Slashdot Mirror
Remote Exploit of Vista Speech Control
An anonymous reader writes "George Ou writes in his blog that he found a remote exploit for the new and shiny Vista Speech Control. Specifically, websites playing soundfiles can trigger arbitrary commands. Ou reports that Microsoft confirmed the bug and suggested as workarounds that either 'A user can turn off their computer speakers and/or microphone'; or, 'If a user does run an audio file that attempts to execute commands on their system, they should close the Windows Media Player, turn off speech recognition, and restart their computer.' Well, who didn't see that coming?"
Microsoft cautioned everyone not to play the song "Hit Me Baby One More Time" by Britney Spears on or near your computer while the mic is on.
Several lawsuits already involve brutal crimes by computers against annoying young teeny bopper women. Although we can't act like we didn't see this coming, tension has been steadily rising.
My work here is dung.
Is that a remote exploit?
One ring to bind them - should probably have more fiber and less rings in their diet.
Taking a computer that obeys audio instructions, and playing it some audio instructions, is more of a 'duh' than an 'exploit'. But this problem is a very Good Thing. It can only mean:
-- EITHER people stop yakking on about voice computing, which has been the Way Of The Future since about 1935 or something
-- OR pressure is exerted on web designers to NOT make sites that start making noise the moment the page appears!
Either of these, but especially the latter, would be a big win. So here's to you, Mr. Exploit Finding Man!
Whence? Hence. Whither? Thither.
c:> Dear aunt, let's set so double the killer delete select all: Command not found
I wouldn't call it a bug. I'd call it a very bad idea to use a microphone without a switch for voice recognition. Your television could theoretically do things on your computer. Does that sound like a possibility you want to entertain? Get a mic with a switch, or get rooted.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
All voice recognition software, no matter what platform, would suffer from this supposed "exploit". So why this article on Vista specifically? What is the real agenda here? Also, if the voice recognition software is trained for a specific user's voice, the chances of an exploit are reduced.
"Open Terminal For Matt See Yes Im sure Reice Tart!!"
More than ten years ago I was playing with the speech recognition software that shipped with MacOS 7 or something and I though being able to check my e-mail without getting out of bed was pretty cool. At the time I wrote something about the technology and predicted that speech activated commands would never take off until: 1, most audio people listened to was controlled by the computer, and 2, the computer was smart enough to filter out the sounds it was emitting before processing commands. At the time a lot of people listened to music from their computer and I imagine many still do. Why can't the computer ignore all that sound? It knows it is outputting it so why not filter it? It is sad that the same missing feature is still a problem, so many years later.
I just watched 2001: A Space Odyssey on my machine... this may be my last post.
Years ago when I worked in a shop that used OS/2 (one late version of which included speech recognition), we used to play pranks on each other all the time using that 'feature'. Things like changing a startup sound to be two minutes of silence followed by a verbal shutdown command, or changing confirmation prompt sounds to be 'cancel'. Good fun. The random 'select all / delete / yes' was the best, though.
The geek watching Andromeda. "Fire all missles"
Fight Spammers!
I mean, look:
"Microsoft has said that even if the machine was primed to accept voice commands it would be unlikely the user would not be in the room to hear the file with malicious instructions being played."
Yeah, nobody ever leaves their computer unattended.
And of course, it would be completely impossible for a Trojan to pipe appropriate sounds directly to the input buffer of the sound hardware, thus negating the need for it to be played through your speakers at all. As we all know, Windows is completely watertight against that sort of thing.
This raises an interesting possibility, though - what if you could confuse the recogniser itself into making false positives? You could, for example, persuade it to recognise silence as a command of your choosing.
Best way round this is probably to prevent people doing potentially destructive operations via voice commands. But if this isn't suitable, you could employ clever confirmation strategies, like "If you're sure you want to delete c:\windows, please say the following words..." with the words in question being drawn from a dictionary. No malware could anticipate the sequence (although I suppose you could set the recogniser to work against itself, by playing the text-to-speech engine's own output back to it and triggering recognition).
Hmm. Promises to be quite fun, this.
to create malicious audio files with OS X (10.3 or later), fire up Terminal and use 'say': :-)
$ echo "format sea slash you" | say -o evil.aiff
This makes your messages with a nice, clear, even voice--wouldn't want a bunch of 'um's and 'ah's borking up your exploit, now would you.
`man say` for more options.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
If they don't prevent them from running arbitrary commands, you know 5 years in the future that every time term end comes around there will be some naked freshman running through the uni library/labs shouting "quit without saving! yes! reboot! yes! shutdown -h now!"
Me and my friends have been waiting for this and joking about it since IBM Via Voice and Dragon Speak. A whole new era of IT pranks and cyberterrorisim awaits us. Imagine bursting into a room full of PCs and yelling
:-)
"FORMAT DRIVE C! CONFIRM!".
Instant fun.
Makes me feel all soft and gooshy inside just thinking of it.
We suffer more in our imagination than in reality. - Seneca
Userfriendly had predicted the fate of voice recognition six years ago - rm -rf / and yet again !.
Quidquid latine dictum sit, altum videtur
I am shocked! Damn you Bill, I really believed you when you said Vista is "dramatically more secure than any other operating system released". My world view is turned upside down now :(
We often refuse to accept an idea merely because the tone of voice in which it has been expressed is unsympathetic to us
Find office with 10 or 15 stations with shiny new copies of Vista. Verify through other means that mics and voice commands are on. Run in, and yell as loud as you can the commands that will shut down the machines. Don't run out yet!
Watch people panic at their keyboards. Listen to their gasps as the hard disk spins down and their monitors cut off, at which point they all stare at you. Wave. And then run.
An exploit is, by definition, a successful manipulation of a bug/omission/hole/whatever in a computer system to make it perform something that it was not designed to do. Usually this term is only applied when said action is harmful or potentially harmful.
What is being described here is the possibility of controlling the voice recognition system in Vista remotely to make it perform potentially harmful tasks. Furthermore, this functionality is not something that said system was designed to do; it was only designed to accept commands via microphone.
Therefore, what is being described here is an exploit.
Q.E.D.
I hear there's rumors on the Slashdots
I expect someone to come up with a site that says:
"Start Internet Explorer"
"Go aytch tee tee pee colon slash slash gee oh ay tee ess ee dot see ex"
Brrr...
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Adrian responded to this on the Microsoft Security Response Blog.
Issue regarding Windows Vista Speech Recognition
Hey everyone this is Adrian and I am writing to try and clear up some concerns regarding a recently reported vulnerability in the Speech Recognition feature of Windows Vista. An issue has been identified publicly where an attacker could use the speech recognition capability of Windows Vista to cause the system to take undesired actions. While it is technically possible, there are some things that should be considered when trying to determine what the threat of exposure is to your Windows Vista system.
He goes on to list reasons why this is not a major issue. The first being that voice commands have to be turned on and configured for this to work.
He ends with
While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue on your new Windows Vista installation.
I think he's right. If this was a serious problem, the MacOS and OS/2 "exploits" mentioned above would've received a lot more press. Still, I expect in a future version, the voice software will be smart enough to ignore the computer's own output.
Personally, I don't like voice commands. They are necessary for users with certain impairments and useful for certain applications such as kiosks, but they are counterproductive in a shared-office environment and just plain weird on my desktop. Even on Star Trek - The Next Generation much of the computer input was via control consoles not voice.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Now I see why Microsoft doesn't want you to change the Vista startup sound.
Time to quote a usenet classic:
Last year, out in California, at a PC users group, there was a demo of
smart speech recognition software.
Before the demonstrator could begin his demo, a voice called out from the
audience:
"Format c, return."
"Yes, return."
Damned short demo, it was.
OS Reviews: Free and Open Source Software
When your machine room starts doing a gregorian chant...
I have worked on both at Apple on PlainTalk and at MS Research on speech. When I was at Apple (around 1996) I poked my head into a co-worker's office who was testing PlainTalk and said loudly "Computer Shut Down". His computer then started shutting down. This "exploit" has been on the Mac since 1996 and nobody seems to have complained about it. I don't think it's a big deal.
PC: Hi I'm a PC
Mac: and I'm a Mac
PC: I have a cool new feature called voice control.
Mac: That is stupid. I have the Time-Machine which let's you recover old documents. Let's say you accidently delete the documents folder
PC: Okay
Mac: To get you documents back, all you have to do is slide the time machine back one minute.
PC: Sounds cool, but cant you just get the documents out of the trash?
Mac: Yes, but it works even if you accidentally empty the recycle bin
70% of statistics are made up.
PC: Hi I'm a PC ...
Mac: I hope he has his XP install CD handy....
Mac: and I'm a Mac
PC: I have a cool new feature called voice control.
Mac: That is stupid. I've had secure voice control for years
PC: Yes, but with your primitive voice control, the statements had to be in the right format, see?
Mac: OK, but that's why we call it secure. The user has to select a keyword that will trigger the commands.
PC:
PC: Hi! I'm a PC!
Mac: And I'm a Mac!
PC: I have a cool new feature called Voice Control!
Mac: FORMAT C!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Am I the only one who thought "Nam-shub of Enki" when I read this?
Yes.
I hereby place the above post in the public domain.