Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Bypassed Windows Password Locks With Cortana Voice Commands (vice.com)

Posted by msmash on from the security-woes dept.

Two independent Israeli researchers found a way for an attacker to bypass the lock protection on Windows machines and install malware by using voice commands directed at Cortana, the multi-language, voice-commanded virtual assistant that comes embedded in Windows 10 desktop and mobile operating systems. From a report: Tal Be'ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer's browser and go to a web address that does not use https -- that is, a web address that does not encrypt traffic between a user's machine and the website. The attacker's malicious network adapter then intercepts the web session to send the computer to a malicious site instead, where malware downloads to the machine, all while the computer owner believes his or her machine is protected.

55 of 90 comments (clear)

  1. Physical access by Gavagai80 · · Score: 4, Informative

    Since this requires physical access, I propose an alternate method: unscrew the laptop and put whatever devices you want inside.

    --
    This space intentionally left blank
    1. Re:Physical access by Anonymous Coward · · Score: 2, Funny

      The manufacturers have already done that!

    2. Re:Physical access by Anonymous Coward · · Score: 1

      Hey, lets see you put whatever devices you want inside a machine with bitlocker enabled ! Oh wait, that's right, it will lock itself down and say the hardware changed. On the other hand, this exploit of Cortana will allow you to bypass bitlocker and defeat the security....

    3. Re:Physical access by Anonymous Coward · · Score: 1

      Why a machine that is "in sleep and locked" does open a browser following user input? This means it's not so locked. And there's the user session still running so that may be a more interesting target than an encrypted turned off PC.

    4. Re: Physical access by Monster_user · · Score: 1

      This does not require physical access. A device can be reasonably securedfrom tampering, but stillbe accessible by various interfaces. Physical access is typically available when one has access to the microphone, but physical access isn't required in all possible scenarios.

    5. Re:Physical access by sgrover · · Score: 1

      we will wait while you think this one through....

    6. Re:Physical access by Ragnarok89 · · Score: 1

      If you can plug in a USB key, there's a much easier way to access the PC. Just install Kon-boot on the USB drive first, plug it in, and boot the PC. You're in. This works on Workgroup and Domain PCs, Servers, etc. Not sure what username to use? Try administrator...

      As for the subject of the original article: way to go MS... EPIC fail. Can't say I'm surprised though.

    7. Re:Physical access by OrangeTide · · Score: 1

      swap their Surface Book with an identical looking one that you have modified. They might be surprised the next time they turn it on that they have to log in again to sync their cloud data, but this is the perfect time to hijack their passwords and accounts.

      --
      “Common sense is not so common.” — Voltaire
    8. Re:Physical access by zlives · · Score: 1

      o man, this one never fails. works on iphones too

    9. Re:Physical access by thegarbz · · Score: 1

      unscrew the laptop and put whatever devices you want inside

      What's a screw? Mine is held together by glue and I couldn't get in myself even if I wanted to.

    10. Re:Physical access by Khyber · · Score: 1

      Heat guns work on pretty much every adhesive, including solder.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    11. Re:Physical access by WaffleMonster · · Score: 1

      Since this requires physical access, I propose an alternate method: unscrew the laptop and put whatever devices you want inside.

      Physical access is irrelevant in this case. From TFA:

      "allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer's browser and go to a web address that does not use httpsâ"that is, a web address that does not encrypt traffic between a user's machine and the website."

      In other words it is not necessary to install a BIW device. Any bad actor could intercept traffic at any point along the path or one could operate their own malicious site with the same effect pulling off the same stunt without ever touching the system in question.

    12. Re:Physical access by edtice1559 · · Score: 1

      That won't let you access any of the data, at least not if BitLocker is on. If you modify the hardware configuration, the TPM won't prouce the BitLocker key and the machine won't boot. It's just generic hardware at that point.

    13. Re: Physical access by c6gunner · · Score: 1

      If you can plug in a USB key, there's a much easier way to access the PC. Just install Kon-boot on the USB drive first, plug it in, and boot the PC.

      Doesn't work if the device is encrypted. Doesn't work if BIOS doesn't allow booting from USB. Probably won't work on most modern devices which have secure boot enabled by default.

      (Don't quote me on the last one)

    14. Re:Physical access by Calydor · · Score: 1

      This one has the advantage of not requiring a reboot, which means you can plug the USB in, do the voice commands, remove the USB, and the owner that returns from the bathroom a moment later will be none the wiser - the screen comes back up right on the Facebook post they were reading before.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    15. Re: Physical access by c6gunner · · Score: 1

      Heat guns work on pretty much every adhesive, including solder.

      The good news is, I got the cover off. The bad news is, there's a bunch of little chippy things rattling around.

    16. Re:Physical access by thegarbz · · Score: 1

      Heat guns work on pretty much every adhesive, including solder.

      I take it you haven't looked at the iFixit scores for some tablets. In many cases it's pretty much impossible to get into some devices without destroying the screen in the process.

    17. Re:Physical access by Khyber · · Score: 1

      Half the time they aren't even using the proper equipment, (get a real spudger, guys) so I don't bother with their reviews.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    18. Re: Physical access by kwbauer · · Score: 1

      Monster_user can Harry Potter the USB NA into the port. No physical contact necessary. That is why he is a monster!

    19. Re: Physical access by c6gunner · · Score: 1

      Good since you are pretty much incorrect. Secure boot just require secure boot enable boot device and os like windows pe or a number of linux distros for example

      Yeah, I tried that. Couldn't get the Linux iso to boot until I finally went into the windows settings and told it to allow it. And yes, the iso was secure boot enabled.

      But I definitely don't have a comprehensive understanding of how secure boot is supposed to work, which is why I added that disclaimer.

    20. Re:Physical access by thegarbz · · Score: 1

      Half the time they aren't even using the proper equipment, (get a real spudger, guys) so I don't bother with their reviews.

      Yeah indeed, let's complain about the people who open devices for a living don't have the right equipment and then draw parallels to some field based quick espionage.

    21. Re:Physical access by Khyber · · Score: 2

      "Yeah indeed, let's complain about the people who open devices for a living"

      No, they make videos for a living. I open devices for a living, far more than they have ever done. Hundreds of thousands in repair depots around the country.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    22. Re: Physical access by Monster_user · · Score: 2

      The USB was not required. It was merely a VERY effective means of exploiting this weakness.

      The USB allowed a direct Man in the Middle attack, which is why it doesn't work for HTTPS sites. A highly coordinated effort does not require physical access to the machine itself, on a weak link in key infrastructure and audible proximity to the device in question.

      The USB adapter serves the same purpose as a poisoned DNS cache or routing table.

      The USB device did not install software, Cortana did, as she was instructed to do so.

    23. Re: Physical access by Monster_user · · Score: 1
      Further down it was propose that an infected computer in an office could similarly infect neighboring computers via voice commands. Infect one machine through a locked door, and get the entire office infected overnight.

      "So this attack is not only limited to the physical access scenario but also can be used by attackers to expand their access and jump from one computer to another"

    24. Re:Physical access by bill_mcgonigle · · Score: 1

      (get a real spudger, guys)

      But from where?

      https://www.ifixit.com/Search?...

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  2. Nope by h8sg8s · · Score: 2

    Just another reason to not use Cortana or any of the other voice-activated appliances from Amazon, Apple, Google, etc.

    --
    Organization? You must be joking..
    1. Re:Nope by Sperbels · · Score: 1

      Logic failure. It is a reason not use Cortana. It's not a reason to not use Amazon, Apple, or Google.

    2. Re:Nope by Cinnamon+Beige · · Score: 1

      Just another reason to not use Cortana or any of the other voice-activated appliances from Amazon, Apple, Google, etc.

      Or have it not respond to vocal commands without a password, preferably one locked to a voice print and not just specific words, when locked down. However, given that I doubt anybody making these products will institute such a basic level of security until it's established that they cannot shift responsibility for security to a user when they either did not have the ability to secure it available, or what ought to be a basic security option only offered via a series of hidden super-sekret commands with few people even aware that they exist, no less how to access them.

    3. Re:Nope by zlives · · Score: 1

      limiting exposure is never a logic fail. what are the chances that the other software vendors don't have a zero day exploit on code written by monkeys.
      you have to do a cost analysis.

    4. Re:Nope by magarity · · Score: 1

      Logic failure. It is a reason not use Cortana. It's not a reason to not use Amazon, Apple, or Google.

      How do you know it isn't via Siri that the security firms get into Apple devices?

  3. History repeats by lucasnate1 · · Score: 4, Interesting

    In the past, you could hack into old windows machines by pressing F1 at password prompt. If the help file was missing, it would ask you to browse and find it, which would allow you to right click on executables and run them. Nice to see that some things never change.

    --
    Avantgarde Hebrew science fiction
    1. Re:History repeats by WallyL · · Score: 1

      I used the old method of swapping in command.exe as sethc.exe from some bootable medium, and then booting back to windows. Ta-da! Ownage of the administrator account.

    2. Re:History repeats by thegarbz · · Score: 4, Interesting

      You didn't even need a missing help file. If you could open the help bubble you could right click and click print. Then from the print dialogue you could open a proper windows help screen. From there if you opened the index search and opened a different help topic you'd get a full windows help screen with menubar. Then just click file, open, navigate to the windows folder, right click on explorer.exe and run it.

  4. Easily fixed by Anonymous Coward · · Score: 2, Informative

    It is a relatively simple matter to configure Cortana to ignore commands when the voiceprint of the issuer is not the owner of a machine account. Simply enabling this option would prevent this type of attack.

    1. Re:Easily fixed by ausekilis · · Score: 1

      You're putting a lot of trust in Grandma and Grandpa knowing how to dig into Cortana's config and enable it.

      Not everyone has a family member that can/will help protect them from themselves.

    2. Re:Easily fixed by sgrover · · Score: 1

      An OS security hole is an OS security hole - regardless whose computer it is on. If it is on Grandma's computer, then it is on Bob's Small Business computers, or Jane's government computer. Situations always come up where the best effort by skilled techs are rendered meaningless and only the core OS protections are left. If your core OS defaults to an unsafe setup, then that is a problem. I think Listening while in sleep mode is unsafe at anytime. Now, if an attacker has physical access to your device in the first place, then you have a different problem that needs to be solved. Probably first.

    3. Re: Easily fixed by Monster_user · · Score: 1

      It is also worth noting, this does not require physical access, merely physical proximity.

    4. Re:Easily fixed by kwbauer · · Score: 1

      But saying that Bob or Jane cannot be expected to have more knowledge than Grandma and Grandpa is a departure from the path.

      "Hey, this is fixable by doing X"

      "Retired old farts can never be taught to do X"

      "What do retired old farts have that somebody would physically break into their house to mess with their computer"

      "What about government employee's with Top Secret clearance?"

      Okay, I give up. sgrover is correct. As long as we hand out Top Secret clearances to people as unreliable as Hillary Clinton, we can never be secure.

    5. Re: Easily fixed by Monster_user · · Score: 1

      No. It involves intercepting unencrypted traffic over the network. The USB NIC is only a foolproof option to guarantee that the traffic is intercepted.

  5. Physical access by chaotixx · · Score: 4, Informative

    If a determined attacker has physical access to your machine you've lost via any number of methods.

  6. Marketing over security by swb · · Score: 4, Insightful

    Wow, what a fail by Microsoft. It should be beyond obvious to anyone with a pulse that not providing a way to completely disable Cortana opens computers up to an entire Pandora's box of security vulnerabilities.

    It's totally obvious Microsoft is just jamming this down everyone's throat, especially business users, because they know they can get big (and mostly bullshit) "adoption" numbers and operational data for Cortana.

    Of course the larger problem is nobody wants Microsoft's bullshit attempts to re-invent themselves as Google, Amazon/Alexa or Apple/Siri. So they will cram it down everyone's throats and get some minor level of usage just because it's there even though it aggravates most everyone else.

  7. Just disable it by ourlovecanlastforeve · · Score: 1

    Since the last big Windows update Cortana was coming up every time I touched the touchpad, so I just removed Cortana entirely with a Powershell script I found on the Internet.

  8. hardware limitations by Gilgaron · · Score: 1

    Do these voice assistants respond to any sound frequencies the microphone can pick up? You might be able to pull this off with something people can't hear well, too, if you can trick the algorithm into matching your out of human hearing band to speech.

    1. Re:hardware limitations by SandorZoo · · Score: 1

      They can do, yes. The article links to a piece about a so-called dolphin attack, that gets voice assistants to respond to ultrasonic signals.

  9. What does the network adapter have to do with it? by Anonymous Coward · · Score: 2, Interesting

    I don't get it. The attack as described involves plugging in a compromised network adapter so that you can tell Cortana to go to an insecure website, and instead direct the machine to a different site that serves malware. Why not skip the network adapter, and just tell Cortana to go straight to a malware site instead?

  10. In a related tactic ... by CaptainDork · · Score: 1

    ... hackers do a home invasion and make the user type in stuff.

    --
    It little behooves the best of us to comment on the rest of us.
  11. I thought that Cortana was useless by OneHundredAndTen · · Score: 1

    However, this seems to prove that it is worse than useless.

  12. Re:Nope, Not enough by BoRegardless · · Score: 1

    If you have proprietary or sensitive info, it ought to be only on a non-connected PC/Mac, whatever.

    There are too many bugs in Windows. I don't care what promises Microsoft and Satya have to say.

  13. Checklist by thegreatbob · · Score: 1

    No Cortana? Check. We're good.

    --
    There is no XUL, only WebExtensions...
  14. Re:What does the network adapter have to do with i by scdeimos · · Score: 1

    I also don't get it: at what point does Windows decide a newly plugged-in USB network adapter should get all traffic routed to it instead of the existing cable/Wi-Fi connection?

    If the weakness is Cortana always listening and able to be directed to a non-SSL web site why not attack the Wi-Fi access point or the modem/router?

  15. Re:What does the network adapter have to do with i by scdeimos · · Score: 1

    I also don't get it: at what point does Windows decide a newly plugged-in USB network adapter should get all traffic routed to it instead of the existing cable/Wi-Fi connection?

    Because this is /. and I didn't read TFA, here's the answer to my own question:

    "One of the things we saw was that even when a machine is locked, you can choose the network to which that machine is attached," he notes.

    That's just fucking stupid.

  16. Novel Idea by DarthVain · · Score: 1

    or perhaps best suited for a movie...

    but I somehow would like to see someone remotely hack an Alexa to utter voice commands to Cortana, to bypass Windows security and gain access to "sensitive files"...

    Who knows maybe they will get into an argument, or have built in hard-coding to give each other the silent treatment.

    As far as the movie option, it'll probably never happen as the producers would probably get sued into oblivion by the tag team of Amazon and Microsoft...

    1. Re:Novel Idea by kwbauer · · Score: 1

      Nah, the script will have Cortexa talking to Alana. No trademarks infringed.

  17. that lockscreen tho by bobmajdakjr · · Score: 1

    it does bother me though that the shutdown and network select is on the lock screen and works without any verification. has since forever.

  18. insecure by design levels up by epine · · Score: 1

    People used to say "a woman's work is never done". At least this story conveys a hint of gender parity.