Vulnerability in Cortana would allow taking control of devices with Windows 10


Cortana can be activated from the lock screen to run arbitrary commands

Enterprise network security researchers noticed some security issues regarding Cortana, the Microsoft voice assistant. Last Wednesday they described a vulnerability known as “Open Sesame” that would allow a hacker to bypass the Windows 10 lock screen by exploiting the voice assistant, triggering a series of dangerous functions.

“Adding functionality to a locked screen may be inconvenient; no one has ever stopped to think: Can my computer be hacked via voice commands?” said the enterprise network security specialists who detailed the “Open Sesame” vulnerability.

Thanks to Cortana’s universal access methods, specifically the default Microsoft Windows 10 support for its voice assistant, researchers were able to run local commands through a locked Windows 10 screen and perform other insecure actions as well.

The reason behind the Open Sesame vulnerability (tracked as CVE-2018-8140) is the fact that the lock screen on Windows 10 devices restricts the keyboard, but allows anyone to activate Cortana through a voice command. Then, once Cortana is activated, the lock screen no longer restricts its capabilities.

Once a hacker exploits the vulnerability, he/she could access the content of confidential files, navigate to arbitrary websites, download arbitrary executables from the Internet and, in some circumstances, gain privileges over the system, according to the enterprise network security experts. In addition, exploiting this flaw does not require any external code, which makes defenses such as antivirus useless against the attack.

Part of the problem behind the attack is the fact that the user interface on the Windows 10 lock screen now has an application function to activate the voice assistant without the need to unlock the computer. In the past, the operating system made sure that the user interface was not accessible when the computer was locked, and therefore the developers did not need to think about it: “Now that this function was added, it is developers’ responsibility to solve the problem”, the specialists say.

Experts also suggest disabling the voice assistant, at least on the lock screen.
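
One way to check and apply that recommendation on a single machine, as an added example that is not from the researchers or from Microsoft. It assumes the machine-wide policy value AllowCortanaAboveLock (the registry value behind the "Allow Cortana above lock screen" Group Policy setting); the function names Get-CortanaLockScreenState and Disable-CortanaAboveLock are hypothetical helpers defined here.

```powershell
# Added example: audit and enforce "Allow Cortana above lock screen" = disabled.
# Assumption: policy value AllowCortanaAboveLock (DWORD) under the Windows Search
# policy key; 0 means Cortana cannot be invoked while the device is locked.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$PolicyName = 'AllowCortanaAboveLock'

function Get-CortanaLockScreenState {
    # Returns 'Blocked', 'Allowed' or 'NotConfigured' (key or value missing).
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item)         { return 'NotConfigured' }
    if ($item.$PolicyName -eq 0) { return 'Blocked' }
    return 'Allowed'
}

function Disable-CortanaAboveLock {
    # Writing under HKLM requires an elevated session; create the key if absent.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

$state = Get-CortanaLockScreenState
Write-Output "Cortana above lock screen: $state"

if ($state -ne 'Blocked') {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($isAdmin) {
        Disable-CortanaAboveLock
        Write-Output "Policy applied, state is now: $(Get-CortanaLockScreenState)"
    } else {
        Write-Warning 'Not elevated: re-run as administrator to set the policy.'
    }
}
```

A result of NotConfigured means no machine policy is in force, so the lock-screen behaviour is left to the signed-in user's own Cortana setting.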

According to enterprise network security experts from the International Institute of Cyber Security, the vulnerability was reported to Microsoft on April 18, although the company did not release the security patches until June 18.