These days Cortana seems to be the perfect AI assistant, but according to the discoveries of Israeli information security researchers Tal Be’ery and Amichai Shulman, Cortana is far from perfect: it offers hackers an easy gateway into a Windows 10 PC even when it is locked.
Cortana has been developed so that, if enabled, it listens and responds to voice commands at all times, even when the computer is locked, and the software also allows direct browsing to websites. The researchers claim that an attacker can hack a computer by issuing voice commands and forcing it to visit a non-HTTPS website.
According to the experts, the attack requires a USB network adapter. When it is attached to the victim’s PC, traffic to the PC is intercepted and redirected to a malicious website that the attacker has loaded with malware. Using a mouse, an attacker can connect the targeted PC to any Wi-Fi network. The attack method relies on physical access to the target machine, which is the only obstacle for attackers. However, physical access is needed only to compromise the first computer, not to amplify the attack.
“So this attack is not only limited to the physical access scenario but also can be used by attackers to expand their access and jump from one computer to another,” Tal Be’ery told Motherboard.
The information security professionals explain: “When a computer is infected, it can be forced to communicate with other computers available on the local network and spread the infection using a technique called ARP Poisoning. This method allows an infected PC to trick the machines on the local wireless network to route their incoming traffic via the attacker’s network”.
Shulman noted that “even when a machine is locked, you can choose the network to which that machine is attached. It’s interesting if it’s to abuse a locked computer but… It’s more interesting if it can be done remotely.”
Microsoft was informed about this issue and the company took immediate measures by passing Cortana’s internet requests via Bing, but the software still responds to requests when the PC is locked. To ensure that your computer stays protected, you need to disable Cortana on the Windows 10 lock screen.
Tal Be’ery said that the issue is caused by the developers’ penchant for introducing new interfaces into computers without properly assessing their security implications.
Until the vulnerability is fixed, information security specialists suggest that users configure their computers to password-lock after a specific duration of inactivity, which would prevent someone from infecting the computer by gaining physical access.