Skip to main content
  1. Home
  2. Computing
  3. News

Cortana flaw enables hackers to load malicious websites from the lock screen

Kevin Parrish
By

Two independent Israeli researchers recently discovered that anyone with access to a Windows 10 PC could use Cortana and a USB-based network adapter to download and install malware even if the machine remained locked. This was accomplished using voice commands directed to Cortana, which could load up a malicious website in a browser without unlocking Windows. The PC could also be moved to a wireless network controlled by the hacker. 

The two researchers, Tal Be’ery and Amichai Shulman, presented their method in a session called, “The Voice of Esau: Hacking Enterprises Through Voice Interfaces” during the Kaspersky Analyst Security Summit in Cancun, Mexico, last week. Their attack relied on Cortana’s ability to keep the microphone active at all times to receive voice commands, especially PCs that aren’t restricted to a single user’s voice. The attack also required physical access to the target PC. 

Recommended Videos

In their scenario, a hacker could sit down in front of a locked Windows 10 PC and insert a network adapter into one of the USB slots. After that, the hacker could verbally tell Cortana to open the web browser and head to any specific HTTP-based address that doesn’t rely on a secure connection (HTTPS means the connection is encrypted). The inserted adapter receives the outgoing command but directs the web browser to a malicious website instead. 

Related

The malicious destination is designed to download malware to the machine even though it’s still locked. After that, the PC is at the mercy of the hacker. As previously stated, a hacker with physical access to the Windows computer can switch to a wireless, malicious network through the USB adapter: just click on the destination using a mouse even though the PC remains locked. 

Windows 10 provides several settings regarding Cortana. For starters, device owners can toggle on or off the ability for the virtual assistant to respond to the “Hey Cortana” voice command. There is also a checkbox to prevent the device from sleeping when it’s plugged in so Cortana can respond to commands. Most importantly, there are two main settings for voice command acceptance: Let Cortana respond to anyone or lock Cortana to one specific voice. 

That is not all. There is a specific setting for the lock screen, enabling users to enable or disable voice commands while the PC remains locked. Windows 10 also provides a keyboard shortcut you can toggle to disable or enable Cortana commands after pressing the Windows logo key and the “C” key simultaneously.  

“We still have this bad habit of introducing new interfaces into machines without fully analyzing the security implications of it,” Be’ery said. “Every new machine interface that we introduce creates new types of vehicles to carry an attack vector into your computer.” 

Ultimately, Microsoft resolved the issue discovered by Be’ery and Shulman. Browser-based commands made to Cortana on the lock screen now go directly to Bing, the company’s search engine. But because Cortana responds to other commands, the duo is currently investigating how these commands can be used for malicious purposes as well. 

Editors' Recommendations

Topics
Kevin Parrish
Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Samsung’s crazy 57-inch curved 4K monitor is $700 off today
The Samsung Odyssey Neo G9 57-inch mini-LED gaming monitor placed on a desk.

Your investment in gaming PC deals will  go to waste if you don't upgrade your screen, and if you're willing to splurge for the best possible gaming experience, you'll want to go for the 57-inch Samsung Odyssey Neo G9 curved gaming monitor. It's pretty expensive at its original price of $2,500, so you're going to want to take advantage of any discounts that are available. Fortunately, Samsung has slashed its price by $700 so it's down to $1,800 -- it's still not cheap, but once you're playing your favorite games on this monitor, you'll quickly understand why it's worth every single penny.

Why you should buy the 57-inch Samsung Odyssey Neo G9 curved gaming monitor
The Samsung Odyssey Neo G9 curved gaming monitor features a 57-inch screen with dual 4K Ultra HD resolution and a 1000R curvature, so it will fully immerse you in the worlds of the video games that you play with its lifelike details and vivid colors. It also supports HDR 1000 for better visual accuracy, and it uses Quantum Matrix technology for controlled brightness and improved contrast.

Read more
This Lenovo ThinkPad laptop with 32GB of RAM is 35% off right now
lenovo thinkpad t16 laptop deal april 2024 promotional render

Lenovo often has some of the best laptop deals around with the current price on the Lenovo ThinkPad T16 Gen 2 one of the more appealing right now. Usually priced at $2,069, it’s down to $1,345 for a limited time only. Granted, the original price is one of Lenovo’s estimated value system prices so it may be overly optimistic but whatever the true discount, $1,345 is a great price for a system packed with great hardware. If you want to learn more about it, scroll down while we take you through everything.

Why you should buy the Lenovo ThinkPad T16
Lenovo is one of the best laptop brands for business laptops and the Lenovo ThinkPad T16 Gen 2 is a perfect example of that for work purposes. It has an AMD Ryzen 7 Pro 7840U processor along with a huge 32GB of memory. There’s also 1TB of SSD storage so you won’t run out of room for all your most valuable files.

Read more
This mini PC, and I do mean mini, has a Ryzen 7000 tucked inside for $200 off
Geekom A7 Mini PC with AMD Ryzen 7 for gaming showcased.

Computing, or small computing, has come a long way in recent years. Thanks to renewed interest in more manageable desktop sizes, even for PC gaming, we've seen a boon in the small PC world, namely with small form factor PCs (SFFPCs). For good reason, people are more interested in systems that take up less space, are more efficient, especially with energy usage, and can be placed in new areas, like their living rooms. There is now a whole category of small and mini PCs, and although they are bite-sized, they still pack a punch. Take Geekom's A7 Mini PC, which has an AMD Ryzen 7000 series tucked inside. That's no slouch on its own, but it also has 64GB of DDR5 RAM, WiFi 6E, and AMD Radeon graphics that supports up to four displays. All of that is packed inside an ultra-slim, space-saving case about the size of a book. Incredible. The top-tier model is currently $200 off, down to $649 instead of $849, when you use code digitaltrendsa7 at checkout. That code is valid in the US and the UK.

 
Why you should buy the Geekom A7 Mini PC

Read more