6/22/2018
01:20 PM
Cracking Cortana: The Dangers of Flawed Voice Assistants

Researchers at Black Hat USA will show how vulnerabilities in Microsoft's Cortana highlight the need to balance security with convenience.

Security vs. convenience is a delicate balance to strike with new technology designed to make our lives easier. Vulnerabilities in voice assistants like Microsoft's Cortana and Amazon's Alexa are perfect examples of how the rush to simplify can cause complicated problems down the road.

Consider Cortana, which is enabled by default in Windows 10. Cortana was built to facilitate vocal interaction with laptops, desktops, smartphones, and IoT devices running Microsoft's newest OS, and it's becoming more common in the enterprise as organizations deploy Windows 10 across their environments. The rollout is leaving holes in enterprise defense because Cortana, like other voice assistants, prioritizes users' comfort over security.

Amichai Shulman, cofounder and CTO of Imperva, has spent the past year exploring the technology, infrastructure, and protocols of voice assistants with his colleague, security researcher Tal Be'ery. He says Cortana serves as a weak interface over the otherwise secure Windows operating system and has discovered multiple vulnerabilities to support this.

"Cortana takes a stable environment, reasonably secured, and adds this new type of interface on top of it," Shulman explains. He and Be'ery will present their findings on Cortana flaws in August at Black Hat USA in a session entitled "Open Sesame: Picking Locks with Cortana."

Want Data? All You Have to Do Is Ask

It didn't take long for the researchers to learn the default setting in Windows 10 lets anyone communicate with Cortana – even when the machine is locked. "We started looking for methods to bypass the lock mechanism using voice," says Shulman.

They first found the Voice of Esau (VoE) exploit, which let attackers take over a locked Windows 10 device by combining voice commands with network manipulation to put a malicious payload on a target machine.

VoE was patched by Microsoft in August 2017; still, Shulman believed there were more vulnerabilities to be uncovered. He continued his research, testing concepts like vocal malware along with students at Technion, the Israel Institute of Technology. Cortana has both local and Internet-based extensions, a whole set of protocols and APIs that can be attacked, he says.

One of the flaws they discovered, dubbed Open Sesame, will be the core focus of their Black Hat session. CVE-2018-8140 was recently addressed in Microsoft's June Patch Tuesday update.

Open Sesame is more powerful than VoE, he says, and allows attackers to take over a locked Windows 10 machine and execute arbitrary code. Exploiting this vulnerability would let anyone view sensitive files, browse online, download and launch arbitrary executables from the Internet, and in some cases gain elevated privileges. A threat actor wouldn't need external code to pull this off, so antivirus and IPS tools wouldn't pick up on the attack.

"There are a number of scenarios where close proximity attacks are being used – computers in hotel rooms, airport security attacks … just give your locked computer to someone to inspect and in a matter of seconds that computer can be compromised," Shulman explains.

A Conversation on Convenience

The reason behind these vulnerabilities is twofold, Shulman says. For starters, Microsoft tried to pitch a new interface, built on accessibility and comfort, onto a secured multi-purpose computing environment. "When you do that, there are glitches," he points out.

It is beneficial to have some commands available on a locked machine. Asking about the weather, for example, is benign. However, it's tricky to enable certain functionalities while denying operations that could potentially compromise the machine.

The second problem: Microsoft's assistant is more than a voice interface. Shulman calls it "an intent resolution engine." Cortana takes natural language input and translates it into an action performed by the machine. However, it accepts both written and spoken commands. Once the system is invoked with "Hey Cortana," an attacker can enter keyboard input and execute code on a locked device.

As part of their discussion, Shulman and Be'ery will address defense mechanisms for protecting against these types of attacks. One lesson, at least for enterprise environments, is to make sure the enhanced interface is off by default. Vendors don't like to launch new services and not have them active by default, Shulman says, but in the workplace "it's the prudent thing to do."
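One way to apply the "off by default" lesson on managed Windows 10 endpoints, as an added example that is not from the article or the researchers' work: a PowerShell script that audits, and optionally enforces, the machine-wide policy values that keep Cortana off the lock screen. The value names under the Windows Search policy key are assumed from the Group Policy ADMX mapping for "Allow Cortana above lock screen" and "Allow Cortana"; confirm them against the ADMX shipped with your Windows build.

```powershell
# Added example (not from the article): audit, and optionally enforce, the
# machine-wide policy that blocks Cortana interaction on the lock screen.
# Assumption: the value names below match the ADMX mapping for the
# "Allow Cortana above lock screen" and "Allow Cortana" policies.
# Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Enforce   # without this switch the script only reports
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$settings  = @{
    'AllowCortanaAboveLock' = 0   # no Cortana interaction while the machine is locked
    'AllowCortana'          = 0   # optional: disable the assistant entirely
}

function Get-PolicyState {
    param([string]$Key, [string]$Name)
    # A missing value means "not configured", so the permissive default applies.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    return $item.$Name
}

$report = foreach ($name in $settings.Keys) {
    $current   = Get-PolicyState -Key $policyKey -Name $name
    $compliant = ($current -is [int]) -and ($current -eq $settings[$name])
    if ($Enforce -and -not $compliant) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name $name -PropertyType DWord `
            -Value $settings[$name] -Force | Out-Null
        $current   = $settings[$name]
        $compliant = $true
    }
    [pscustomobject]@{ Setting = $name; Value = $current; Compliant = $compliant }
}

$report | Format-Table -AutoSize
# Policy values take effect after 'gpupdate /force' or the next reboot.
```

Without `-Enforce` the script is a read-only audit that can be run across a fleet to find machines still exposing the assistant above the lock screen.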

The team will demonstrate the Open Sesame vulnerability at Black Hat. There are three more Cortana vulnerabilities Shulman hopes to discuss in their presentation, but they are waiting on confirmation before they can publicly share more details.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
