate adversarial examples
with higher transferability. In our experiments, we evaluated the attacks
on four black-box networks. For each black-box model, we used the other
three as a white-box ensemble to generate the adversarial examples.
The proposed IEM with MI-FGSM improved the attack success rate by a relative
4–30% (depending on the black-box model) over the baseline logit ensemble.
Therefore, we conclude that spoofing countermeasure models are also
vulnerable to black-box attacks.