Cortana vulnerability allows hackers to bypass Windows 10 passwords to install malware

Researches show that voice assist is a security risk

Cortana

Security researchers have discovered a flaw with Microsoft's Cortana voice assistant that could enable hackers to bypass the login screen in Windows 10 and infect a system with malware.

The Israeli researchers, Tal Be'ery and Amichai Shulman, found the vulnerability after finding out that Cortana is always on and responds to voice commands, even when a machine is locked.

According to reports by Motherboard, a hacker could plug in a USB stick with a network adapter into the computer, then tell Cortana to launch the computer's browser and go to an unencrypted URL (non-HTTP). This adaptor the intercepts this session to send the browser to a malicious website, downloading malware and infecting the system.

"We start with proximity because it gives us the initial foothold in [a] network. We can attach the computer to a network we control, and we use voice to force the locked machine into interacting in an insecure manner with our network," Shulman told the publication.

Hackers could also connect a targeted computer to a Wi-Fi network they control by simply clicking on a selected network with a mouse, even when the computer is locked.

"One of the things we saw was that even when a machine is locked, you can choose the network to which that machine is attached," said Shulman.

"We still have this bad habit of introducing new interfaces into machines without fully analyzing the security implications of it," said Be'ery. "Every new machine interface that we introduce creates new types of vehicles to carry an attack vector into your computer."

The researchers will present the findings in a presentation at the Kaspersky Analyst Security Summit in Cancun this week.

Featured Resources

Shaping the workplaces of the future

Rise to the challenge

Download now

Enabling a hybrid future

A guide to setting up new working practices

Download now

Seven steps to successful digital innovation and transformation

What to invest in and what to avoid when pursuing digital transformation

Watch now

Defend your organisation from evolving ransomware attacks

Learn what it takes to reduce risk and strengthen operational resiliency

Download now

Recommended

FBI still frowns on ransomware payments
ransomware

FBI still frowns on ransomware payments

11 Jun 2021
AttackIQ teams with VMware to offer expert advice on network security
Security

AttackIQ teams with VMware to offer expert advice on network security

11 Jun 2021
CD Projekt acknowledges stolen data is being circulated online
ransomware

CD Projekt acknowledges stolen data is being circulated online

11 Jun 2021
JBS pays $11 million ransom following cyber attack
ransomware

JBS pays $11 million ransom following cyber attack

10 Jun 2021

Most Popular

Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
GitHub to prohibit code that’s used in active attacks
cyber security

GitHub to prohibit code that’s used in active attacks

7 Jun 2021
WWDC 2021: Apple unveils iOS 15, macOS Monterey and more
iOS

WWDC 2021: Apple unveils iOS 15, macOS Monterey and more

8 Jun 2021