Security researchers have identified new flaws in the Windows 10 voice assistant Cortana that could allow hackers to access locked systems.
In a blog post, Cedric Cochin and Steve Povolny, researchers of the McAfee Labs Advanced Threat Research team, said that locked Windows 10 devices with Cortana could enable an attacker with physical access to carry out two kinds of unauthorised browsing on the unpatched systems.
The flaws could let an attacker force Microsoft Edge to navigate to an attacker-controlled URL. A second flaw lets an attacker use a limited version of Internet Explorer 11 using the saved credentials of the victim.
"In the first scenario, a Cortana privilege escalation leads to forced navigation on a lock screen. The vulnerability does not allow an attacker to unlock the device, but it does allow someone with physical access to force Edge to navigate to a page of the attacker’s choosing while the device is still locked. This is not a case of BadUSB, man in the middle, or rogue Wi-Fi, just simple voice commands and interacting with the device’s touchscreen or mouse," said researchers.
The discovery builds on previous research by McAfee that found how hackers could use Cortana to access data, change a user’s password or run malicious code.
Cortana can offer users detailed information containing links from trusted websites and as a result, hackers misuse this for their own nefarious means.
"We can leverage this information to craft a fake Wikipedia entry, add enough content to get the review to succeed, add an official website link, and see what Cortana presents," said researchers.
But this approach would take time as Wikipedia editors would vet content and Microsoft’s Bing search engine would need to be aware of the entry. Researchers instead looked to hunt Wikipedia for unmaintained or dead official website links. Here researchers could then purchase the dead links.
"The next step is to write a script to parse the output, grab a list of domains, and check whether they are actually vacant. Many of them are still registered but do not serve any content; others are live despite the "dead link" tag. We end up with a list of domains, some more expensive than others, that are vacant," said researchers.
Once the domains are owned by an attacker, malware can be installed to exploit them. When a link is clicked on screen, the Edge browser retrieves this content and infect a Windows 10 system without unlocking it.
"How can we protect against this attack vector? You can disable Cortana on your lock screen. Microsoft should not allow navigation to untrusted websites until it receives permission from the authenticated user, confirming on login that the user wants to visit a site," said researchers.
Researchers said that a second flaw could enable hackers to misuse Cortana’s skills to bring up an Inter Explorer web page with access to social media sites. They said that this stripped-down version shares the autocomplete and credentials saved in the current Explorer session.
In theory, hackers could log into social media sites as a legitimate user and post comments as that user as well as impersonate that user with cached credentials.
"One potential attack scenario arises if a corporation offers a mechanism to reset Windows credentials via a web server but does not require users to reenter the old password. One could simply navigate to the reset link, input a new password, exit the limited navigator, and unlock the device with the newly set password, all from a locked computer," said the researchers.
Paul Ducklin, Senior Technologist at Sophos, told SC Media UK that users should "Put the 'lock' into 'lock screen'."
"Whether you've got Windows, Mac, Android, iOS or anything else, set things up so you have the smallest set of functions you can tolerate available from your lock screen. Voice assistants? Turn them off. Return missed calls without unlock? Turn it off. Notifications? Ideally, turn them all off. It's less convenient, for sure, but why have a strongly-locked door if you are going to cut holes for 15 different sorts of cat flap in it?" he said.