Microsoft last week issued a patch to Windows 10 machines for a vulnerability that allowed hackers to use Cortana voice commands to sneak past the operating system’s lock screen protections. But just what could hackers have done, and what could they still do to unpatched machines?
In videos put together for Forbes, Israeli researchers from the Technion Israel Institute of Technology showed what was possible, whether it was executing a program or viewing a private document (such as a list of passwords) from behind the lock screen, proving just how problematic Microsoft’s Cortana can be.
The weakness was found separately by McAfee researchers and by Yuval Ron and Ron Marcovich, software engineering students at the Technion Israel Institute of Technology, as part of a project overseen by independent security researchers Amichai Shulman and Tal Be’ery.
Microsoft patched the weaknesses last Patch Tuesday. Users are advised to update as soon as they can.
The researchers found that when Cortana processes are triggered on a locked screen, Windows will also accept keyboard inputs. “When you invoke Cortana on a locked machine, you can basically type in any command you want on that machine,” Shulman told Forbes. “That gives you a whole [range] of capabilities that can expose sensitive information on the computer, but mainly what we’re able to create is a proof of concept that just goes to the internet, downloads code and executes on a locked machine.” From there, hackers could install whatever they wanted.
“It’s as stupid and easy as it sounds,” Shulman added.
The main barrier to entry is the need to have physical access to a Windows PC. But the researchers are now exploring ways in which to exploit Windows 10 via Cortana from afar. “There’s a way, a quite trivial way, to trigger voice activated commands from afar… but you also need access to the keyboard. Using remote desktop protocol, you could do that,” Be’ery said.
Whilst it was possible to have a nearby computer trigger Cortana from a distance, the researchers weren’t able to trigger the just-patched vulnerability for unknown reasons, he added. “We suspect there’s a way to do it and we’ll continue to search.”
Ultimately, Be’ery added, Microsoft could consider limiting Cortana access from the lock screen. “Microsoft is creating a bigger attack surface by adding functionality to Cortana.”