Researchers Bypassed Windows Password Locks With Cortana Voice Commands (vice.com)
Two independent Israeli researchers found a way for an attacker to bypass the lock protection on Windows machines and install malware by using voice commands directed at Cortana, the multi-language, voice-commanded virtual assistant that comes embedded in Windows 10 desktop and mobile operating systems. From a report: Tal Be'ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer's browser and go to a web address that does not use https -- that is, a web address that does not encrypt traffic between a user's machine and the website. The attacker's malicious network adapter then intercepts the web session to send the computer to a malicious site instead, where malware downloads to the machine, all while the computer owner believes his or her machine is protected.
Since this requires physical access, I propose an alternate method: unscrew the laptop and put whatever devices you want inside.
This space intentionally left blank
It is a relatively simple matter to configure Cortana to ignore commands when the voiceprint of the issuer is not the owner of a machine account. Simply enabling this option would prevent this type of attack.
If a determined attacker has physical access to your machine, you've lost via any number of methods.