Cortana flaw enables hackers to load malicious websites from the lock screen

Two independent Israeli researchers recently discovered that anyone with access to a Windows 10 PC could use Cortana and a USB-based network adapter to download and install malware even if the machine remained locked. This was accomplished using voice commands directed to Cortana, which could load up a malicious website in a browser without unlocking Windows. The PC could also be moved to a wireless network controlled by the hacker. 

The two researchers, Tal Be’ery and Amichai Shulman, presented their method in a session called, “The Voice of Esau: Hacking Enterprises Through Voice Interfaces” during the Kaspersky Analyst Security Summit in Cancun, Mexico, last week. Their attack relied on Cortana’s ability to keep the microphone active at all times to receive voice commands, especially PCs that aren’t restricted to a single user’s voice. The attack also required physical access to the target PC. 

In their scenario, a hacker could sit down in front of a locked Windows 10 PC and insert a network adapter into one of the USB slots. After that, the hacker could verbally tell Cortana to open the web browser and head to any specific HTTP-based address that doesn’t rely on a secure connection (HTTPS means the connection is encrypted). The inserted adapter receives the outgoing command but directs the web browser to a malicious website instead. 

The malicious destination is designed to download malware to the machine even though it’s still locked. After that, the PC is at the mercy of the hacker. As previously stated, a hacker with physical access to the Windows computer can switch to a wireless, malicious network through the USB adapter: just click on the destination using a mouse even though the PC remains locked. 

Windows 10 provides several settings regarding Cortana. For starters, device owners can toggle on or off the ability for the virtual assistant to respond to the “Hey Cortana” voice command. There is also a checkbox to prevent the device from sleeping when it’s plugged in so Cortana can respond to commands. Most importantly, there are two main settings for voice command acceptance: Let Cortana respond to anyone or lock Cortana to one specific voice. 

That is not all. There is a specific setting for the lock screen, enabling users to enable or disable voice commands while the PC remains locked. Windows 10 also provides a keyboard shortcut you can toggle to disable or enable Cortana commands after pressing the Windows logo key and the “C” key simultaneously.  

“We still have this bad habit of introducing new interfaces into machines without fully analyzing the security implications of it,” Be’ery said. “Every new machine interface that we introduce creates new types of vehicles to carry an attack vector into your computer.” 

Ultimately, Microsoft resolved the issue discovered by Be’ery and Shulman. Browser-based commands made to Cortana on the lock screen now go directly to Bing, the company’s search engine. But because Cortana responds to other commands, the duo is currently investigating how these commands can be used for malicious purposes as well.