A vulnerability in the Windows 10 voice assistant, Cortana, allows attackers to open malicious websites on a user's device even when a PC is locked.
Israeli researchers Tal Be'ery and Amichai Shulman discovered that they could bypass password locks to instruct a device to visit websites since the devices continue to listen for voice commands even when locked and because many users haven't bothered to train the voice assistant to only obey a single user's commands, the researchers demonstrated in a YouTube presentation.
Threat actors could insert a USB network adaptor to a locked device and simply give a verbal command instructing Cortana to open the web browser and head to an unencrypted HTTP webpage. The adapter inserted into the USB drive would then intercept the request and redirects the browser to a malicious webpage instead.
The researchers disclosed the vulnerability to Microsoft and the flaw has since been patched by taking browser-based commands function directly to the Bing search engine. Researchers warn voice assistants can be a potential weakness on modern devices unless they are properly controlled and recommend users disable voice commands entirely when the PC is locked.