Windows 10 Can Be Hacked with Voice Commands Despite Password Protection

[tao]

Researchers find way to get around password locking

Independent Israeli security researchers Tal Be'ery and Amichai Shulman discovered that it’s possible for hackers to bypass the password lock in Windows 10 and to take advantage of the way Cortana is implemented in the operating system to compromise any device and deploy malware.

Digital assistant Cortana is now available from the Windows 10 lock screen as well even if the computer is locked, but the always-listening behavior opens the door to a series of vulnerabilities which the two researchers exploited to deploy malware.

In an analysis for Motherboard, the two experts explain that if physical access to the target system is available, hackers could connect a USB network adapter and then using voice commands they can have the digital assistant access non-HTTPS websites.

Using malicious code, the network interface can automatically intercept the traffic to non-secure servers and then point the computer to other hosts serving malware, in the end infecting the machine without even unlocking it.

And this isn’t the only door that Cortana leaves open on a Windows 10 computer. The researchers say that connecting a target system to a Wi-Fi network that they controlled was as easy as clicking a few options on the lock screen even if access to the system was protected by a password.

Attacks expanding to network level

The worst thing that can happen due to these vulnerabilities is hackers compromising the entire network the target system is connected to. This is possible with ARM spoofing, a more complex method that involves re-routing traffic from a compromised system to other machines in the network.

While the vulnerability can be first exploited only by having physical access to a certain system, a potential attack can then be expanded to the entire network by playing the same voice commands through the speakers of the compromised host.

“So this attack is not only limited to the physical access scenario but also can be used by attackers to expand their access and jump from one computer to another,” Be'ery was quoted as saying. “[It] very much could be like a Hollywood movie where everyone is asleep and no one is in the office and the computers come to life and are shouting at each other.”

Microsoft has already acknowledged the bug and partially addressed it by forcing browsing on a locked machine to be directed to Bing instead of a different page. Researchers, however, warn that other commands are still available and they’ll continue to look into alternative ways to bypass the password protection on Windows 10.

More information on this project will be shared by the two researchers at the Kaspersky Analyst Security Summit this week.

< Here >

 

[steven36]

Always i disable Cortana and block  it with a firewall   plus i block the whole voice processor thing with a firewall in windows 10 . Anything that has Internet access can be hacked if they can figure out  the backdoor in .

[WALLONN7]

Meanwhile in the headquarters of the safest operating system of all...

 

[steven36]

I been  plaining  to redo this pc  i got the Win 8.1 key out the  BIOS with Linux and just put Windows 8.1 back in for long time service and stability with Ubuntu  16.04  LTS.. I'm  so tired of  Windows 10  I cleaned installed over 3 months ago and  i may of used it 2 or 3 hours . I just stay in Linux,   Windows 10 just a bunch of bloatware full of stuff i don't use .

[KRS]

Microsoft's digital assistant, Cortana is deeply integrated within Windows 10. So much so that the company added it to the OOBE (Out of Box Experience) set up last year. A user may also use the assistant when the system is locked- a feature introduced in 2015. Two independent researchers from Israel found out a major loophole that may be manipulated by hackers with that functionality.

 

The flaw, which Microsoft has since fixed, allowed attackers to bypass the password-locked Windows system with the help of Cortana. Tal Be'ery and Amichai Shulman were able to separately prove that an attacker with a USB stick and physical access to the device might do some serious damage without the owner's knowledge.

Shulman told Motherboard:

"We start with proximity because it gives us the initial foothold in [a] network. We can attach the computer to a network we control, and we use voice to force the locked machine into interacting in an insecure manner with our network."

Since Windows 10 allows a device to connect to a different network while it is still locked, an attacker may connect his USB with a network adapter and command the assistant to open an unencrypted website (web address not containing https). Once Cortana opens the website (while the system is still locked), the attacker's malicious adapter will be able to intercept the session to send the device to a harmful/ malware-ridden website, instead- causing considerable damage to the PC.

Shulman conceded that the flaw would be much more "interesting" if it can be carried out remotely. The two created a proof-of-concept for this purpose called Newspeak or "Fake News" Cortana, which observes all the Cortana activity on every device on a network. For instance, if a user commands the assistant to open CNN.com, the hacker's proxy intercepts that request and sends them to a malicious page instead.

Be'ery claimed that the main issue lies with newer interfaces that weren't prone to security oversight:

"We still have this bad habit of introducing new interfaces into machines without fully analyzing the security implications of it. Every new machine interface that we introduce creates new types of vehicles to carry an attack vector into your computer."

Microsoft has since issued a fix to the problem. Now, a command to open an unencrypted website goes through Bing. However, the researchers remain skeptical. They will continue to look for any further flaws that may be exploited by the attackers. Another method that may mitigate similar attacks is to "train" the digital assistant to respond to only your voice in Cortana settings.

 

Source

[DKT27]

@KRS: Topics merged.