
Windows 10 flaw allowed attackers to open malicious websites... even if your PC was locked

Graham CLULEY

March 09, 2018


You may think your Windows 10 computer is locked, but is it really?

Israeli researchers Tal Be'ery and Amichai Shulman have discovered a way of using nothing but voice commands to make a locked Windows 10 computer visit a website under the control of malicious hackers… and potentially install malware.

The problem lies in Cortana, the voice assistant that Microsoft built into Windows 10. As Apple, for instance, has learnt to its cost on numerous occasions with Siri, unless properly controlled voice assistants can be a potential weakness on modern devices, opening opportunities for unauthorised users to perform functions from the lock screen.

As the researchers tell it, a malicious hacker could sit at a locked Windows 10 PC and plug a USB network adaptor into a free USB port. Windows configures the new adaptor as a network interface without the PC being unlocked. With that in place, the hacker simply gives a verbal command to Cortana to open the web browser and head to an unencrypted HTTP webpage.

Because the request goes out over plain HTTP on a network the attacker now controls, the device on the other end of the USB adaptor can intercept it and redirect the browser to a malicious webpage instead.

A YouTube video demonstrates the exploit in action.

As Motherboard explains, with one computer infected in an organisation there exists the possibility for an attacker to spread laterally to other computers on the same network, stealing information surreptitiously.

Why does Cortana continue to listen for commands when a Windows 10 PC is locked? Well, your guess is as good as mine – but this is clearly a potential problem, especially when you consider that many users will not have bothered to train their PC to respond only to a single person's voice.

For that reason, I recommend users disable voice commands entirely when the PC is locked. You want to talk to your computer? Take a few seconds to unlock it first.
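For administrators who want to enforce that recommendation across a fleet rather than rely on each user flipping the toggle, the policy can be set centrally. The following PowerShell is an added example and is not code from the original article or from the researchers. It assumes that the Group Policy "Allow Cortana above lock screen" is stored under the key HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search as the DWORD value AllowCortanaAboveLock (0 = disabled), and that the DWORD AllowCortana in the same key set to 0 switches Cortana off entirely; verify both value names against your Windows build before rolling it out.

```powershell
# Added example, not from the original article or the researchers' work.
# Assumption: the "Allow Cortana above lock screen" policy lives at the key below
# as the DWORD AllowCortanaAboveLock (0 = disabled), and AllowCortana = 0 in the
# same key disables Cortana entirely. Run from an elevated PowerShell prompt.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

function Get-CortanaLockScreenState {
    # Report the current policy values. $null for a value means "not configured",
    # in which case Windows falls back to the per-user setting, which allows
    # Cortana on the lock screen by default.
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AllowCortana          = if ($null -ne $props) { $props.AllowCortana } else { $null }
        AllowCortanaAboveLock = if ($null -ne $props) { $props.AllowCortanaAboveLock } else { $null }
    }
}

function Disable-CortanaAboveLock {
    # Set the policy so voice commands are refused while the PC is locked.
    # -DisableCortanaEntirely also turns Cortana off for unlocked sessions.
    param([switch]$DisableCortanaEntirely)

    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name 'AllowCortanaAboveLock' `
        -PropertyType DWord -Value 0 -Force | Out-Null

    if ($DisableCortanaEntirely) {
        New-ItemProperty -Path $policyKey -Name 'AllowCortana' `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Audit, enforce, then re-audit so the script fails loudly if the value did not stick.
Write-Host 'Before:'; Get-CortanaLockScreenState
Disable-CortanaAboveLock
$after = Get-CortanaLockScreenState
Write-Host 'After:'; $after
if ($after.AllowCortanaAboveLock -ne 0) {
    throw 'AllowCortanaAboveLock policy was not applied'
}
```

Test this on a single machine first: whether the new policy takes effect immediately or only after the next sign-in depends on the Windows build, and a domain Group Policy Object that manages the same key will overwrite whatever the script writes on the next policy refresh, so the durable home for the setting is the GPO itself.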

The truth is that when someone has physical access to your computer, even if you have locked it, it may only take them a minute or so to install malicious code. Even if you have logged off and turned off the power, there's still the potential for a criminal to go into your BIOS and tell the computer to temporarily boot up from a USB stick containing malware.

When you come back five minutes later you really have no clue what’s been happening in your absence.

The vulnerability was responsibly disclosed to Microsoft, which has already patched the described attack by routing browser-based voice commands given at the lock screen to the Bing search engine instead of opening arbitrary web addresses.

However, as there remains the potential for Cortana to execute other commands that could perhaps be hijacked by an attacker, I find myself asking once again whether voice assistants are really that useful for the majority of us. Do the benefits of a voice assistant outweigh the risks?

All I can tell you is that, on my technology devices, I disable voice assistants wherever possible. Sometimes “progress” comes at a price – you may be wise to weigh up just how much “progress” you’re making before you pay dearly.
