Cortana flaw enables hackers to load malicious websites from the lock screen

Two independent Israeli researchers recently discovered that anyone with access to a Windows 10 PC could use Cortana and a USB-based network adapter to download and install malware even if the machine remained locked. This was accomplished using voice commands directed to Cortana, which could load up a malicious website in a browser without unlocking Windows. The PC could also be moved to a wireless network controlled by the hacker. 

The two researchers, Tal Be’ery and Amichai Shulman, presented their method in a session called, “The Voice of Esau: Hacking Enterprises Through Voice Interfaces” during the Kaspersky Analyst Security Summit in Cancun, Mexico, last week. Their attack relied on Cortana’s ability to keep the microphone active at all times to receive voice commands, especially PCs that aren’t restricted to a single user’s voice. The attack also required physical access to the target PC. 

In their scenario, a hacker could sit down in front of a locked Windows 10 PC and insert a network adapter into one of the USB slots. After that, the hacker could verbally tell Cortana to open the web browser and head to any specific HTTP-based address that doesn’t rely on a secure connection (HTTPS means the connection is encrypted). The inserted adapter receives the outgoing command but directs the web browser to a malicious website instead. 

The malicious destination is designed to download malware to the machine even though it’s still locked. After that, the PC is at the mercy of the hacker. As previously stated, a hacker with physical access to the Windows computer can switch to a wireless, malicious network through the USB adapter: just click on the destination using a mouse even though the PC remains locked. 

Windows 10 provides several settings regarding Cortana. For starters, device owners can toggle on or off the ability for the virtual assistant to respond to the “Hey Cortana” voice command. There is also a checkbox to prevent the device from sleeping when it’s plugged in so Cortana can respond to commands. Most importantly, there are two main settings for voice command acceptance: Let Cortana respond to anyone or lock Cortana to one specific voice. 

That is not all. There is a specific setting for the lock screen, enabling users to enable or disable voice commands while the PC remains locked. Windows 10 also provides a keyboard shortcut you can toggle to disable or enable Cortana commands after pressing the Windows logo key and the “C” key simultaneously.  

“We still have this bad habit of introducing new interfaces into machines without fully analyzing the security implications of it,” Be’ery said. “Every new machine interface that we introduce creates new types of vehicles to carry an attack vector into your computer.” 

Ultimately, Microsoft resolved the issue discovered by Be’ery and Shulman. Browser-based commands made to Cortana on the lock screen now go directly to Bing, the company’s search engine. But because Cortana responds to other commands, the duo is currently investigating how these commands can be used for malicious purposes as well. 


Hacker infects 100K routers in latest botnet attack aimed at sending email spam

An attacker is trying to infect your router with malware in order to send spam emails. If your router uses a Broadcom UPnP SDK, it could become vulnerable to this attack. So far, 100,000 routers worldwide have been infected.

Stop your PC's vow of silence with these tips on how to fix audio problems

Sound problems got you down? Don't worry, with a few tweaks and tricks we'll get your sound card functioning as it should, and you listening to your favorite tunes and in-game audio in no time.

Want to set up your own virtual private network? Here's how

Take a look at our walkthrough for creating a virtual private network and why it is beneficial for more than just increased privacy and security. We go step by step, detailing how to set up a VPN in both MacOS and in Windows 10.

Sending SMS messages from your PC is easier than you might think

Texting is a fact of life, but what to do when you're in the middle of something on your laptop or just don't have your phone handy? Here's how to send a text message from a computer, whether you prefer to use an email client or Windows 10.

The plug-and-play PC Classic joins the retro console bandwagon

Gaming company Unit-e is creating the PC Classic, a plug-and-play retro console that will come bundled with around 30 of the best DOS games. The system will support gamepads and keyboard setups.

Is your PC slow? Here's how to restore Windows 10 to factory settings

Computers rarely work as well after they've accumulated files and misconfigured settings. Thankfully, with this guide, you'll be able to restore your PC to its original state by learning how to factory reset Windows.

Mozilla’s built-in price-tracking extension makes it easy to shop with Firefox

Mozilla has heard those worries about Black Friday shopping, and is now introducing a new set of experimental extensions which aim to make it easier to find the best deals online.

Best Buy’s pre-Black Friday deal takes $330 off the 2017 Surface Pro bundle

If you don't need the latest Surface Pro, Best Buy has a heavily discounted rendition of the 2017 model available in its pre-Black Friday sale. For just $1,000, you can get the tablet with a Core i5 CPU.

If you've lost a software key, these handy tools can find it for you

Missing product keys getting you down? We've chosen some of the best software license and product key finders in existence, so you can locate and document your precious keys on your Windows or MacOS machine.

Buying a laptop on Black Friday? Don't make one of these rookie mistakes

Shopping for a laptop on Black Friday can win you some excellent deals, but you should also avoid making common mistakes. Check out what to avoid when buying a laptop for Black Friday and what danger signs to be wary of.

The Mac mini's price jump has crept into iMac territory. How do they compare?

Apple announced a long-awaited update to the Mac mini. Thanks to the updated specs and increase in price, it's begun to creep up to the base model iMac. In this guide, we now put up the specs on the newest refreshed Mac mini against the…

Our favorite Windows apps will help you get the most out of your new PC

Not sure what apps you should be downloading for your newfangled Windows device? Here are the best Windows apps, whether you need something to speed up your machine or access your Netflix queue. Check out our categories and favorite picks.

Ray tracing not an option until it comes to all graphics cards, says AMD

Although Nvidia already supports the ray tracing feature on its high-end new GeForce Turning series of chips, AMD seemingly hinted it doesn't feel like ray tracing is ready until it comes to all level of graphics cards. 

Turn your desk into a command center with the best ultrawide monitors

Top of the line ultrawide monitors have the deepest curves, the sharpest colors, and the biggest screens on the market today. You’re going to want one, sooner or later. So why not sooner? These are the best ultrawide monitors you can buy…