Microsoft’s smart assistant Cortana will helpfully let hackers change a password on locked computers, access data on the device and execute malicious code, a security researcher at cybersecurity company McAfee has revealed.
The vulnerability, patched Tuesday by Microsoft, is the result of default settings that enable the “Hey Cortana” voice activation from the lock screen.
As senior principle engineer at McAfee, Cedric Cochin puts it: “This led to some interesting behavior and ultimately vulnerabilities allowing arbitrary code execution.
How it Works
The vulnerability was submitted to Microsoft as part of the McAfee Labs Advanced Threat Research team’s responsible disclosure policy, on April 23.
Describing it in a detailed blog, Cochin said of his findings: “This will come as a surprise and lies at the core of all the issues we found, but simply typing while Cortana starts to listen to a query on a locked device will bring up a Windows contextual menu”.
Any user can type text into this menu, which searches the computer’s application index and its filesystem. By typing certain words, like “pas” (as in password), this search can bring up files containing this string in their file paths or inside the file itself.
Hovering the mouse over one of these search results can reveal the file’s location on disk, or the content of the file itself (big issue if the disclosed detail is a password).
Reaction from the Cybersecurity Community
Lane Thames, a senior security researcher at Tripwire, said in an emailed statement: “Let’s turn this around and ask: Was CVE-2018-8140 a ‘real’ vulnerability or was it just a design flaw? Should Cortana be listening when the screen/system is locked? Should it be listening if you put the computer to sleep? You’ll get different responses from different people who have different use cases.”
“For example, we could conceive of a scenario where we use ‘voice printing’ to authenticate a user who might be blind that needs Cortana to do something for him or her regardless of the system being locked or not. These are design details that are hard to solve universally. In this case, Cortana was doing things when the system was locked that it probably shouldn’t have been doing and Microsoft viewed it seriously enough to be a true vulnerability and not a simple design flaw.”
Scope for Dolphin Attacks?
Larry Trowell, associate principal consultant at Synopsys, added: “While a fix for the vulnerability has been issued, there are still other areas in which these assistants can be used to carry out an attack.”
He added: “For example, I see no reason why the dolphin attacks (that came to light last year) triggering cell phone smart assistants to call numbers and launch apps couldn’t be modified to attack a distracted user. The software is neat, interesting, and fun to use. It also opens up a lot of areas that possibly haven’t been thought through properly.”
Clearly, meanwhile, if a malicious and skillful hacker is hanging about in your office or home having a chat with your computers’ voice assistant, then things are already pretty bad, but downloading Tuesday’s patches may be judicious.