You may think your Windows 10 computer is locked, but is it really?
Israeli researchers Tal Be’ery and Amichai Shulman have discovered a way of just using voice commands to make locked Windows 10 computers visit a website under the control of malicious hackers… and potentially install malware.
The problem lies in Cortana, the voice assistant that Microsoft built into Windows 10. As Apple, for instance, has learnt to its cost on numerous occasions with Siri, unless properly controlled voice assistants can be a potential weakness on modern devices, opening opportunities for unauthorised users to perform functions from the lock screen.
As the researchers tell it, a malicious hacker could sit at a locked Windows 10 PC and insert a USB network adaptor. With that in place, a hacker can simply give a verbal command to Cortana to open the web browser and head to an unencrypted HTTP webpage.
The network adapter plugged into the USB port intercepts the request and redirects the browser to a malicious webpage instead.
A YouTube video demonstrates the exploit in action.
As Motherboard explains, with one computer infected in an organisation there exists the possibility for an attacker to spread laterally to other computers on the same network, stealing information surreptitiously.
Why does Cortana continue to listen for commands when a Windows 10 PC is locked? Well, your guess is as good as mine – but this is clearly a potential problem, especially when you consider that many will not have bothered to train their PC to only obey a single user’s voice.
For that reason, I recommend users disable voice commands entirely when the PC is locked. You want to talk to your computer? Take a few seconds to unlock it first.
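One way to act on that recommendation across a fleet is to audit and enforce the "above lock" setting from PowerShell. This is an added example, not code from the original post; it assumes the two registry values below are the ones Windows 10 uses for the per-user Cortana toggle and the corresponding Group Policy, so check them against your build before deploying, and run it as Administrator for the HKLM part.

```powershell
# Added example (not from the original post): audit and disable Cortana voice
# activation above the lock screen on Windows 10.
# Assumption: these two registry values are the per-user preference and the
# machine-wide policy that control "listen while locked". Verify before rollout.

$Settings = @(
    @{ Path    = 'HKCU:\Software\Microsoft\Speech_OneCore\Preferences'
       Name    = 'VoiceActivationEnableAboveLockscreen'   # per-user Cortana toggle
       Desired = 0 },
    @{ Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Name    = 'AllowCortanaAboveLock'                  # Group Policy "Allow Cortana above lock screen"
       Desired = 0 }
)

function Get-AboveLockState {
    # Report each value's current state and whether it matches the desired one.
    foreach ($s in $Settings) {
        $current = $null
        if (Test-Path $s.Path) {
            $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        [pscustomobject]@{
            Setting   = $s.Name
            Current   = if ($null -eq $current) { 'not set (Windows default applies)' } else { $current }
            Compliant = ($current -eq $s.Desired)
        }
    }
}

function Disable-CortanaAboveLock {
    # Create the key if missing, then force the value to 0 (disabled).
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Desired -Type DWord
    }
}

Write-Host 'Before:'; Get-AboveLockState | Format-Table -AutoSize
Disable-CortanaAboveLock
Write-Host 'After:';  Get-AboveLockState | Format-Table -AutoSize
```

The "Before" table doubles as a quick compliance check: a value reported as not set means the Windows default, which on affected builds leaves Cortana listening on the lock screen.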
The truth is that when someone has physical access to your computer, even if you have locked it, it may only take them a minute or so to install malicious code. Even if you have logged off and turned off the power, there’s still the potential for a criminal to go into your BIOS and tell the computer to temporarily boot up from a USB stick containing malware.
When you come back five minutes later you really have no clue what’s been happening in your absence.
The vulnerability was responsibly disclosed to Microsoft, which has already patched the described attack by routing browser-based voice commands directly to the Bing search engine instead of opening arbitrary URLs.
However, as there remains the potential for Cortana to execute other commands that could perhaps be hijacked by an attacker, I find myself asking once again whether voice assistants are really that useful for the majority of us. Do the benefits of a voice assistant outweigh the risks?
All I can tell you is that, on my technology devices, I disable voice assistants wherever possible. Sometimes “progress” comes at a price – you may be wise to weigh up just how much “progress” you’re making before you pay dearly.
*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Graham Cluley. Read the original post at: https://hotforsecurity.bitdefender.com/blog/windows-10-flaw-allowed-attackers-to-open-malicious-websites-even-if-your-pc-was-locked-19665.html