Windows 10 flaw allowed attackers to open malicious websites… even if your PC was locked

You may think your Windows 10 computer is locked, but is it really?

Israeli researchers Tal Be’ery and Amichai Shulman have discovered a way of just using voice commands to make locked Windows 10 computers visit a website under the control of malicious hackers… and potentially install malware.

The problem lies in Cortana, the voice assistant that Microsoft built into Windows 10. As Apple, for instance, has learnt to its cost on numerous occasions with Siri, unless properly controlled voice assistants can be a potential weakness on modern devices, opening opportunities for unauthorised users to perform functions from the lock screen.

As the researchers tell it, a malicious hacker could sit at a locked Windows 10 PC and plug in a USB network adapter. With that in place, the hacker simply gives a verbal command to Cortana to open the web browser and head to an unencrypted HTTP webpage.

The adapter plugged into the USB port intercepts the request and redirects the browser to a malicious webpage instead.

A YouTube video demonstrates the exploit in action:

As Motherboard explains, with one computer infected in an organisation there exists the possibility for an attacker to spread laterally to other computers on the same network, stealing information surreptitiously.

Why does Cortana continue to listen for commands when a Windows 10 PC is locked? Well, your guess is as good as mine – but this is clearly a potential problem, especially when you consider that many users will not have bothered to train their PC to only obey a single user’s voice.

For that reason, I recommend users disable voice commands entirely when the PC is locked. You want to talk to your computer? Take a few seconds to unlock it first.
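One way to apply that recommendation across managed Windows 10 machines, as an added example that is not part of the original post: a PowerShell script that audits and, if needed, sets the Group Policy registry value behind "Allow Cortana above lock screen". The key path and value name are assumed from the policy's documented location; verify them against your own policy templates before deploying.

```powershell
# Added example (not from the original post): audit, and optionally enforce,
# the "Allow Cortana above lock screen" policy on a Windows 10 machine.
# Assumption: the policy lives at the registry path and value name below
# (Computer Configuration > Administrative Templates > Windows Components >
# Search > "Allow Cortana above lock screen"). Confirm before deploying.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$ValueName = 'AllowCortanaAboveLock'

function Get-CortanaAboveLockState {
    # Returns 'Blocked', 'Allowed' or 'NotConfigured'.
    # An unset policy means the Windows default applies, i.e. Cortana is usable on the lock screen.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 0) { return 'Blocked' } else { return 'Allowed' }
}

function Disable-CortanaAboveLock {
    # Writes the policy value 0 (= not allowed). Needs an elevated (Administrator) session.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

# Audit first; only change the machine when Cortana is still reachable from the lock screen.
$before = Get-CortanaAboveLockState
Write-Output "Cortana above lock screen: $before"
if ($before -ne 'Blocked') {
    Disable-CortanaAboveLock
    Write-Output "Cortana above lock screen: $(Get-CortanaAboveLockState)"
}
```

The new setting takes effect once policy is refreshed (for example after a sign-out or a reboot). It removes the lock-screen voice path only; it does nothing about the broader physical-access risks the post goes on to describe.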

The truth is that when someone has physical access to your computer, even if you have logged off or locked it, it may only take them a minute or so to install malicious code. Even if you have logged off and turned off the power, there’s still the potential for a criminal to go into your BIOS and tell the computer to temporarily boot up from a USB stick containing malware.

When you come back five minutes later you really have no clue what’s been happening in your absence.

The vulnerability was responsibly disclosed to Microsoft, which has already patched the described attack by sending browser-based commands directly to the Bing search engine instead.

However, as there remains the potential for Cortana to execute other commands that could perhaps be hijacked by an attacker, I find myself asking once again whether voice assistants are really that useful for the majority of us. Do the benefits of a voice assistant outweigh the risks?

All I can tell you is that, on my technology devices, I disable voice assistants wherever possible. Sometimes “progress” comes at a price – you may be wise to weigh up just how much “progress” you’re making before you pay dearly.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Graham Cluley. Read the original post at: https://hotforsecurity.bitdefender.com/blog/windows-10-flaw-allowed-attackers-to-open-malicious-websites-even-if-your-pc-was-locked-19665.html
