McAfee Labs’ Advanced Threat Research team has found a vulnerability in Windows 10’s Cortana voice assistant. It opens a new can of worms about the security of voice assistant technology.
Before you panic and go mum on Cortana, Microsoft has a fix. It is in the 12 June Patch Tuesday update – just install it. If you can’t, turn the Cortana voice assistant off on the lock screen.
But McAfee’s findings reflect deeper issues.
First, AI and machine learning are being used by both the good and the bad guys. Vulnerability discoveries across all operating systems, including IoT devices, are on the rise. Fortunately, patch times are getting shorter.
Second, voice assistants are a new attack surface waiting to be exploited.
McAfee found Cortana voice assistant vulnerabilities months ago
Siri, Alexa, Google Assistant, and Cortana voice assistants have become commodities in many tech-savvy homes. They can tell jokes, help with the grocery list or turn on the lights. These vaguely human voices are beginning to feel much more personal. All part of the grand plan to expand their roles in our daily lives.
You need to be aware of the increased risk of built-in voice assistants. McAfee says they can be new attack vectors for laptops, tablets, and smartphones.
Using “Hey Cortana!” to Retrieve Confidential Information
In Windows 10 (recent builds) the default settings enable “Hey Cortana” from the lock screen. This allows anyone to interact with the voice-based assistant before the device is unlocked.
Basically, saying “Hey Cortana, PAS” or typing ‘PAS’ (but not ‘pass’ or ‘password’) in the dialogue box revealed Passwords.txt and other password-related files on the still-locked device.
This lets an expert guess at other specific keywords that could start to harvest confidential information from the device.
Code Execution from the Windows Lock Screen
McAfee found three ways for an unauthenticated attacker to have results appear in the search index of an authenticated user.
Logging into a Locked Device with no User Interaction
The simplicity and effectiveness of what comes next is amazing.
- Trigger Cortana via “Tap and Say” or “Hey Cortana”
- Ask a question (this is more reliable) such as “What time is it?”
- Press the spacebar, and the context menu appears
From there, McAfee demonstrated a password reset and login on a Windows 10 build using only this simple technique.
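As an added defensive example (not the article’s own material and not McAfee’s code), the PowerShell below audits and applies the mitigation mentioned at the top of the piece: block Cortana above the lock screen by policy and check whether any update from the 12 June 2018 Patch Tuesday onwards has landed. The registry path and value name AllowCortanaAboveLock are my assumption, based on the “Allow Cortana above lock screen” Group Policy setting; the KB number is a placeholder because the article does not give one.

```powershell
# Added example, not from the GadgetGuy article or McAfee's research.
# Assumption: the "Allow Cortana above lock screen" policy is stored as the DWORD
# AllowCortanaAboveLock under the Windows Search policy key (0 = blocked).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$ValueName = 'AllowCortanaAboveLock'

function Get-CortanaAboveLockState {
    # Returns 'NotConfigured' (weak: default behaviour lets Cortana answer from the
    # lock screen), 'Allowed' (policy explicitly permits it) or 'Blocked' (hardened).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 0) { return 'Blocked' }
    return 'Allowed'
}

function Disable-CortanaAboveLock {
    # Hardened setting: requires an elevated (administrator) PowerShell session.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value 0 -PropertyType DWord -Force | Out-Null
}

function Test-PatchedSinceJune2018 {
    # Heuristic only: the article says the fix shipped in the 12 June 2018 Patch Tuesday
    # release. For an exact check, replace <KB-NUMBER> with the cumulative update id for
    # your build and test for it with: Get-HotFix -Id 'KB<KB-NUMBER>' -ErrorAction SilentlyContinue
    $cutoff = Get-Date -Year 2018 -Month 6 -Day 12
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and ($_.InstalledOn -ge $cutoff) }
    return (@($recent).Count -gt 0)
}

# Usage: audit first, warn if unpatched, then apply the hardened setting if needed.
"Cortana above lock (before): $(Get-CortanaAboveLockState)"
if (-not (Test-PatchedSinceJune2018)) {
    Write-Warning 'No updates installed on or after 12 June 2018; apply the June 2018 cumulative update.'
}
if ((Get-CortanaAboveLockState) -ne 'Blocked') {
    Disable-CortanaAboveLock
    "Cortana above lock (after):  $(Get-CortanaAboveLockState)"
}
```

The policy value takes precedence over the per-user “use Cortana even when my device is locked” toggle, so setting it once on a managed machine is the reliable way to remove the lock-screen attack surface while the patch is rolled out.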
GadgetGuy’s take – any publicity about voice assistant security is good publicity
This is not Microsoft bashing – Linux lovers do that well enough. It shows how voice assistants are a new frontier and how pioneers often die with arrows in their backs.
There is an understandable fear around smart speakers as these devices integrate (or is that ingratiate?) themselves into our lives. They have the potential to listen in on our every conversation.
We have already seen Alexa
- spying (now fixed)
- voice recordings forwarded to those in contacts (don’t know why)
- Echo laughing for no reason (not at you, with you)
- And proof that Echo is eminently hackable. An Alexa skill partner has developed a skill that turns Echo into an eavesdropping spy device – great for kids behind locked doors.
So far Google Assistant has no such quirks, but it, like Alexa et al., keeps a list of everything you ask OK Google. Yes, you can delete that.
Siri has a clean record too. Hey Cortana – you were busted.
Overall that is what happens when a new tech emerges. The code will have holes in it for some time – live with it.