Microsoft's digital assistant, Cortana, is deeply integrated within Windows 10, so much so that the company added it to the OOBE (Out of Box Experience) setup last year. A user may also use the assistant while the system is locked, a feature introduced in 2015. Two independent researchers from Israel found a major loophole in that functionality that attackers can exploit.
The flaw, which Microsoft has since fixed, allowed attackers to bypass the password lock on a Windows system with the help of Cortana. Tal Be'ery and Amichai Shulman were able to separately prove that an attacker with a USB stick and physical access to the device could do serious damage without the owner's knowledge.
Shulman told Motherboard:
"We start with proximity because it gives us the initial foothold in [a] network. We can attach the computer to a network we control, and we use voice to force the locked machine into interacting in an insecure manner with our network."
Since Windows 10 allows a device to connect to a different network while it is still locked, an attacker may plug in a USB network adapter and command the assistant to open an unencrypted website (a web address that does not begin with https). Once Cortana opens the website (while the system is still locked), the attacker's malicious adapter sits in the path of that plaintext HTTP session and can intercept it to send the device to a harmful, malware-ridden website instead, causing considerable damage to the PC.
Shulman conceded that the flaw would be much more "interesting" if it could be carried out remotely. The two created a proof-of-concept for this purpose called Newspeak, or "Fake News" Cortana, which observes all Cortana activity on every device on a network. For instance, if a user commands the assistant to open CNN.com, the attacker's proxy intercepts that request and sends the user to a malicious page instead.
Be'ery claimed that the main issue lies with newer interfaces that have not been subjected to proper security review:
"We still have this bad habit of introducing new interfaces into machines without fully analyzing the security implications of it. Every new machine interface that we introduce creates new types of vehicles to carry an attack vector into your computer."
Microsoft has since issued a fix for the problem: a command to open an unencrypted website is now routed through Bing. However, the researchers remain skeptical and will continue to look for further flaws that attackers may exploit. Another method that may mitigate similar attacks is to "train" the digital assistant to respond only to your voice in Cortana settings.