The Microsoft Windows intelligent digital assistant, Cortana, looked pretty dumb this week after revelations that it enabled the execution of arbitrary commands with elevated privileges on a locked machine.
Users who hadn't disabled Cortana assistance at the lock screen were at risk from any knowledgeable attacker with physical access to the machine. CVE-2018-8140, the Cortana Elevation of Privilege Vulnerability Security Vulnerability, has been fixed in the latest Microsoft security update by ensuring Cortana considers status when retrieving information from input services.
Researchers at McAfee who disclosed the vulnerability to Microsoft, discovered that simply typing while Cortana starts to listen to a voice query on a locked device brings up a Windows contextual menu. "We now have a contextual menu, displayed on a locked Windows 10 device" the researchers reveal in the technical tear down "what could go wrong?" Quite a lot, actually.
The results presented by Cortana come from indexed files and applications, including file content for some applications. Hovering over any of the filename matches presents the attacker with the full path. If a file content matching result, they might be presented with the content of the file itself. McAfee researchers pointed out that the entire user folder structure is indexed, including default locations and also mappings such as OneDrive.
But that was just the beginning, as well as the potential for harvesting personal data there was the small matter of being able to execute code from the lock screen... Steve Povolny, head of advanced threat research at McAfee, told SC Media UK that "we demonstrated that Cortana itself can be used to bypass the login screen and run arbitrary code on a locked Windows 10 device!
This was an attack vector that simply wasn't present before the implementation of Cortana. As the saying goes: with great power comes great responsibility." Given that 'intelligent' digital assistants using voice control are becoming an increasingly everyday feature both in the home and workplace, on laptops, mobiles and IoT devices, just how broad is the attack surface being exposed here?
“If businesses intend to use voice technology for the majority of customer interactions in the near-future they need to make sure that this method of interaction is as secure as any other" warns Pindrop CEO, Vijay Balasubramaniyan. "At the moment biometric checks can be easily fooled by a synthesised voice while phone numbers that will be used to intercept virtual assistants can be spoofed. As voice-activated assistants increase in usage, attacks will follow."
Larry Trowell, associate principal consultant at Synopsys, points out that while a fix for the Cortana vulnerability has been issued, there are still other areas in which these assistants can be used to carry out an attack. "I see no reason why the 'dolphin' attacks triggering mobile phone smart assistants to call numbers and launch apps couldn't be modified to attack a distracted user" Trowell told SC, adding "the software is neat, interesting, and fun to use - it also opens up a lot of areas that possibly haven't been thought through properly."
Lane Thames, senior security researcher at Tripwire, doesn't see evidence of much greater exposure, from a computer or computing device perspective, than any other system because voice control is just another human input device (HID). As such, the risk assumed by the voice control attack surface is limited. "However, from an application perspective" Thames insists "the exposure is huge compared to a traditional application such as email or web browsing, and this is due to the 'smart assistance' provided by this technology."
Generally speaking, the smartness comes from the service's back end cloud that uses technologies such as Big Data, Artificial Intelligence, Machine Learning, massive search databases, etc. This is where the functionality of the assistant comes from. You might say the assistant is just a messenger. "These back end services from both providers and third-parties are where the true attack surface for these devices come from, not necessarily the aspect of using voice."
Given that some futurologists view the Internet as being something of a prelude to the emergence of AI-enabled robots, the security problems with current digital assistants that claim to be intelligent or driven by AI could easily be a precursor of what's yet to come.
Unless lessons are learned, and learned quickly. "Every additional feature adds another potential point of failure" as Sean Sullivan, security advisor with F-Secure told SC Media "there's a good reason why Cortana isn't enabled by default, and why many organisations disable it entirely by policy." That said, this is also a physical attack so it's important to remember that security isn't just about the software but also about the risk decisions made by operators. "Some people will need features for accessibility" Sullivan continues "care should be taken to provide those individuals with security awareness training, and IT should know where such computers sit, and what happens around it."
We'll leave the last word to McAfee's Steve Povolny, who says that the 'should voice assistants be disabled by security serious users' question is the same one that is asked for every newly introduced technology as flaws are inevitably found. "The reason we research and publish details on vulnerabilities like the Cortana login bypass" Povolny says "is to enable the products as opposed to disable." Indeed, the McAfee advice was to simply turn off the Cortana interaction from the lock screen, unless absolutely necessary. "This is an already supported option within all versions of Windows 10" Povolny concludes "and effectively eliminates any risk of exposure to this critical issue..."