Hey Cortana, Help Me Hack this Laptop
The vulnerability, patched Tuesday by Microsoft, is the result of default settings that enable the "Hey Cortana" voice activation from the lock screen.
As Cedric Cochin, senior principal engineer at McAfee, puts it: "This led to some interesting behavior and ultimately vulnerabilities allowing arbitrary code execution."
The vulnerability was submitted to Microsoft on April 23 as part of the McAfee Labs Advanced Threat Research team's responsible disclosure policy.
Describing it in a detailed blog, Cochin said of his findings: "This will come as a surprise and lies at the core of all the issues we found, but simply typing while Cortana starts to listen to a query on a locked device will bring up a Windows contextual menu."
Any user can type text into this menu, which searches the computer's application index and its filesystem. By typing certain words, like "pas" (as in "password"), this search can bring up files containing this string in their file paths or inside the file itself.
Hovering the mouse over one of these search results can reveal the file's location on disk, or the content of the file itself (a big issue if the disclosed detail is a password).
Lane Thames, a senior security researcher at Tripwire, said in an emailed statement: "Let's turn this around and ask: Was CVE-2018-8140 a real vulnerability or was it just a design flaw? Should Cortana be listening when the screen/system is locked? Should it be listening if you put the computer to sleep? You will get different responses from different people who have different use cases.
"For example, we could conceive of a scenario where we use voice printing to authenticate a user who might be blind that needs Cortana to do something for him or her regardless of the system being locked or not. These are design details that are hard to solve universally. In this case, Cortana was doing things when the system was locked that it probably should not have been doing and Microsoft viewed it seriously enough to be a true vulnerability and not a simple design flaw."
Larry Trowell, associate principal consultant at Synopsys, added: "While a fix for the vulnerability has been issued, there are still other areas in which these assistants can be used to carry out an attack."
He added: "For example, I see no reason why the dolphin attacks (that came to light last year) triggering cell phone smart assistants to call numbers and launch apps could not be modified to attack a distracted user. The software is neat, interesting, and fun to use. It also opens up a lot of areas that possibly have not been thought through properly."
Clearly, if a malicious and skillful hacker is hanging about in your office or home having a chat with your computer's voice assistant, then things are already pretty bad, but downloading Tuesday's patches may be judicious.