The McAfee Labs Advanced Threat Research team found a vulnerability in Windows 10 and the Cortana voice assistant. This opens a new can of worms about the security of voice assistant technology.
Before you panic and go mum on Cortana, Microsoft has a fix. It is in the 12 June Patch Tuesday update – just install it. If you cannot, turn the Cortana voice assistant off on the lock screen.
But McAfee’s findings reflect deeper issues.
First, AI and machine learning are being used by both the good and bad guys. Vulnerability discoveries in all operating systems, including those on IoT devices, are on the up. Fortunately, patch times are getting shorter.
Second, voice assistants are a new security hole to be exploited.
McAfee found Cortana voice assistant vulnerabilities months ago
Siri, Alexa, Google Assistant, and Cortana voice assistants have become commodities in many tech-savvy homes. They can do anything from telling jokes to helping with the grocery list or turning on lights. These vaguely human voices are beginning to feel much more personal. It is all part of the grand plan to expand their roles in our daily lives.
You need to be aware of the increased risk of built-in voice assistants. McAfee says they can be new attack vectors for laptops, tablets, and smartphones.
Using “Hey Cortana!” to Retrieve Confidential Information
In Windows 10 (recent builds) the default settings enable “Hey Cortana” from the lock screen. This allows anyone to interact with the voice-based assistant before the device is unlocked.
Basically, asking “Hey Cortana, PAS” or typing ‘PAS’ (but not ‘pass’ or ‘password’) in the dialogue box revealed Passwords.txt and other password-related files.
This allows an expert to surmise specific keywords that could start to harvest confidential information from the device.
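For administrators who want to check whether Cortana is reachable from the lock screen, here is an added example (not from the article, McAfee or Microsoft) that audits the setting and can enforce the block. The registry paths and value names are assumptions not given on this page: the machine policy behind "Allow Cortana above lock screen" and the per-user Settings toggle; the function name is hypothetical.

```powershell
# Added example: audit (and optionally enforce) "Cortana above lock screen".
# Run the audit as the logged-on user; -Enforce needs an elevated prompt.
function Get-CortanaLockScreenState {
    [CmdletBinding()]
    param([switch]$Enforce)

    # Machine-wide Group Policy "Allow Cortana above lock screen" (0 = blocked).
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
    $policyName = 'AllowCortanaAboveLock'
    # Per-user toggle "Use Cortana even when my device is locked"
    # (value name is an assumption; verify it on your build).
    $userKey  = 'HKCU:\Software\Microsoft\Speech_OneCore\Preferences'
    $userName = 'VoiceActivationEnableAboveLockscreen'

    if ($Enforce) {
        # Create the policy key if missing, then write the blocking value.
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name $policyName -Value 0 -Type DWord
    }

    # Missing keys or values come back as $null rather than raising an error.
    $policy = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName
    $user   = (Get-ItemProperty -Path $userKey -Name $userName -ErrorAction SilentlyContinue).$userName

    # Policy wins when set; otherwise the per-user toggle applies.
    # With nothing configured, treat the default as enabled, as the article states.
    if ($null -ne $policy)   { $exposed = $policy -ne 0 }
    elseif ($null -ne $user) { $exposed = $user -ne 0 }
    else                     { $exposed = $true }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PolicyValue      = $policy
        UserPreference   = $user
        CortanaAboveLock = if ($exposed) { 'Reachable' } else { 'Blocked' }
    }
}

Get-CortanaLockScreenState              # audit only
# Get-CortanaLockScreenState -Enforce   # write the policy, then report
```

A result of `Reachable` on a machine that has not yet received the June update is the case the article's advice applies to.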
Code Execution from the Windows Lock Screen
McAfee found three ways for an unauthenticated attacker to get results to show up in the index of an authenticated user.
Logging into a Locked Device with no User Interaction
The simplicity and effectiveness of what comes next is amazing.
- Trigger Cortana via “Tap and Say” or “Hey Cortana”
- Ask a question (this is more reliable) such as “What time is it?”
- Press the spacebar, and the context menu appears
What comes next is a password reset and log in on a Windows 10 build, using only this simple technique.
GadgetGuy’s take – any publicity about voice assistant security is good publicity
This is not Microsoft bashing – Linux lovers do that well enough. It shows how voice assistants are a new frontier and how pioneers often die with arrows in their backs.