Two independent Israeli researchers have found a loophole with Microsoft’s digital assistant- Cortana. The assistant can be used by anyone with malicious intent to bypass a locked PC.
Microsoft’s digital assistant, Cortana is deeply integrated within Windows 10. So much so that the company added it to the OOBE (Out of Box Experience) set up last year. A user may also use the assistant when the system is locked- a feature introduced in 2015. Two independent researchers from Israel found out a major loophole that may be manipulated by hackers with that functionality.
The flaw, which Microsoft has since fixed, allowed attackers to bypass the password-locked Windows system with the help of Cortana. Tal Be’ery and Amichai Shulman were able to separately prove that an attacker with a USB stick and physical access to the device might do some serious damage without the owner’s knowledge.
Shulman told Motherboard:
Since Windows 10 allows a device to connect to a different network while it is still locked, an attacker may connect his USB with a network adapter and command the assistant to open an unencrypted website (web address not containing https). Once Cortana opens the website (while the system is still locked), the attacker’s malicious adapter will be able to intercept the session to send the device to a harmful/ malware-ridden website, instead- causing considerable damage to the PC.
Shulman conceded that the flaw would be much more «interesting» if it can be carried out remotely. The two created a proof-of-concept for this purpose called Newspeak or «Fake News» Cortana, which observes all the Cortana activity on every device on a network. For instance, if a user commands the assistant to open CNN.com, the hacker’s proxy intercepts that request and sends them to a malicious page instead.
Be’ery claimed that the main issue lies with newer interfaces that weren’t prone to security oversight:
Microsoft has since issued a fix to the problem. Now, a command to open an unencrypted website goes through Bing. However, the researchers remain skeptical. They will continue to look for any further flaws that may be exploited by the attackers. Another method that may mitigate similar attacks is to «train» the digital assistant to respond to only your voice in Cortana settings.
Source: Motherboard
