14 DAY TRIAL // Independent Israeli security researchers Tal Be'ery and Amichai Shulman discovered that it’s possible for hackers to bypass the password lock in Windows 10 and to take advantage of the way Cortana is implemented in the operating system to compromise any device and deploy malware.
Digital assistant Cortana is now available from the Windows 10 lock screen as well even if the computer is locked, but the always-listening behavior opens the door to a series of vulnerabilities which the two researchers exploited to deploy malware.
In an analysis for Motherboard, the two experts explain that if physical access to the target system is available, hackers could connect a USB network adapter and then using voice commands they can have the digital assistant access non-HTTPS websites.
Using malicious code, the network interface can automatically intercept the traffic to non-secure servers and then point the computer to other hosts serving malware, in the end infecting the machine without even unlocking it.
And this isn’t the only door that Cortana leaves open on a Windows 10 computer. The researchers say that connecting a target system to a Wi-Fi network that they controlled was as easy as clicking a few options on the lock screen even if access to the system was protected by a password.
Attacks expanding to network level
The worst thing that can happen due to these vulnerabilities is hackers compromising the entire network the target system is connected to. This is possible with ARM spoofing, a more complex method that involves re-routing traffic from a compromised system to other machines in the network.
While the vulnerability can be first exploited only by having physical access to a certain system, a potential attack can then be expanded to the entire network by playing the same voice commands through the speakers of the compromised host.
“So this attack is not only limited to the physical access scenario but also can be used by attackers to expand their access and jump from one computer to another,” Be'ery was quoted as saying. “[It] very much could be like a Hollywood movie where everyone is asleep and no one is in the office and the computers come to life and are shouting at each other.”
Microsoft has already acknowledged the bug and partially addressed it by forcing browsing on a locked machine to be directed to Bing instead of a different page. Researchers, however, warn that other commands are still available and they’ll continue to look into alternative ways to bypass the password protection on Windows 10.
More information on this project will be shared by the two researchers at the Kaspersky Analyst Security Summit this week.
