The voice commands enabled, multi-language Cortana virtual assistant is probably the most talked about feature that comes with Windows 10 desktop and mobile versions. It performs a number of special functions to help users including opening apps, informing about discount coupons and carrying out basic mathematic calculations.
Cortana contained a critical vulnerability
From the outlook, Cortana seems like the perfect AI assistant but according to the findings of Israeli researchers Tal Be’ery and Amichai Shulman, Cortana is far from perfect as it offers hackers an easy gateway to hack Windows 10 PC despite if it is locked.
Cortana has been developed in a way that if enabled it listens and responds to voice commands at all times even when the computer is locked and the software also allows direct browsing to websites. The researcher duo claims that an attacker can hack a computer by issuing voice commands and force it to visit a non-HTTPS website.
According to researchers, the attack requires a USB network adapter which when attached to the victim’s PC, the traffic to the PC is intercepted and redirected to the malicious website that the attacker has loaded with malware. Using a mouse, an attacker can connect the targeted PC to any Wi-Fi network.
However, the attack method relies upon having physical access to the target machine, which serves as the only hindrance to attackers. But, it must be noted that physical access is needed only for compromising the first computer and not to amplify the attack.
“So this attack is not only limited to the physical access scenario but also can be used by attackers to expand their access and jump from one computer to another. very much could be like a Hollywood movie where everyone is asleep and no one is in the office and the computers come to life and are shouting at each other,” Tal Be’ery told Motherboard.
This means, when a computer is infected, it can be forced to communicate with other computers available on the local network and spread the infection using a technique called ARP Poisoning. This method allows an infected PC to trick the machines on the local wireless network to route their incoming traffic via the attacker’s network.
Shulman noted that “even when a machine is locked, you can choose the network to which that machine is attached. It’s interesting if it’s to abuse a locked computer but .. it’s more interesting if it can be done remotely.”
Microsoft was informed about this issue and the company took immediate measures by passing Cortana’s internet requests via Bing but the software still responds to requests when the PC is locked. To ensure that your computer stays protected, you need to disable Cortana on Windows 10 lock screen by accessing Settings> Cortana and disable the option “Use Cortana even when my device is locked.”
Tal Be’ery stated that the issue is caused by the developers’ penchant to introduce new interfaces into computers without properly assessing their security implications. It is, therefore, important to discover loopholes associated with voice commands on new command interfaces such as those that rely upon hand gestures.
Shulman added that: “we start with proximity because it gives us the initial foothold in network. We can attach the computer to a network we control, and we use voice to force the locked machine into interacting in an insecure manner with our network.”
Until then, to protect computers users can configure it to password-lock after a specific duration when the machine is inactive, which would prevent someone from infecting the computer by gaining physical access. This would also discourage nosy colleagues from taking a sneak peek on your home screen while you are not on your desk and in other situations when you are away from your computer.
The researchers plan to present their findings at the Kaspersky Analyst Security Summit due to be held on Friday in Cancun. A proof-of-concept dubbed as Newspeak or Fake News Cortana has been developed by Be’ery and Shulman. Newspeak can monitor all requests and responses made to Cortana on a network.
Previously, a similar attack called Dolphin Attack was revealed by researchers in which voice assistant apps Siri and Alexa were found vulnerable to attacks including using simple command like “Hey Siri” to forcing the iPhone to open a malicious website or even asking Nexus 7 to call on “1234567890”, or Amazon’s Echo could be asked to “open the backdoor.”