“Hey Cortana, Help Me Hack this Laptop”

Simply typing while Cortana starts to listen to a query on a locked device will bring up a Windows contextual menu

By CBR Staff Writer

Microsoft’s smart assistant Cortana will helpfully let hackers change a password on locked computers, access data on the device and execute malicious code, a security researcher at cybersecurity company McAfee has revealed.

The vulnerability, patched Tuesday by Microsoft, is the result of default settings that enable the “Hey Cortana” voice activation from the lock screen.

As McAfee senior principal engineer Cedric Cochin puts it: “This led to some interesting behavior and ultimately vulnerabilities allowing arbitrary code execution.”

How it Works

The vulnerability was submitted to Microsoft as part of the McAfee Labs Advanced Threat Research team’s responsible disclosure policy, on April 23.

Describing it in a detailed blog, Cochin said of his findings: “This will come as a surprise and lies at the core of all the issues we found, but simply typing while Cortana starts to listen to a query on a locked device will bring up a Windows contextual menu”.

Any user can type text into this menu, which searches the computer’s application index and its filesystem. By typing certain words, like “pas” (as in password), this search can bring up files containing this string in their file paths or inside the file itself.

Hovering the mouse over one of these search results can reveal the file’s location on disk, or the content of the file itself (a serious problem if the disclosed content is a password).
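An added audit script, not from the article or from McAfee’s research, for checking whether a Windows machine still permits Cortana above the lock screen, the default setting the article identifies as the root of the issue. The registry value names (the “Allow Cortana above lock screen” policy value and the per-user voice-activation preference) are taken from Microsoft’s policy documentation and common hardening guides and should be treated as assumptions to verify against your build.

```powershell
# Added example: audit (and optionally enforce) the "Hey Cortana" above-lock setting.
# Assumption: value names as documented for the "Allow Cortana above lock screen" policy
# and the per-user Speech preference; verify on your Windows build before enforcing.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$PolicyValue = 'AllowCortanaAboveLock'
$UserKey     = 'HKCU:\Software\Microsoft\Speech_OneCore\Preferences'
$UserValue   = 'VoiceActivationEnableAboveLockscreen'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-CortanaAboveLockStatus {
    $policy = Get-RegistryDword -Path $PolicyKey -Name $PolicyValue
    $user   = Get-RegistryDword -Path $UserKey   -Name $UserValue

    # A machine policy of 0 overrides any per-user toggle. Without a policy the
    # user toggle decides; an absent toggle is reported as exposed, since the
    # article describes above-lock voice activation as on by default.
    if ($policy -eq 0) {
        $exposed = $false
    } elseif ($null -eq $user) {
        $exposed = $true
    } else {
        $exposed = ($user -ne 0)
    }

    [pscustomobject]@{
        PolicyAllowCortanaAboveLock    = $policy
        UserVoiceActivationAboveLock   = $user
        CortanaReachableFromLockScreen = $exposed
    }
}

function Disable-CortanaAboveLock {
    # Needs an elevated prompt; the machine policy prevents users re-enabling it.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value 0 -Type DWord
}

Get-CortanaAboveLockStatus | Format-List
```

Run the script as-is to report the current state; call Disable-CortanaAboveLock from an elevated prompt to apply the policy machine-wide.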


Reaction from the Cybersecurity Community

Lane Thames, a senior security researcher at Tripwire, said in an emailed statement: “Let’s turn this around and ask: Was CVE-2018-8140 a ‘real’ vulnerability or was it just a design flaw? Should Cortana be listening when the screen/system is locked? Should it be listening if you put the computer to sleep? You’ll get different responses from different people who have different use cases.”

“For example, we could conceive of a scenario where we use ‘voice printing’ to authenticate a user who might be blind that needs Cortana to do something for him or her regardless of the system being locked or not. These are design details that are hard to solve universally. In this case, Cortana was doing things when the system was locked that it probably shouldn’t have been doing and Microsoft viewed it seriously enough to be a true vulnerability and not a simple design flaw.”

Scope for Dolphin Attacks?

Larry Trowell, associate principal consultant at Synopsys, added: “While a fix for the vulnerability has been issued, there are still other areas in which these assistants can be used to carry out an attack.”

He added: “For example, I see no reason why the dolphin attacks (that came to light last year) triggering cell phone smart assistants to call numbers and launch apps couldn’t be modified to attack a distracted user. The software is neat, interesting, and fun to use. It also opens up a lot of areas that possibly haven’t been thought through properly.”

Clearly, meanwhile, if a malicious and skillful hacker is hanging about in your office or home having a chat with your computer’s voice assistant, then things are already pretty bad, but applying Tuesday’s patches may be judicious.
