At least five of the security flaws of Microsoft's Cortana personal assistant software were discovered, Israeli security researchers announced at the Black Hat Security Conference on August 8. Only three of these flaws have been fixed, but Microsoft is trying to fix other flaws.
I showed how to use a Cortana voice command to run installed software, navigate a malicious Web site, open malicious Word documents, and read confidential files. To make matters worse, Microsoft allows third parties to add new "skills" to Cortana in the form of plugins to Cortana's cloud services.
Leich's researcher, Amichai Shulman, says, "What goes wrong? This is very useful unless you go to Cortana's settings and use it on the lock screen.
"Cortana is not the only voice interface of my laptop," Shulman explains. "This is a really intentional solution system, converting human intent to computer behavior"
Cortana actually has multiple entries. Of course, there are voice, mouse movement and click, keyboard movement, touch screen action. The key to these attacks is that if you call Cortana with a voice command, other input methods are unlocked even if the lock screen is on.
Keyboard attack by Cortana
If Cortana is in active mode, users or users who have access to the locked computer at that time can use the keyboard to enter items into the computer. All you have to do is say "Hello Cortana". Researchers called this "open sesame" attack.
Researchers used the Cortana keyboard to navigate the Windows file system and found the chiptune version of the Imperial Death March theme after the user showed a demonstration video calling Cortana. "Star Wars".
Ron Marcovich, a student in software engineering at Technion Israel Institute of Technology and colleagues Yuval Ron said, "In this case it was a song, but I want to do something with malware.
Another demonstration showed that users using Cortana are running commands with Windows PowerShell, one of the most powerful management utilities from the lock screen.
You can not actually open files from the lock screen using Cortana, but you can preview them. Cortana will display not only the thumbnails of the photos on the file system but also a text file (showing the password of the first three lines in a text file named "Words passwords" as a separate demo).
You may think that it is not a problem as an attacker needs to access the machine. There are, however, many scenarios that the user of the machine incorrectly believes that the machine is locked off the screen and the machine is safe. The most well-known scenario is the classic 'devil maid' attack by hotel staff.
"By abusing open sesame, e-mail made strikers have complete control over locked machines," Be Eelye says. "Although attackers have limited physical access within a limited time, they are also agents of evil offices, bad colleagues, and bad border control agents.
Fixes were explained very to make Cortana behave differently when the screen is locked. Microsoft rejected this issue in the June of 2020 Monthly Update series. However, after that, researchers found keyboard-based lock screen bypass based on Cortana.
Cortana's voice attack
However, Cortana does not have to enter something to betray the security of the computer. You can infect your computer with malware just by moving the web browser to a malicious web site using voice commands. Once again, the lock screen may remain locked and the computer user may not be nearby. Researchers called the attack "Esau's voice".
In the demonstration of the video, the user says "Hello, Cortana, go to BBC.com". Researchers violated the local network and the lock screen was enabled The default browser loaded malicious software on the machine browsing the fake BBC website.
For this attack to be effective, an attacker does not have to compromise the local network. He could simply ask Cortana to navigate web pages that attackers knew malicious. If the page is sufficiently new, it may not be added to the known malicious URL list that the latest browser uses to block dangerous sites.
Microsoft fixed this attack by asking Cortana to search the Web site called by voice command with Bort and display a list of links instead of going directly to the site. In this way, fake websites and malicious websites are more easily deleted.
However, as with the Open Sesame attack, at least one variant of the Esau voice attack is reported to Microsoft working on the patch.
Malicious Cortana Plugin
These fixes will not be applied if Cortana can run malicious code even if the computer's screen is locked. Cortana's cloud service also accepts "skills" from third parties, ie plugins and scripts, where all Cortana actions are done.
"There is a way to invoke the browser process on the client machine and navigate to the URL chosen in the third party jurisdiction," says Shulman. "This URL may provide a browser vulnerability to support machines.
In fact, he added that browser abuse is also not necessary, he added.
"You can call Microsoft Office applications using special URLs," Shulman says. "I created a URL to open a Word document and sent a malicious Word exploit."
Shulman played a demo clip where Word documents are displayed on the screen when the user enters the correct password and unlocks the screen lock.
"We were almost completely attacked," Challman said. "Because the user must obtain consent, I say" almost ".
However, it turned out that you can agree from the locked screen. "You can log in to Gmail from a locked screen, Cortana says," Can you get your permission? You will say, "Of course!" And the attack ended. "
This defect has also been recently fixed by Microsoft, so you can not call third party skills from the locked screen.
How to bring Cortana online
By default, Cortana is enabled and will listen to Windows 10 commands even if the lock screen is enabled. Fortunately, disabling is easy. When you type something into the search bar at the bottom left of the Windows 10 screen, the Cortana window will be displayed. Next, click the gear icon to access the Cortana setting and disable "Use Cortana even if the device is locked".
"We must understand that the lock screen is not magical," Beery said. "This is another workstation with very limited access.If Microsoft adds more functions to the lock screen, attack surface increases and security decreases.
I hope you like the news Here’s How Cortana Helps The Bad Guys To Hack Your PC. Stay Tuned For More Updates!