Cortana vulnerability allows hackers to bypass Windows 10 passwords to install malware

Researchers show that voice assist is a security risk

Security researchers have discovered a flaw with Microsoft's Cortana voice assistant that could enable hackers to bypass the login screen in Windows 10 and infect a system with malware.

The Israeli researchers, Tal Be'ery and Amichai Shulman, found the vulnerability after discovering that Cortana is always on and responds to voice commands, even when a machine is locked.

According to reports by Motherboard, a hacker could plug a USB stick with a network adapter into the computer, then tell Cortana to launch the computer's browser and go to an unencrypted URL (non-HTTPS). The adapter then intercepts this session to send the browser to a malicious website, downloading malware and infecting the system.

"We start with proximity because it gives us the initial foothold in [a] network. We can attach the computer to a network we control, and we use voice to force the locked machine into interacting in an insecure manner with our network," Shulman told the publication.

Hackers could also connect a targeted computer to a Wi-Fi network they control by simply clicking on a selected network with a mouse, even when the computer is locked.

"One of the things we saw was that even when a machine is locked, you can choose the network to which that machine is attached," said Shulman.

"We still have this bad habit of introducing new interfaces into machines without fully analyzing the security implications of it," said Be'ery. "Every new machine interface that we introduce creates new types of vehicles to carry an attack vector into your computer."

The researchers will present their findings at the Kaspersky Analyst Security Summit in Cancun this week.
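
For administrators who want to check their exposure to the two lock-screen behaviours described above (Cortana answering voice commands and the network picker being usable while locked), the following PowerShell audit is an added example, not code from the researchers or from Microsoft. It assumes the two Group Policy registry values `AllowCortanaAboveLock` and `DontDisplayNetworkSelectionUI` are the controls of interest, and it treats an unconfigured value as not hardened because the operating system default or the user's own setting then applies.

```powershell
# Added example: audit two Group Policy registry values that govern what a
# locked Windows 10 machine exposes. Read-only; run in an elevated or normal shell.

$checks = @(
    [pscustomobject]@{
        Name     = 'Cortana above lock screen'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
        Value    = 'AllowCortanaAboveLock'
        Hardened = 0   # 0 = Cortana does not respond while the device is locked
    },
    [pscustomobject]@{
        Name     = 'Network selection UI on sign-in screen'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
        Value    = 'DontDisplayNetworkSelectionUI'
        Hardened = 1   # 1 = network picker hidden before sign-in
    }
)

function Test-LockScreenPolicy {
    param([Parameter(Mandatory)] $Check)

    # A missing key or value means the policy is not configured.
    $current = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    if ($null -ne $item) { $current = $item.($Check.Value) }

    [pscustomobject]@{
        Setting  = $Check.Name
        Current  = if ($null -eq $current) { 'not configured' } else { $current }
        Expected = $Check.Hardened
        Hardened = ($null -ne $current -and $current -eq $Check.Hardened)
    }
}

$results = $checks | ForEach-Object { Test-LockScreenPolicy -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit code lets a compliance job flag the machine.
if ($results.Hardened -contains $false) { exit 1 }
```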
